Analysts at BlackBerry Research & Intelligence have found that criminals are increasingly turning to unusual, “exotic” programming languages when writing malware, which makes the malware harder to analyze and reverse engineer and hampers security tools that rely on signatures.
According to the company, the languages in question are Go (Golang), D (DLang), Nim and Rust, which criminals use both to avoid detection by the cybersecurity community and to solve specific problems in the development process. In particular, malware authors are actively experimenting with loaders and droppers written in these languages, which are well suited to deploying malware in the first and subsequent stages of an attack. As a result, defenses may detect an intrusion too late.
“Programs written using known malicious techniques, but in a new language, are usually not detected as quickly as programs written in a more mature language. Downloaders, droppers and wrappers often simply change the first stage of the infection process, but do not affect the main components of a malicious campaign,” the experts explain.
The BlackBerry Research & Intelligence report lists the following cases of existing malware being rewritten, or new tools being created, in less well-known languages:
- Dlang: DShell, Vovalex, OutCrypt, RemcosRAT;
- Go: ElectroRAT, EKANS (also known as Snake), Zebrocy, WellMess, ChaChi;
- Nim: Cobalt Strike loaders based on Nim, NimzaLoader, Zebrocy, DeroHE;
- Rust: Convuster adware, RustyBuer, TeleBots downloader and backdoor, NanoCore dropper, PyOxidizer.
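Because signature-based tools lag on binaries from these toolchains, a first defensive step in triage is simply recognising which compiler produced a sample so it can be routed to the right analyst or sandbox profile. The following added example (not from the BlackBerry report) does that with a few string markers each toolchain tends to leave in its output; the marker list is an assumed heuristic, not an authoritative signature set, and the sample blobs are constructed stand-ins for real executables.

```python
import re

# Assumed heuristic markers that binaries built by each toolchain commonly carry
# (build-ID strings, runtime symbol names, source paths baked into panic messages).
TOOLCHAIN_MARKERS = {
    "Go":   [rb"Go build ID: \"", rb"go1\.\d+(\.\d+)?", rb"runtime\.gopanic"],
    "Rust": [rb"/rustc/[0-9a-f]{40}/", rb"library/std/src/", rb"rust_panic"],
    "Nim":  [rb"fatal\.nim", rb"system\.nim", rb"stdlib_system\.nim"],
    "D":    [rb"_D\d+core", rb"_D\d+object", rb"druntime"],
}


def fingerprint_toolchain(blob: bytes, min_hits: int = 2) -> dict:
    """Return {language: number_of_distinct_markers_found} for every toolchain
    that reaches min_hits. Requiring two distinct markers keeps a single
    incidental substring (for example a path inside a config string) from
    mislabelling a sample."""
    hits = {}
    for lang, patterns in TOOLCHAIN_MARKERS.items():
        count = sum(1 for pattern in patterns if re.search(pattern, blob))
        if count >= min_hits:
            hits[lang] = count
    return hits


def triage(blob: bytes) -> str:
    """Produce a queue label: the best-matching toolchain with its marker
    count, or 'unknown' when no toolchain reaches the threshold."""
    found = fingerprint_toolchain(blob)
    if not found:
        return "unknown"
    lang = max(found, key=found.get)
    return f"{lang} ({found[lang]} markers)"


# Constructed sample blobs standing in for raw executable bytes; only the
# marker-bearing fragments are present.
SAMPLE_GO = b"\x00" * 16 + b'Go build ID: "abc123"\x00go1.16.5\x00runtime.gopanic\x00'
SAMPLE_RUST = b"/rustc/" + b"a" * 40 + b"/library/std/src/panicking.rs\x00rust_panic\x00"
SAMPLE_PLAIN = b"MZ\x90\x00This program cannot be run in DOS mode." + b"\x00" * 32

if __name__ == "__main__":
    for name, blob in [("go", SAMPLE_GO), ("rust", SAMPLE_RUST), ("plain", SAMPLE_PLAIN)]:
        print(name, "->", triage(blob))
```

In practice the labels feed a review queue rather than a verdict: a Go or Nim loader is not malicious by itself, but it deserves a closer look when signature engines return nothing.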
Based on current trends, the researchers say Go is of particular interest to criminals: both “government hackers” and mass-malware developers work with it. For example, in June of this year CrowdStrike analysts reported a new ransomware variant that borrowed a number of functions from HelloKitty / DeathRansom and FiveHands but used a Go wrapper to encrypt the main payload.
“Our assumptions are based on the fact that new samples written in Go now appear on an almost regular basis. This applies to malware of all types that targets all major operating systems in a variety of malicious campaigns,” the experts conclude.