Malware developers increase use of the unusual programming languages

malware and unusual programming languages

BlackBerry Research & Intelligence analysts have found that criminals are increasingly turning to unusual and exotic programming languages while working on malware, thus making it difficult to analyse their malware, reverse engineer it, and make it difficult for security tools that rely on signatures.

According to the company, the talk is about about languages such as Go (Golang), D (DLang), Nim and Rust, which are used by criminals to avoid detection by the cybersecurity community, as well as to solve specific problems in the development process.

In particular, malware creators are actively experimenting with loaders and droppers written in these languages, which are suitable for deploying malware at the first and subsequent stages of an attack. Thus, defense mechanisms can detect an intrusion too late.

Programs written using known malicious techniques, but in a new language, are usually not detected as quickly as programs written in a more mature language. Loaders, droppers and wrappers often simply change the first stage of the infection process, but do not affect the main components of a malicious campaign.the experts explain.

The BlackBerry Research & Intelligence report lists the following cases of reworking existing malware or creating new tools in lesser known languages:

  • Dlang: DShell, Vovalex, OutCrypt, RemcosRAT;
  • Go: ElectroRAT, EKANS (also known as Snake), Zebrocy, WellMess, ChaChi;
  • Nim: Cobalt Strike loaders based on Nim, NimzaLoader, Zebrocy, DeroHE;
  • Rust: adware Convuster, RustyBuer, TeleBots downloader and backdoor, NanoCore dropper, PyOxidizer.

Based on current trends, the researchers say the Go language is of particular interest to criminals. Both “government hackers” and developers of mass malware work with it. For example, in June of this year, CrowdStrike analysts reported a new variant of the ransomware that borrowed a number of functions from HelloKitty / DeathRansom and FiveHands, but used the Go wrapper to encrypt the main payload.

Our assumptions are based on the fact that new samples of [malware] written in Go are now appearing on an almost regular basis. This applies to malware of all types that targets all major operating systems in a variety of malicious campaigns.the experts conclude.

Let me remind you that I, for example, wrote that Rust will become one of the main development languages for Android due to security.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

View all of Vladimir Krasnogolovy's posts.

Leave a comment

Your email address will not be published. Required fields are marked *