Malware developers turn to 'exotic' programming languages to thwart researchers

They are focused on exploiting pain points in code analysis and reverse-engineering.

Malware developers are increasingly turning to unusual or "exotic" programming languages to hamper analysis efforts, researchers say. 


According to a new report published by BlackBerry's Research & Intelligence team on Monday, there has been a recent "escalation" in the use of Go (Golang), D (DLang), Nim, and Rust, which are being used more commonly to "try to evade detection by the security community, or address specific pain-points in their development process."

In particular, malware developers are experimenting with loaders and droppers written in these languages, built to deliver both first-stage and later-stage payloads in an attack chain.

BlackBerry's team says first-stage droppers and loaders are becoming more common as a way to avoid detection on a target endpoint. Once such a loader has slipped past security controls tuned to more typical forms of malicious code, it is used to decode, load, and deploy the real payload, including Trojans.

Commodity payloads cited in the report include the Remote Access Trojans (RATs) Remcos and NanoCore; Cobalt Strike beacons are also frequently deployed.

Some developers with more resources at their disposal, however, are rewriting their malware wholesale in a new language, as with the Buer loader's reimplementation in Rust as RustyBuer.

Based on current trends, the cybersecurity researchers say that Go is of particular interest to the cybercriminal community. 

According to BlackBerry, both advanced persistent threat (APT) state-sponsored groups and commodity malware developers are taking a serious interest in the programming language to upgrade their arsenals. In June, CrowdStrike said a new ransomware variant borrowed features from HelloKitty/DeathRansom and FiveHands, but used a Go packer to encrypt its main payload. 

"This assumption is based upon the fact that new Go-based samples are now appearing on a semi-regular basis, including malware of all types, and targeting all major operating systems across multiple campaigns," the team says. 

While not as popular as Go, DLang, too, has experienced a slow uptick in adoption throughout 2021.

The researchers say that using new or less common programming languages can hamper reverse-engineering, sidestep signature-based detection tools, and improve cross-platform compatibility across target systems. The language choice alone can also add a layer of concealment with no further effort from the malware developer, since the compiled output looks little like the code that existing analysis tooling and signatures were built to recognize.
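The flip side of that coverage gap is that a language runtime leaves its own fingerprints, and defenders can key on those rather than on the malware. The following Go program is an added example and is not code from BlackBerry's report or from this article: it scans a byte blob for the header of the Go runtime's pclntab (the magic values 0xFFFFFFFB, 0xFFFFFFFA, 0xFFFFFFF0 and 0xFFFFFFF1 and their release ranges are taken from the Go runtime source) and for the build ID and version strings the Go linker embeds. The two sample blobs are constructed stand-ins, not real binaries.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"regexp"
)

// Each Go release family writes a different magic at the start of the runtime's
// pclntab (the PC-to-line table the runtime needs for stack unwinding and GC),
// so the magic dates the toolchain as well as identifying Go.
var pclntabMagics = []struct {
	magic  uint32
	family string
}{
	{0xFFFFFFFB, "go1.2-1.15"},
	{0xFFFFFFFA, "go1.16-1.17"},
	{0xFFFFFFF0, "go1.18-1.19"},
	{0xFFFFFFF1, "go1.20+"},
}

var (
	versionRe = regexp.MustCompile(`go1\.[0-9]+(\.[0-9]+)?`)              // runtime.buildVersion
	buildIDRe = regexp.MustCompile(`Go build ID: "([0-9A-Za-z_/=+.-]+)"`) // linker build ID
)

// GoIndicators holds what ScanForGo found in a byte blob.
type GoIndicators struct {
	PclntabOffset int    // offset of a plausible pclntab header, -1 if none
	PclntabMagic  uint32 // magic found there, 0 if none
	Version       string // e.g. "go1.16.5"
	BuildID       string // contents of the Go build ID string
}

// findPclntab looks for the 8-byte pclntab header: a known magic in little-endian
// order, two zero pad bytes, a PC quantum of 1, 2 or 4 and a pointer size of 4 or 8.
// Checking the whole header, not just the magic, rejects stray 0xFF.. runs in padding.
func findPclntab(data []byte) (int, uint32) {
	for _, m := range pclntabMagics {
		var needle [4]byte
		binary.LittleEndian.PutUint32(needle[:], m.magic)
		for off := 0; off+8 <= len(data); {
			i := bytes.Index(data[off:], needle[:])
			if i < 0 {
				break
			}
			pos := off + i
			if pos+8 <= len(data) {
				q, ptr := data[pos+6], data[pos+7]
				if data[pos+4] == 0 && data[pos+5] == 0 &&
					(q == 1 || q == 2 || q == 4) && (ptr == 4 || ptr == 8) {
					return pos, m.magic
				}
			}
			off = pos + 1
		}
	}
	return -1, 0
}

// ScanForGo runs the header and string checks over a whole file read into memory.
func ScanForGo(data []byte) GoIndicators {
	ind := GoIndicators{}
	ind.PclntabOffset, ind.PclntabMagic = findPclntab(data)
	if m := versionRe.Find(data); m != nil {
		ind.Version = string(m)
	}
	if m := buildIDRe.FindSubmatch(data); m != nil {
		ind.BuildID = string(m[1])
	}
	return ind
}

// IsLikelyGo treats the pclntab header as strong evidence on its own; the strings
// are weaker (any file can mention "go1.16"), so both are required without the header.
func (g GoIndicators) IsLikelyGo() bool {
	return g.PclntabOffset >= 0 || (g.Version != "" && g.BuildID != "")
}

// ReleaseFamily names the toolchain range implied by the pclntab magic.
func (g GoIndicators) ReleaseFamily() string {
	for _, m := range pclntabMagics {
		if m.magic == g.PclntabMagic {
			return m.family
		}
	}
	return "unknown"
}

// Samples are constructed stand-ins, not real binaries: "go-loader" imitates the
// strings and pclntab header of a Go 1.16 build; "c-binary" carries a pclntab
// magic followed by non-header bytes to exercise the false-positive guard.
var Samples = map[string][]byte{
	"go-loader": bytes.Join([][]byte{
		bytes.Repeat([]byte{0x00}, 16),
		[]byte("\xff Go build ID: \"abcDEF123_-/xyz\"\n \xff"),
		[]byte("\x00\x00go1.16.5\x00\x00"),
		{0xFA, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x01, 0x08},
		bytes.Repeat([]byte{0xCC}, 16),
	}, nil),
	"c-binary": bytes.Join([][]byte{
		[]byte("GCC: (GNU) 10.2.1\x00"),
		{0xFB, 0xFF, 0xFF, 0xFF, 0x41, 0x42, 0x43, 0x44},
		bytes.Repeat([]byte{0xFF}, 16),
	}, nil),
}

func main() {
	for _, name := range []string{"go-loader", "c-binary"} {
		g := ScanForGo(Samples[name])
		fmt.Printf("%-9s likely_go=%-5v pclntab@%d (%s) version=%q buildid=%q\n",
			name, g.IsLikelyGo(), g.PclntabOffset, g.ReleaseFamily(), g.Version, g.BuildID)
	}
}
```

A signature set written for C/C++ droppers contains none of these patterns, which is the gap the report describes; a runtime-aware triage rule closes it. The pclntab header is the more durable indicator: obfuscators can rename functions and strip the version string, but the table itself must stay in the binary because the runtime depends on it. On a real executable, `go version <file>` and `go tool buildid <file>` recover the same two strings the scan looks for.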

"Malware authors are known for their ability to adapt and modify their skills and behaviors to take advantage of newer technologies," commented Eric Milam, VP of Threat Research at BlackBerry. "This has multiple benefits from the development cycle and inherent lack of coverage from protective solutions. It is critical that industry and customers understand and keep tabs on these trends, as they are only going to increase."
