Found by Symantec in the wild, the Encriyoko Trojan has some of its components written in Go that once installed on a target system attempts to encrypt files using the Blowfish algorithm thus rendering the files unusable. Symantec warns in a blog post, “Restoration of the encrypted files will be difficult, if not impossible.”

A sample of the file, GalaxyNxRoot.exe, written in .NET that acted as a dropper by disguising itself as a tool to ‘root’ Samsung Galaxy Smartphones was first discovered by Symantec. Gullible users may download the file thinking that they will be able to root their Galaxy handsets and install custom ROM on their smartphones. Once executed the GalaxyNxRoot.exe drops two files which are both written in Google’s Go – {b2f8038cca59418a55fa2a773bdd1308d9b98f2083b1773270b153fdacce5890}Temp{b2f8038cca59418a55fa2a773bdd1308d9b98f2083b1773270b153fdacce5890}PPSAP.exe, {b2f8038cca59418a55fa2a773bdd1308d9b98f2083b1773270b153fdacce5890}Temp{b2f8038cca59418a55fa2a773bdd1308d9b98f2083b1773270b153fdacce5890}adbtool.exe.

According to Symantec PPSAP.exe is an information stealing Trojan while the adbtool.exe downloads an encrypted file from a remote server. The encrypted file is decrypted into a Dynamic-link library (DLL) file which then attempts to encrypt various file formats on the victim computer. Some of the file formats are .jpg, .png, .wma, .doc, .xls, .pdf, among others. Below is the screenshot showing some of the file formats that the Trojan targets.


Paul Wood, a security researcher at Symantec told El Reg, “The advantage for VXers could be that they are more familiar with that specific language as opposed to some other languages and the language itself may offer some degree of flexibility in coding terms.”

“It also might be more resilient to reversing attempts by researchers as Go isn’t really mainstream. The latter may be more a perception by the coders than in reality”, he added.