When it comes to cybercrime, even malware developers need to brush up on certain programming languages to stay current.
Increasingly, malware authors are turning to four “exotic” programming languages—Go, DLang, Nim and Rust—to either give new life to older malware or as effective methods to hide their malicious code from security tools, all while avoiding analysis efforts by researchers. That’s according to a recent report published by BlackBerry’s Research & Intelligence division.
In many cases, malware developers are turning to these four languages to create new arrays of droppers and loaders that help form the first stage of an attack, according to BlackBerry.
Once these malicious tools have avoided detection and implant themselves within a network, the loader or dropper written in one of these languages can then retrieve second-stage malware, such as Remote Access Trojans (RATs) or malicious versions of legitimate tools such as Cobalt Strike, the report noted. All the while, this malware helps create a layer of obfuscation, making analysis of the attack more difficult.
“Each of these languages is relatively new and has little in the way of fully supported analysis tooling,” the researchers wrote. “As such, they can appear quite alien under the hood. It is because of their relative youth and obscurity that the languages themselves can have a similar effect to traditional obfuscation and be used to attempt to bypass conventional security measures and hinder analysis efforts.”
At the same time, cybercriminals and underground developers are eager to show off their skills. Building malware requires creativity, said Matthew Westfall, principal security consultant at tech firm nVisium.
“While commodity and weaponized malware have long dominated the threat landscape, an investigation into the world of non-commercial virus research shows there is still an active cohort of enthusiasts who are motivated by the thrill of implementation,” Westfall told Dice. “The challenge of ‘giving life’ to new languages and technologies through self-replicating code may be a more resilient force than strategic or financial gain, and it should be considered alongside other factors as new technology is evaluated for its uses and risks.”
“Sometimes the malicious code is used for the delivery and infection aspect of the malware operations, and other times they are the primary threat being installed,” Kujawa told Dice. “It all depends on the platform and the desired capability of the attacker. For malware written for Android systems, you would probably use Java, and in the case of infecting a Mac, they might use Swift or Objective-C.”
What the BlackBerry researchers noticed is that attackers are now taking older malware and using these four specific languages to upgrade the code. “Older malware written in traditional languages like C++ and C# is actively being given new life with droppers and loaders written in exotic languages,” the report noted.
In this way, the older malware is “wrapped” in a dropper or loader written in a newer language and then delivered to a vulnerable device and network, which then allows the attacker to avoid detection and analysis, the researchers found.
Of the four programming languages that the report examined, the majority of the malicious code tracked by the researchers was written in Go, Google’s open source programming language that was officially released in 2012. BlackBerry found that developers of all stripes are relying more on Go due to reliability and efficiency.
As the Go language has increased in popularity, more malware authors are using it. The BlackBerry report documents cryptominers as well as RATs that can deliver other malicious code written in Go. In one case, a ransomware variant called Ekans or Snake was developed using Go.
Rust Never Sleeps
While Go is the go-to language for many malware authors, there are multiple examples of the other programming languages used to develop malicious code.
In May, security firm Proofpoint published a report that found malware called Buer, which acts as a first-stage loader, had been rewritten in Rust in what appeared to be an effort to avoid security detection.
The researchers called the revamped malware RustyBuer after locating the malicious code in phishing emails.
“Our analysts assessed that rewriting the malware in Rust as opposed to C could enable the threat actor to better evade existing Buer detection capabilities. In some cases, Proofpoint observed RustyBuer campaigns delivering Cobalt Strike Beacon as a second-stage payload,” Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, told Dice. “Overall, it is not uncommon for threat actors to continue to modify their payloads in a likely attempt to evade detection.”
Whether using Go, Rust or another of the so-called exotic programming languages, the cybercriminals’ goal is to avoid detection for long periods of time and, if possible, ensure that researchers have a difficult time analyzing how the code is written, said Dirk Schrader, global vice president for security research at New Net Technologies.
“Whenever something makes it harder for security researchers or malware analysts, it is a go-to for cyber-criminals. Obfuscation by uncommon programming languages which can be used across platforms is certainly such an aspect, and if that programming language is also hard to reverse-engineer, the better,” Schrader told Dice.
“It is a ‘hide-and-seek game,’ where anything that helps the hiding party is welcomed,” Schrader added. “The difficulty for the seekers is to find out which languages are used and what the characteristics are, which is a substantial effort when the goal is to automate any subsequent analysis as much as possible. As this automation is ultimately needed to keep with the pace of malware variants, it is clear why this hide-and-seek is serious business.”