BlackBerry Research & Intelligence analysts have found that criminals are increasingly turning to unusual and exotic programming languages when developing malware, which makes the malware harder to analyse and reverse engineer and hampers security tools that rely on signatures.
According to the company, these are languages such as Go (Golang), D (DLang), Nim and Rust, which criminals use to avoid detection by the cybersecurity community, as well as to solve specific problems in the development process.
In particular, malware creators are actively experimenting with loaders and droppers written in these languages, which are suitable for deploying malware at the first and subsequent stages of an attack. Thus, defense mechanisms can detect an intrusion too late.
The BlackBerry Research & Intelligence report lists the following cases of existing malware being reworked, or new tools being created, in lesser-known languages:
- Dlang: DShell, Vovalex, OutCrypt, RemcosRAT;
- Go: ElectroRAT, EKANS (also known as Snake), Zebrocy, WellMess, ChaChi;
- Nim: Cobalt Strike loaders based on Nim, NimzaLoader, Zebrocy, DeroHE;
- Rust: adware Convuster, RustyBuer, TeleBots downloader and backdoor, NanoCore dropper, PyOxidizer.
Based on current trends, the researchers say the Go language is of particular interest to criminals. Both “government hackers” and developers of mass malware work with it. For example, in June of this year, CrowdStrike analysts reported a new ransomware variant that borrowed a number of functions from HelloKitty / DeathRansom and FiveHands, but used a Go wrapper to encrypt the main payload.
Let me remind you that I also wrote that Rust will become one of the main development languages for Android due to security.