Malicious actors are increasingly coding in more “exotic” programming languages to write new strains of malware on the basis that using new, lesser-known, or otherwise uncommon languages will help their attacks evade detection and hinder analysis.
A whitepaper produced by BlackBerry’s Research and Intelligence Team sheds light on this use of less prolific languages in the cybercriminal space.
“Malware authors are known for their ability to adapt and modify their skills and behaviors to take advantage of newer technologies,” said BlackBerry threat research vice-president Eric Milam.
“This has multiple benefits from the development cycle and inherent lack of coverage from protective solutions. Industry and customers must understand and keep tabs on these trends as they are only going to increase.”
BlackBerry’s researchers targeted four uncommon languages to analyze: Go, D, Nim, and Rust, all of which its detection tools have seen being used more for malicious intent of late. Milam said these languages also piqued the team’s interest because they are considered more developed and have strong backing in the legitimate developer community.
There are several reasons why new programming languages are adopted in general use – they may remediate a deficit in an existing language, offer simpler syntax, boost performance, use memory more efficiently, or better suit a particular usage environment. The user-friendly nature of some new languages can also make life much easier for developers.
For malicious developers, however, such languages bring other benefits. For example, they can significantly hamper reverse-engineering efforts, as malware analysis tooling does not always adequately support uncommon languages. In the case of those analyzed by BlackBerry, binaries written in them can seem “more complex, convoluted and tedious” compared to traditional C, C++, or C#-based counterparts.
These languages can also thwart existing signature-based detection tools, because their effectiveness depends on specific static characteristics being present in a file – qualities, such as hashes, that do not change and that can be matched without executing the file. If malware is rewritten in a new language – as BazarLoader recently was in Nim, becoming NimzaLoader – signatures written to detect previous iterations won’t work.
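The point above is easy to see in code. The following is an added example, not code from the article or from BlackBerry’s whitepaper: it contrasts a hash-based signature, which fails the moment a loader is rebuilt in another language, with a static triage heuristic that looks for strings the Go, Nim, Rust and D toolchains typically leave in their output. The two byte blobs standing in for binaries are constructed, and the marker list is an assumed, illustrative set chosen for this example rather than a vetted ruleset.

```python
"""Static triage helpers: a hash-based signature check beside a toolchain
fingerprint.  Constructed example; the byte strings below stand in for real
binaries and are not samples from the whitepaper."""
import hashlib
import re
from typing import Dict, Optional

# Constructed stand-ins for two builds of the same loader: the original C/C++
# build and a rewrite in Nim.  Real binaries are megabytes; these are toy blobs.
ORIGINAL_BUILD = b"MZ\x90\x00" + b"loader v1 msvcrt.dll __CxxFrameHandler3" + b"\x00" * 16
REWRITTEN_BUILD = b"MZ\x90\x00" + b"loader v1 NimMain nimGC_setStackBottom" + b"\x00" * 16

# A hash "signature" list as a signature-based tool would hold it (constructed
# from the original build only, as it would be before the rewrite appeared).
KNOWN_BAD_SHA256 = {hashlib.sha256(ORIGINAL_BUILD).hexdigest()}

# Substrings that the respective compilers and runtimes commonly embed in their
# output.  Assumed, illustrative markers for this example; a production rule
# set would be validated against a corpus of known-good builds.
TOOLCHAIN_MARKERS = {
    "Go":   [rb"Go build ID:", rb"runtime\.main", rb"go\.buildid"],
    "Nim":  [rb"NimMain", rb"nimGC_", rb"stdlib_system\.nim"],
    "Rust": [rb"/rustc/", rb"core::panicking", rb"rust_begin_unwind"],
    "D":    [rb"_d_run_main", rb"druntime", rb"core\.runtime"],
}


def sha256_hit(blob: bytes) -> bool:
    """Exact-hash match: it breaks as soon as the file changes by one byte."""
    return hashlib.sha256(blob).hexdigest() in KNOWN_BAD_SHA256


def fingerprint_toolchain(blob: bytes) -> Dict[str, int]:
    """Count marker hits per language.  Compiler and runtime strings survive a
    rewrite far better than a file hash does, so they are useful for routing a
    new sample to an analyst who knows that language's binary layout."""
    return {lang: sum(1 for pat in pats if re.search(pat, blob))
            for lang, pats in TOOLCHAIN_MARKERS.items()}


def likely_toolchain(blob: bytes) -> Optional[str]:
    """Return the language with the most marker hits, or None if nothing matched."""
    hits = fingerprint_toolchain(blob)
    best = max(hits, key=hits.get)
    return best if hits[best] > 0 else None


def triage(blob: bytes) -> dict:
    """Combine both checks so the gap between them is visible in one record."""
    return {"hash_hit": sha256_hit(blob), "toolchain": likely_toolchain(blob)}


if __name__ == "__main__":
    for name, blob in (("original", ORIGINAL_BUILD), ("rewritten", REWRITTEN_BUILD)):
        print(name, triage(blob))
```

Run stand-alone, the original build is caught by its hash but yields no toolchain hint, while the rewritten build misses the hash list entirely yet is immediately flagged as a Nim binary, which is the kind of secondary signal a detection team needs when a family moves to a new language.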
Other malware has been similarly rejuvenated by adding loaders written in new languages, an approach that is attractive to malicious developers because they don’t have to recode the entire malware, just the packaging.
Other plus points for malicious developers include the ability to use uncommon languages to act as a layer of obfuscation simply due to their relative youth and obscurity and to cross-compile new malware to target Windows and MacOS environments simultaneously.
Out of the four languages analyzed in the compilation of its whitepaper, BlackBerry found that Go has now matured to the point where it is becoming a go-to language for malicious actors, both at the advanced persistent threat (APT) and commodity level, for developing new strains of malware.
It said new Go-based samples are now appearing regularly, targeting all major operating systems in multiple observed campaigns. Along with Nim, Go is increasingly being used to compile initial stagers for Cobalt Strike. D appears to be a slow burner, despite its adoption by legitimate developers, but it is seeing an uptick in 2021.