Warp’s Enigma: Unraveling a Sophisticated Golang Malware Ecosystem that drops modified Stealerium

Botconf 2024
Wednesday
2024-04-24 | 17:05 – 17:45

Sathwik Ram Prakki 🗣 | Rayapati Lakshmi Prasanna Sai

The surge in cybercrime ecosystems and underground forums has led to a substantial increase in stealer malware variants, facilitated by Malware-as-a-Service (MaaS) platforms that address specific needs and vulnerabilities. This talk delves into the intricate details of a modern malware ecosystem named Warp, characterized by its high level of sophistication and multifunctionality. Warp, written in the Go programming language, comprises various components such as a loader, dropper, and stealer, as is typical of a malware ecosystem. The infection process leads to a modified version of the Stealerium infostealer, a potent malware adept at extracting sensitive information while employing anti-analysis techniques.

This paper conducts an in-depth technical analysis of the components comprising the Go-based Warp malware ecosystem and of how the infection chain unfolds. The analysis covers the reversal of Go-based binaries using IDA Pro, the use of random API calls and various search engines to mask C2 traffic, and an exploration of the Telegram bot used for C2. Additionally, two techniques linked to the dropper component are discussed: the UAC bypass through RPC requests via the ALPC kernel feature, and an overview of the Avast anti-rootkit functionality employed to disable AV/EDR solutions. The paper also highlights the distinctions between Warp Stealer’s Telegram and Stealerium’s Discord, both used for C2 communication, shedding light on the diverse functionalities incorporated within this complex malware ecosystem.
