Malicious actors are increasingly coding in more “exotic” programming languages to write new strains of malware on the basis that using new, lesser-known or otherwise uncommon languages will help their attacks evade detection and hinder analysis.
This is according to a whitepaper produced by BlackBerry’s Research and Intelligence Team, which has shed light on the use of less prolific languages in the cyber criminal space.
“Malware authors are known for their ability to adapt and modify their skills and behaviours to take advantage of newer technologies,” said BlackBerry threat research vice-president Eric Milam.
“This has multiple benefits from the development cycle and inherent lack of coverage from protective solutions. It is critical that industry and customers understand and keep tabs on these trends as they are only going to increase.”
BlackBerry’s researchers targeted four uncommon languages to analyse: Go, D, Nim and Rust, all of which its detection tools have seen being used more for malicious intent of late. Milam said these languages also piqued the team’s interest because they are considered more developed and have strong backing in the legitimate developer community.
There are several reasons why new programming languages are adopted in general use – they may remediate a deficit in an existing language, offer simpler syntax, boost performance, use memory more efficiently, or better suit a particular usage environment. The user-friendly nature of some new languages can also make life much easier for developers.
For malicious developers, however, such languages bring other benefits. For example, they can significantly hamper reverse-engineering efforts, as many malware analysis tooling does not always adequately support uncommon languages. In the case of those analysed by BlackBerry, binaries written in them can seem “more complex, convoluted and tedious” compared to traditional C, C++ or C#-based counterparts.
These languages can also thwart existing signature-based detection tools because their effectiveness depends on specific static characteristics being present in a file – qualities that do not change or require the file to execute to be detected, such as hashes. If malware is written in a new language – such as BazarLoader, which has recently been rewritten in Nim to become NimzaLoader – signatures written to detect previous iterations won’t work.
Other malwares have been similarly rejuvenated by adding loaders written in new languages, which is attractive to malicious developers as it means they don’t have to recode the entire malware, just the packaging.
Other plus points for malicious developers include the ability to use uncommon languages to act as a layer of obfuscation that simply due to their relative youth and obscurity, and to cross-compile new malwares to target Windows and MacOS environments simultaneously.
Out of the four languages analysed in the compilation of its whitepaper, BlackBerry found that Go has now matured to the point where it is becoming a go-to language for malicious actors, both at the advanced persistent threat (APT) and commodity level for developing new strains of malware.
It said new Go-based samples are now appearing on a regular basis, targeting all major operating systems in multiple observed campaigns. Along with Nim, Go is increasingly being used to compile initial stagers for Cobalt Strike. D appears to be a slow burner, despite its adoption by legitimate developers, but it is seeing an uptick in 2021.