Malware authors are increasingly using rarely spotted programming languages such as Go, Rust, Nim and DLang to create new tools and hinder analysis. The number of malware families written in these four languages is growing. The research team chose these languages to examine partly because they fit its detection methodologies, but also because the languages have strong community backing and could be considered more developed.
These uncommon programming languages are no longer as rarely used as once thought: threat actors have begun adopting them to rewrite known malware families or to build tooling for new malware sets. Specifically, researchers are tracking more loaders and droppers written in these rarer languages. These first-stage pieces of malware are designed to decode, load and deploy commodity malware such as the Remcos and NanoCore Remote Access Trojans (RATs), as well as Cobalt Strike, and they are commonly used to help threat actors evade detection on the endpoint.
In fact, use of the legitimate Cobalt Strike security tool has exploded: its usage in cyberattacks is up 161% year-on-year, and it has gone fully mainstream in the cybercrime world. Malware creators may have a reputation for being slow to let go of whatever is working, but they are happy to pick up new programming languages for the same reasons as their law-abiding counterparts. Doing so removes pain points in the development cycle, for one. A new language also keeps their creations a step – or two, or three – ahead of protection tools.
Researchers gave a number of reasons why using less common languages helps cyber attackers compromise their victims:
- Making up for deficits in existing languages: malicious programmers may be after things they lack in other languages, be it simpler syntax, performance gains or more efficient memory management. A new language might be the perfect tool for a given, targeted environment.
- Improving obfuscation: with exotic languages, the language itself can almost act as obfuscation simply because it is new. The languages can have a similar effect to traditional obfuscation and can be used in attempts to bypass conventional security measures and hinder analysis efforts.
- Cross-compilation more efficiently targets Windows & Mac: a malware developer can author one malware variant and cross-compile it to target the multiple architectures and operating systems used in most businesses. Malware authors then need fewer tools to target networks and can cast a wider net with less work.
Alternatively, well-resourced cyber criminals are completely rewriting existing malware in new languages rather than only writing wrappers and loaders. Researchers suggested that software engineers and threat researchers stand a better chance of catching these multi-language malware families if they employ dynamic or behavioural signatures that tag behaviour from sandbox output, endpoint detection and response (EDR) telemetry, or log data.
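As an added example (not from the original article or the researchers' tooling), the kind of static triage hint an analyst can run on a sample queue alongside the behavioural detection recommended above: flag which of the four toolchains a binary appears to come from, using marker strings the compilers commonly leave behind. The marker table is a heuristic assumption of this example, and the sample blobs are constructed stand-ins for file contents.

```python
from typing import Dict, List

# Heuristic toolchain markers (an assumption of this example, not a published
# signature set): strings Go, Rust, Nim and D builds commonly leave in binaries.
LANGUAGE_MARKERS: Dict[str, List[bytes]] = {
    "Go":   [b"Go build ID:", b"runtime.gopanic", b"go1."],
    "Rust": [b"rustc", b"library/std/src/panicking.rs", b"core::panicking"],
    "Nim":  [b"NimMain", b"NimMainModule", b".nim.c", b"@m"],
    "D":    [b"druntime", b"core.exception", b"_D"],
}


def fingerprint_toolchain(data: bytes, min_hits: int = 2) -> Dict[str, List[str]]:
    """Return {language: [markers found]} for each language with >= min_hits hits.

    Requiring two hits by default keeps short markers such as b"@m" or b"_D"
    from producing a label on their own; this is a triage hint, not proof.
    """
    hits: Dict[str, List[str]] = {}
    for lang, markers in LANGUAGE_MARKERS.items():
        found = [m.decode() for m in markers if m in data]
        if len(found) >= min_hits:
            hits[lang] = found
    return hits


def triage_label(data: bytes) -> str:
    """Best-guess queue label: the language with the most marker hits, else 'unknown'."""
    hits = fingerprint_toolchain(data)
    if not hits:
        return "unknown"
    lang = max(hits, key=lambda k: len(hits[k]))
    return f"{lang} ({len(hits[lang])} markers)"


# Constructed sample blobs standing in for file contents (not real malware).
SAMPLE_GO = (b"MZ\x90\x00" + b"\x00" * 32
             + b"Go build ID: \"example-id\"\x00" + b"\x00" * 8
             + b"go1.16.5\x00")
SAMPLE_RUST_WEAK = b"MZ\x90\x00" + b"\x00" * 32 + b"rustc\x00"   # one marker only
SAMPLE_C = b"MZ\x90\x00" + b"\x00" * 32 + b"Hello from plain C\x00"

if __name__ == "__main__":
    for name, blob in [("go", SAMPLE_GO), ("rust-weak", SAMPLE_RUST_WEAK), ("c", SAMPLE_C)]:
        print(name, "->", triage_label(blob))
```

A label from this check only tells an analyst which toolchain's unpacking and decoding conventions to expect; confirming what a loader actually drops still needs the sandbox, EDR or log-based signatures described above.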
Neuways advises that, because it will take time for malware analysis tools to catch up with these new languages, it is imperative for businesses to remain proactive in defending against malware written in them. It is critical that industries and businesses understand and keep tabs on these trends, as they are only going to increase in the meantime.