Malware developers are increasingly turning to unusual or “exotic” programming languages to hamper analysis efforts.
According to a new report published by BlackBerry’s Research & Intelligence team on Monday, there has been a recent “escalation” in the use of Go (Golang), D (DLang), Nim, and Rust, which are being used more commonly to “try to evade detection by the security community, or address specific pain-points in their development process.”
In particular, malware developers are experimenting with loaders and droppers written in these languages, created to be suitable for first and further-stage malware deployment in an attack chain.
BlackBerry’s team says that first-stage droppers and loaders are becoming more common in order to avoid detection on a target endpoint, and once the malware has circumvented existing security controls able to detect more typical forms of malicious code, they are used to decode, load, and deploy malware including Trojans.
Commodity malware cited in the report includes the Remote Access Trojans (RATs) Remcos and NanoCore. In addition, Cobalt Strike beacons are often deployed.
Some developers, however, with more resources at their disposal are rewriting their malware fully into new languages, an example being Buer to RustyBuer. Based on current trends, cybersecurity researchers say that Go is of particular interest to the cybercriminal community.
According to BlackBerry, both advanced persistent threat (APT) state-sponsored groups and commodity malware developers are taking a serious interest in the programming language to upgrade their arsenals. In June, CrowdStrike said a new ransomware variant borrowed features from HelloKitty/DeathRansom and FiveHands but used a Go packer to encrypt its main payload. The team says:
“This assumption is based upon the fact that new Go-based samples are now appearing on a semi-regular basis, including malware of all types, and targeting all major operating systems across multiple campaigns.”
While not as popular as Go, DLang, too, has experienced a slow uptick in adoption throughout 2021.
By using new or more unusual programming languages, the researchers say they may hamper reverse-engineering efforts and avoid signature-based detection tools, as well as improve cross-compatibility over target systems. The codebase itself may also add a layer of concealment without any further effort from the malware developer simply because of the language in which it is written.
