Cyber criminals now aim to evade cyber security detection through the use of “exotic” programming languages. These include Go, Rust, Nim and Dlang. Binaries composed in these languages are more complex, convoluted and difficult to decipher than those written in traditional programming languages.
By and large, researchers believe that malware written in a newer language, even when it relies on the same malicious techniques as before, is not detected at the same rate as malware written in a more mature programming language.
“In the never ending industry of malware creation, the use of exotic programming languages looks to trip up reverse engineering efforts and tries to avoid identification through signature-based detection for example,” says Check Point security expert, Mark Ostrowski.
Relearning programming languages & security: Malware 101
Historically, malware authors have been known to “shape shift” and to evolve their tactics in order to sneak past security architectures. Across the past decade, a significant volume of malware has been written in the aforementioned languages, Go, Rust, Nim and Dlang. Examples include:
- Go: ElectroRAT, EKANS (aka Snake), Zebrocy, WellMess, ChaChi
- Dlang: DShell, Vovalex, OutCrypt, RemcosRAT
- Nim: NimzaLoader, Zebrocy, DeroHE, Nim-based Cobalt Strike loaders
- Rust: Convuster Adware, RustyBuer, TeleBots Downloader and Backdoor, NanoCore Dropper, PyOxidizer
In 2021, Go-based malware samples appeared to hit systems on a semi-regular basis, and the Go-oriented campaigns target all major operating systems. Increased use of Dlang has also come to experts’ attention.
In many of these cases, the loaders, droppers and wrappers written in these languages alter and obfuscate only the first stage of the malware delivery process. The main components of the campaigns remain the same; the rewritten first stage serves to hide a familiar payload behind structural modifications.
Malware authors with time and resources available are fully rewriting code, rather than simply using wrappers and loaders. Examples include BazaLoader, which has been replaced by NimzaLoader, and Buer, which has been replaced by RustyBuer.
Exotic programming languages have been used by groups like APT28, APT29, Fancy Bear and Strontium. Delivery methods mostly take the form of malicious email attachments.
Malware 101: Exotic malware prevention
To identify these malware types, IT teams and cyber security experts may want to leverage dynamic or behavioral signatures, which can tag behavioral sandbox output, or endpoint detection and response (EDR) log data.
In the event that static signatures fail, organizations may wish to deploy implementation-agnostic detection rules. These can tag dynamic behaviors. “In other circumstances such as shellcode loaders, which often inject into processes using a limited subset of Windows API calls, they can be identified using that limited subset,” states a report on the subject.
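The point the report makes, that a loader injecting into another process can be recognised from the small set of Windows API calls it must make regardless of the language it was compiled from, can be turned into an implementation-agnostic rule over sandbox output. The following is an added example, not code from the article or from any vendor product; the log line format, the process names and the `detect_remote_injection` function are constructed for illustration. It walks per-process API-call records and reports any process that completes the open/allocate/write/execute sequence against a single target, matching both the Win32 and the Nt* entry points so that a Go-built and a C-built loader trigger the same rule.

```python
"""Implementation-agnostic detection over sandbox API-call logs (added example).

The log format is constructed for this example and does not correspond to
any particular sandbox product. Each line has the shape:
    <seq> pid=<n> image=<name> api=<WinAPI> [target=<pid>]
"""
import re

# Constructed sample: two loaders built from different languages perform the
# same remote-thread injection; a text editor and an updater do not.
SAMPLE_LOG = """\
0001 pid=4100 image=loader_go.exe api=OpenProcess target=2020
0002 pid=4100 image=loader_go.exe api=VirtualAllocEx target=2020
0003 pid=4100 image=loader_go.exe api=WriteProcessMemory target=2020
0004 pid=4100 image=loader_go.exe api=CreateRemoteThread target=2020
0005 pid=5120 image=notepad.exe api=CreateFileW
0006 pid=5120 image=notepad.exe api=ReadFile
0007 pid=6300 image=loader_c.exe api=OpenProcess target=2020
0008 pid=6300 image=loader_c.exe api=VirtualAllocEx target=2020
0009 pid=6300 image=loader_c.exe api=WriteProcessMemory target=2020
0010 pid=6300 image=loader_c.exe api=NtCreateThreadEx target=2020
0011 pid=7000 image=updater.exe api=OpenProcess target=2020
0012 pid=7000 image=updater.exe api=ReadProcessMemory target=2020
"""

LINE_RE = re.compile(
    r"^\d+\s+pid=(?P<pid>\d+)\s+image=(?P<image>\S+)\s+api=(?P<api>\w+)"
    r"(?:\s+target=(?P<target>\d+))?\s*$"
)

# Ordered stages of remote injection. Each stage lists the API names that
# satisfy it, so a wrapper around the Win32 call and a direct Nt* call are
# treated alike; the language runtime in front of them is irrelevant.
INJECTION_STAGES = (
    ("open", {"OpenProcess", "NtOpenProcess"}),
    ("alloc", {"VirtualAllocEx", "NtAllocateVirtualMemory"}),
    ("write", {"WriteProcessMemory", "NtWriteVirtualMemory"}),
    ("exec", {"CreateRemoteThread", "NtCreateThreadEx",
              "RtlCreateUserThread", "QueueUserAPC", "SetThreadContext"}),
)


def parse_log(text):
    """Yield (pid, image, api, target) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            target = int(m["target"]) if m["target"] else None
            yield int(m["pid"]), m["image"], m["api"], target


def detect_remote_injection(text):
    """Return {pid: (image, target_pid)} for every process whose calls pass
    through all INJECTION_STAGES in order against one and the same target."""
    progress = {}  # pid -> (next stage index, target pid locked at 'open')
    hits = {}
    for pid, image, api, target in parse_log(text):
        if pid in hits:
            continue
        stage_idx, locked = progress.get(pid, (0, None))
        _, accepted = INJECTION_STAGES[stage_idx]
        if api in accepted and (locked is None or target == locked):
            stage_idx += 1
            locked = locked if locked is not None else target
            if stage_idx == len(INJECTION_STAGES):
                hits[pid] = (image, locked)
                continue
        progress[pid] = (stage_idx, locked)
    return hits


if __name__ == "__main__":
    for pid, (image, target) in detect_remote_injection(SAMPLE_LOG).items():
        print(f"remote injection: pid={pid} image={image} -> target pid {target}")
```

Both loaders are flagged and the updater, which opens and reads a process but never allocates or writes in it, is not; the rule keys on the sequence of behaviour rather than on any property of the binary that produced it.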
According to researchers, libraries within a binary can commonly be “signaturized”. This enables the use of a near-identical methodology to that of better-known languages, such as C++. While this possibility isn’t always available, it can help.
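"Signaturizing" the runtime library that every binary from a given toolchain carries is what lets the familiar static approach carry over. The following is an added example, not code from the article: it scans a file image for marker strings that the Go, Rust, Nim and D runtimes leave in compiled output (the Go build ID and `runtime.main`, the `/rustc/` source-path prefix, `NimMain`, `_d_run_main`) and reports the toolchain when enough markers coincide. The marker lists and the `fingerprint_runtime` function are this example's own choices and should be tuned against real samples; the two sample blobs are constructed, not real binaries.

```python
"""Toolchain fingerprinting from runtime-library marker strings (added example).

Marker strings below are this example's own selection of artefacts that the
respective runtimes commonly leave in compiled binaries; treat them as a
starting point to validate and extend against real samples, not a product rule.
"""
import re

RUNTIME_MARKERS = {
    "Go":   [b"Go build ID:", b"runtime.main", b".gopclntab", b"go1."],
    "Rust": [b"/rustc/", b"library/std/src", b"rust_begin_unwind", b"rust_panic"],
    "Nim":  [b"NimMain", b"nimGC", b"nimFrame"],
    "D":    [b"_d_run_main", b"druntime", b"core.runtime"],
}

GO_VERSION_RE = re.compile(rb"go1\.\d+(?:\.\d+)?")


def fingerprint_runtime(blob, min_hits=2):
    """Return [(language, [matched markers])], best match first, for every
    language with at least `min_hits` distinct markers present in `blob`.
    Requiring more than one marker keeps a stray substring from misfiring."""
    results = []
    for lang, markers in RUNTIME_MARKERS.items():
        matched = [m.decode() for m in markers if m in blob]
        if len(matched) >= min_hits:
            results.append((lang, matched))
    results.sort(key=lambda r: len(r[1]), reverse=True)
    return results


def go_version(blob):
    """Return the embedded Go toolchain version string, or None."""
    m = GO_VERSION_RE.search(blob)
    return m.group(0).decode() if m else None


# Constructed sample "binaries": a few runtime strings padded with filler,
# standing in for the string tables of real Go and Rust executables.
SAMPLE_GO = (b"MZ" + b"\x00" * 64 + b'Go build ID: "abc123"\x00' + b"\xff" * 16
             + b"go1.17.3\x00" + b"runtime.main\x00runtime.gopanic\x00")
SAMPLE_RUST = (b"\x7fELF" + b"\x00" * 64 + b"/rustc/0123456789abcdef/library/std/src/"
               b"panicking.rs\x00" + b"rust_begin_unwind\x00")
SAMPLE_UNKNOWN = b"MZ" + b"\x00" * 64 + b"MSVCRT.dll\x00printf\x00go1.\x00"


if __name__ == "__main__":
    for name, blob in (("go", SAMPLE_GO), ("rust", SAMPLE_RUST), ("other", SAMPLE_UNKNOWN)):
        print(name, fingerprint_runtime(blob), go_version(blob))
```

Once the toolchain is known, the same per-library signature workflow used for C++ runtimes applies: strip the matched runtime functions from what remains to be reverse engineered and concentrate on the author's own code.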
Malware sample analysis tools may not be able to pick up on these new languages immediately. However, the security community can still remain proactive in defending against the malicious use of these programming languages.