Hackers turning to 'exotic' languages for next-gen malware, report warns

Coding languages such as Go, Rust, Nim and DLang are allowing malware authors to avoid signature detection and add layers of obfuscation

Hackers are increasingly turning to relatively obscure programming languages when coding malware in a bid to avoid detection and pose greater challenges for the cyber security industry.

Security professionals are coming across greater numbers of malware strains that are being written in ‘exotic’ languages such as Go, Rust, Nim, and DLang, according to researchers with Blackberry. Operators are even adopting these languages to rewrite existing malware families and create tools for new malware sets.

It has been found that these coding languages typically thwart signature-based detection, while malware analysis tooling doesn’t always adequately support unconventional programming languages.

These languages themselves also serve as a layer of obfuscation, because each of them is relatively new and has little in the way of supported analysis tooling. However, these four languages identified in the report are each fairly developed and have a strong community backing.

“Programs written using the same malicious techniques but in a new language are not usually detected at the same rate as those written in a more mature language,” the report concluded. “This is the latest trend in threat actors moving the line just outside of the range of security software in a way that might not trigger defenses in later stages of the original campaign.”

“Malicious binaries written in languages like D, Rust, Go, or Nim currently comprise a small percentage of the languages being used by bad actors in the world today, but it is imperative that the security community stay proactive in defending against the malicious use of emerging technologies and techniques.”

Each language has its own benefits and drawbacks in different scenarios, the researchers also explained. Nim, for example, can be compiled into several languages such as C, C++, and even JavaScript. DLang has many syntax improvements over C, as well as being fully interoperable with, and syntactically similar to, C.

Rust is known for having a very low overhead, and is efficient where performance is concerned, while Go is widely touted as C for the 21st century, according to the paper.

Related Resource

The five essentials from your endpoint security partner

Empower your MSP business to operate efficiently

Five essentials from your endpoint security partner - title against a background of blue circles - whitepaper from MalwarebytesDownload now

Although C-language malware is still the most widespread, malware operators, including major groups such as Fancy Bear and Cozy Bear, are using unconventional languages in their malware sets more often than other groups.

Often enough, entire C-language malware families don’t actually need to be rewritten from scratch, with these groups simply writing loaders, droppers, and wrappers in exotic languages instead. This means they can effectively embed their payloads in harder-to-detect shells that are newly written in order to avoid signature-based detection.

There is a litany of cases cited in the report where such groups have adopted elements written in obscure languages to disguise their attacks. In 2018, for example, Cozy Bear was seen targeting Windows and Linux machines with WellMess, a remote access trojan (RAT) written in Go and .NET.

Fancy Bear was also discovered in 2018 using a Go-based Trojan identified as a rewritten version of the original Zebrocy malware. The following year, the group was seen using a Nim downloader alongside the Go backdoor in the same campaign targeting embassies and ministries of foreign affairs in Eastern Europe and Central Asia.

Featured Resources

How virtual desktop infrastructure enables digital transformation

Challenges and benefits of VDI

Free download

The Okta digital trust index

Exploring the human edge of trust

Free download

Optimising workload placement in your hybrid cloud

Deliver increased IT agility with the cloud

Free Download

Modernise endpoint protection and leave your legacy challenges behind

The risk of keeping your legacy endpoint security tools

Download now

Recommended

Hackers could use new Wslink malware in highly targeted cyber attacks
malware

Hackers could use new Wslink malware in highly targeted cyber attacks

1 Nov 2021
FBI raids Chinese POS business following cyber attack claims
malware

FBI raids Chinese POS business following cyber attack claims

27 Oct 2021
Malware developers create malformed code signatures to avoid detection
malware

Malware developers create malformed code signatures to avoid detection

24 Sep 2021
Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021

Most Popular

How to move Microsoft's Windows 11 from a hard drive to an SSD
Microsoft Windows

How to move Microsoft's Windows 11 from a hard drive to an SSD

4 Jan 2022
Microsoft Exchange servers break thanks to 'Y2K22' bug
email delivery

Microsoft Exchange servers break thanks to 'Y2K22' bug

4 Jan 2022
Hired by machines: Exploring recruitment's machine-driven future
recruitment

Hired by machines: Exploring recruitment's machine-driven future

8 Jan 2022