GoStringUngarbler: Deobfuscating Strings in Garbled Binaries

The FLARE team often encounters Go malware protected by the garble obfuscator, which presents challenges such as stripped binaries and encrypted strings. To address this, a new tool called GoStringUngarbler is introduced to automatically decrypt garble-obfuscated Go binaries, simplifying static analysis and malware detection. Garble modifies Go binaries at compile time by rewriting the program's Abstract Syntax Tree (AST), obfuscating the output while preserving program behavior. The blog post walks through garble's literal transformations, including the stack, seed, swap, and shuffle techniques, each illustrated with code examples and decompilation results. Garble's split transformation is highlighted as a more sophisticated tactic that fragments encrypted strings and manipulates control flow to hinder analysis.

https://cloud.google.com/blog/topics/threat-intelligence/gostringungarbler-deobfuscating-strings-in-garbled-binaries