Malicious actors turn to obscure programming languages

by Joseph K. Clark

Malicious actors are increasingly coding in more “exotic” programming languages to write new strains of malware on the basis that using new, lesser-known, or otherwise uncommon languages will help their attacks evade detection and hinder analysis.

A whitepaper produced by BlackBerry’s Research and Intelligence Team examines this trend and sheds light on how less widely used languages are being put to work in the cybercriminal space.

“Malware authors are known for their ability to adapt and modify their skills and behaviors to take advantage of newer technologies,” said BlackBerry threat research vice-president Eric Milam.

“This has multiple benefits from the development cycle and inherent lack of coverage from protective solutions. Industry and customers must understand and keep tabs on these trends as they are only going to increase.”

BlackBerry’s researchers targeted four uncommon languages to analyze: Go, D, Nim, and Rust, all of which its detection tools have seen being used more for malicious intent of late. Milam said these languages also piqued the team’s interest because they are considered more developed and have strong backing in the legitimate developer community.

There are several reasons why new programming languages are adopted in general use – they may remediate a deficit in an existing language, offer simpler syntax, boost performance, use memory more efficiently, or better suit a particular usage environment. The user-friendly nature of some new languages can also make life much easier for developers.


For malicious developers, however, such languages bring other benefits. For example, they can significantly hamper reverse-engineering efforts, because malware analysis tooling does not always adequately support uncommon languages. For the four languages BlackBerry analyzed, the resulting binaries can appear “more complex, convoluted and tedious” to analysts compared with traditional C, C++, or C#-based counterparts.

These languages can also thwart existing signature-based detection, whose effectiveness depends on specific static characteristics of a file – qualities such as a hash or byte pattern that can be checked without executing the file. When malware is rewritten in a new language – as BazarLoader recently was in Nim, becoming NimzaLoader – signatures written to detect previous iterations no longer match.

Other malware has been similarly rejuvenated by adding loaders written in new languages, which is attractive to malicious developers. It means they don’t have to recode the entire malware, just the packaging.
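The two paragraphs above make a point detection engineers run into constantly: a hash, or any signature keyed on the bytes of one build, says nothing about the same loader rebuilt with a different toolchain, while the indicators an operator reuses across rewrites (C2 hosts, campaign tags, the imports the loader needs regardless of language) survive. The following is an added example, not code from the article or from BlackBerry’s whitepaper. The two “samples” are constructed byte strings standing in for binaries, not real malware; the C2 hostname and campaign tag are invented, and the toolchain marker strings (`Go build ID:`, `NimMain`, `/rustc/`) are assumptions based on strings those compilers commonly leave in binaries.

```python
"""
Added example: why a hash-based signature for one build of a loader misses a
rewrite of that loader in another language, and what a more durable static
rule keys on instead. Both samples below are constructed stand-ins, not real
binaries.
"""
import hashlib
import re
from typing import Optional

# Constructed stand-in for the original build of a loader family.
LOADER_V1 = (
    b"MZ\x90\x00" + b"\x00" * 28
    + b"This program cannot be run in DOS mode.\r\n"
    + b"msvcrt.dll\x00WinHttpOpen\x00"
    + b"update.example-c2.test\x00"   # constructed C2 indicator
    + b"campaign=orion-7\x00"         # constructed campaign tag
    + b"\xcc" * 64
)

# Constructed stand-in for the same loader rebuilt with a Nim toolchain: the
# operator-controlled indicators are unchanged, everything around them differs.
LOADER_V2_NIM = (
    b"MZ\x90\x00" + b"\x00" * 28
    + b"This program cannot be run in DOS mode.\r\n"
    + b"NimMain\x00nimFrame\x00"      # toolchain artefacts (assumed typical of Nim output)
    + b"winhttp.dll\x00WinHttpOpen\x00"
    + b"\x00" * 16
    + b"update.example-c2.test\x00"
    + b"campaign=orion-7\x00"
    + b"\x90" * 80
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# A signature the way many legacy feeds still ship it: the hash of a known sample.
KNOWN_BAD_HASHES = {sha256_hex(LOADER_V1)}


def hash_signature_hits(sample: bytes) -> bool:
    """True only for the exact bytes that were hashed when the signature was written."""
    return sha256_hex(sample) in KNOWN_BAD_HASHES


# Static rule keyed on content that survives a rewrite: indicators the operator
# reuses plus an import the loader needs whatever language it is written in.
# All three must be present, which keeps the rule from firing on any binary
# that merely imports WinHttpOpen.
INVARIANT_RULE = {
    "c2_host": re.compile(re.escape(b"update.example-c2.test")),
    "campaign_tag": re.compile(rb"campaign=[a-z]+-\d+"),
    "http_import": re.compile(re.escape(b"WinHttpOpen")),
}


def invariant_rule_hits(sample: bytes) -> bool:
    """True when every invariant indicator is found somewhere in the sample."""
    return all(pattern.search(sample) for pattern in INVARIANT_RULE.values())


# Rough toolchain fingerprint from strings compilers leave behind. This is
# triage metadata for the analyst (which tooling to reach for), not a verdict.
TOOLCHAIN_MARKERS = {
    "go": [b"Go build ID:"],   # assumption: build-ID note emitted by the Go linker
    "nim": [b"NimMain"],       # assumption: entry symbol in Nim-generated C
    "rust": [b"/rustc/"],      # assumption: source paths kept in Rust panic strings
}


def guess_toolchain(sample: bytes) -> Optional[str]:
    """Return the first toolchain whose marker appears in the sample, else None."""
    for name, markers in TOOLCHAIN_MARKERS.items():
        if any(marker in sample for marker in markers):
            return name
    return None


if __name__ == "__main__":
    for label, sample in (("v1 (original)", LOADER_V1), ("v2 (Nim rewrite)", LOADER_V2_NIM)):
        print(f"{label:18} sha256={sha256_hex(sample)[:16]}... "
              f"hash-sig={hash_signature_hits(sample)} "
              f"invariant-rule={invariant_rule_hits(sample)} "
              f"toolchain={guess_toolchain(sample)}")
```

Run stand-alone, the script shows the hash signature matching only the original build while the invariant rule matches both, and the marker scan flags the rewrite as Nim so an analyst knows which decompiler support to look for. The same structure applies to the loader case: if only the packaging is rewritten, the payload’s own indicators are what the rule should reference, not the hash of any one wrapper.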

Other plus points for malicious developers include using uncommon languages as a layer of obfuscation, simply because of their relative youth and obscurity, and cross-compiling new malware to target Windows and macOS environments from the same code.

Out of the four languages analyzed in the compilation of its whitepaper, BlackBerry found that Go has matured to the point where it is becoming a go-to language for malicious actors, both at the advanced persistent threat (APT) level and at the commodity level, for developing new malware strains.

It said new Go-based samples now appear regularly, targeting all major operating systems in multiple observed campaigns. Along with Nim, Go is increasingly used to compile initial stagers for Cobalt Strike. Despite its adoption by legitimate developers, D appears to be a slow burner, but the researchers expect it to see an uptick in 2021.
