
Malware developers turn to 'exotic' programming languages to thwart researchers

They are focused on exploiting pain points in code analysis and reverse-engineering.
Written by Charlie Osborne, Contributor on

Malware developers are increasingly turning to unusual or "exotic" programming languages to hamper analysis efforts, researchers say. 

According to a new report published by BlackBerry's Research & Intelligence team on Monday, there has been a recent "escalation" in the use of Go (Golang), D (DLang), Nim, and Rust, which are being used more commonly to "try to evade detection by the security community, or address specific pain-points in their development process."

In particular, malware developers are experimenting with loaders and droppers written in these languages, created to be suitable for first and further-stage malware deployment in an attack chain. 

BlackBerry's team says first-stage droppers and loaders are becoming more common as a way to avoid detection on a target endpoint. Once such a loader has slipped past security controls tuned to more typical forms of malicious code, it is used to decode, load, and deploy the next-stage malware, including Trojans. 

Commodity malware cited in the report includes the Remote Access Trojans (RATs) Remcos and NanoCore; Cobalt Strike beacons are also frequently deployed as the follow-on payload. 

Some developers with more resources at their disposal are going further and rewriting their malware entirely in a new language; the report cites Buer, which was reimplemented in Rust as RustyBuer.

Based on current trends, the cybersecurity researchers say that Go is of particular interest to the cybercriminal community. 

According to BlackBerry, both advanced persistent threat (APT) state-sponsored groups and commodity malware developers are taking a serious interest in the programming language to upgrade their arsenals. In June, CrowdStrike said a new ransomware variant borrowed features from HelloKitty/DeathRansom and FiveHands, but used a Go packer to encrypt its main payload. 

"This assumption is based upon the fact that new Go-based samples are now appearing on a semi-regular basis, including malware of all types, and targeting all major operating systems across multiple campaigns," the team says. 

While not as popular as Go, DLang, too, has experienced a slow uptick in adoption throughout 2021.

By using new or unusual programming languages, the researchers say, malware authors can hamper reverse-engineering efforts and avoid signature-based detection tools, as well as improve cross-compatibility across target systems. Binaries produced by these toolchains carry their own runtimes, calling conventions and binary layouts, which differ from the C/C++ output that most analysis tooling and signatures were built around, so the choice of language itself adds a layer of concealment without any further effort from the malware developer. 
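The detection side of this, as an added example that is not from the BlackBerry report or the article: a small Python triage script that fingerprints which of the four toolchains produced a binary from the static artefacts each one leaves behind (Go's build ID string and pclntab header, rustc source paths, Nim's NimMain entry points, D's mangled symbols). The indicator list, weights, threshold and the sample byte blobs are this example's own assumptions; the blobs are constructed stand-ins for sections of real binaries, not real malware.

```python
import re

# Added example: static language fingerprinting for triage. These indicators
# are artefacts the Go, Rust, Nim and D toolchains commonly leave in compiled
# binaries; a packed or heavily stripped sample may carry few of them, so the
# output is a triage hint, not proof. Weights are an assumption of this example.
INDICATORS = {
    "Go": [
        ("Go build ID string", re.compile(rb'Go build ID: "'), 3),
        ("runtime symbol names", re.compile(rb"runtime\.(main|gopanic|newproc|morestack)"), 2),
        ("pclntab section name", re.compile(rb"\.gopclntab"), 3),
        # pclntab header: version magic (Go 1.2 / 1.16 / 1.18 / 1.20), two zero
        # pad bytes, then pc quantum (1, 2 or 4) and pointer size (4 or 8).
        # The Go runtime needs this table itself, so it survives symbol stripping.
        ("pclntab header", re.compile(rb"[\xfb\xfa\xf0\xf1]\xff\xff\xff\x00\x00[\x01\x02\x04][\x04\x08]"), 4),
    ],
    "Rust": [
        ("rustc source path", re.compile(rb"/rustc/[0-9a-f]{40}/"), 3),
        ("core panic strings", re.compile(rb"core::panicking|library/core/src/"), 2),
        ("panic runtime symbols", re.compile(rb"rust_panic|rust_begin_unwind"), 2),
    ],
    "Nim": [
        ("NimMain entry points", re.compile(rb"NimMain(Module|Inner)?"), 3),
        ("Nim stdlib file names", re.compile(rb"\b(system|fatal)\.nim\b"), 2),
    ],
    "D": [
        ("_Dmain entry point", re.compile(rb"_Dmain"), 3),
        ("D mangled symbols", re.compile(rb"_D\d+[A-Za-z_]"), 2),
        ("druntime modules", re.compile(rb"core\.(runtime|exception)|rt\.dmain2"), 2),
    ],
}

MIN_SCORE = 3  # below this we report "unknown" rather than guess


def fingerprint(blob: bytes) -> dict:
    """Score a binary image against each language's indicators.

    Returns {"language": <name or "unknown">, "score": int, "indicators": [...]}
    for the best-scoring language.
    """
    best = {"language": "unknown", "score": 0, "indicators": []}
    for language, rules in INDICATORS.items():
        matched = [(name, weight) for name, rx, weight in rules if rx.search(blob)]
        score = sum(weight for _, weight in matched)
        if score > best["score"]:
            best = {"language": language, "score": score,
                    "indicators": [name for name, _ in matched]}
    if best["score"] < MIN_SCORE:
        best["language"] = "unknown"
    return best


def triage(samples: dict) -> dict:
    """Map each sample name to the language its bytes are fingerprinted as."""
    return {name: fingerprint(blob)["language"] for name, blob in samples.items()}


# Constructed stand-ins for fragments of real binaries; not real malware.
SAMPLES = {
    "go_loader.bin": (b"\x7fELF" + b"\x00" * 12 + b".gopclntab\x00"
                      + b'Go build ID: "abc123"\x00'
                      + b"\xf0\xff\xff\xff\x00\x00\x01\x08"
                      + b"runtime.main\x00"),
    "rusty_dropper.bin": (b"MZ" + b"\x00" * 8
                          + b"/rustc/" + b"a" * 40 + b"/library/core/src/fmt/mod.rs\x00"
                          + b"core::panicking::panic\x00"),
    "nim_stager.bin": b"MZ\x00NimMainModule\x00system.nim\x00",
    "d_stager.bin": b"\x7fELF_Dmain\x00_D4core9exception9Throwable\x00core.exception\x00",
    "plain_c.bin": b"MZ\x00This program cannot be run in DOS mode.\x00",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        result = fingerprint(blob)
        print(f"{name:20s} {result['language']:8s} score={result['score']} {result['indicators']}")
```

Two practical caveats. The pclntab header check is the one Go indicator that still fires on a symbol-stripped binary, which is why it carries the highest weight; the string-based indicators for all four languages only help once a packed sample (such as the Go-packed ransomware payload mentioned above) has been unpacked or dumped from memory. And a hit tells you the toolchain, not the intent: legitimate Go, Rust, Nim and D software is common, so this is a triage signal to route a sample to the right analyst and tooling, not a verdict.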

"Malware authors are known for their ability to adapt and modify their skills and behaviors to take advantage of newer technologies," commented Eric Milam, VP of Threat Research at BlackBerry. "This has multiple benefits from the development cycle and inherent lack of coverage from protective solutions. It is critical that industry and customers understand and keep tabs on these trends, as they are only going to increase."
