IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Hackers turning to 'exotic' languages for next-gen malware, report warns

Coding languages such as Go, Rust, Nim and DLang are allowing malware authors to avoid signature detection and add layers of obfuscation

Hackers are increasingly turning to relatively obscure programming languages when coding malware in a bid to avoid detection and pose greater challenges for the cyber security industry.

Security professionals are coming across greater numbers of malware strains that are being written in ‘exotic’ languages such as Go, Rust, Nim, and DLang, according to researchers with Blackberry. Operators are even adopting these languages to rewrite existing malware families and create tools for new malware sets.

It has been found that these coding languages typically thwart signature-based detection, while malware analysis tooling doesn’t always adequately support unconventional programming languages.

These languages themselves also serve as a layer of obfuscation, because each of them is relatively new and has little in the way of supported analysis tooling. However, these four languages identified in the report are each fairly developed and have a strong community backing.

“Programs written using the same malicious techniques but in a new language are not usually detected at the same rate as those written in a more mature language,” the report concluded. “This is the latest trend in threat actors moving the line just outside of the range of security software in a way that might not trigger defenses in later stages of the original campaign.”

“Malicious binaries written in languages like D, Rust, Go, or Nim currently comprise a small percentage of the languages being used by bad actors in the world today, but it is imperative that the security community stay proactive in defending against the malicious use of emerging technologies and techniques.”

Each language has its own benefits and drawbacks in different scenarios, the researchers also explained. Nim, for example, can be compiled into several languages such as C, C++, and even JavaScript. DLang has many syntax improvements over C, as well as being fully interoperable with, and syntactically similar to, C.

Rust is known for having a very low overhead, and is efficient where performance is concerned, while Go is widely touted as C for the 21st century, according to the paper.

Related Resource

The five essentials from your endpoint security partner

Empower your MSP business to operate efficiently

Five essentials from your endpoint security partner - title against a background of blue circles - whitepaper from MalwarebytesDownload now

Although C-language malware is still the most widespread, malware operators, including major groups such as Fancy Bear and Cozy Bear, are using unconventional languages in their malware sets more often than other groups.

Often enough, entire C-language malware families don’t actually need to be rewritten from scratch, with these groups simply writing loaders, droppers, and wrappers in exotic languages instead. This means they can effectively embed their payloads in harder-to-detect shells that are newly written in order to avoid signature-based detection.

There is a litany of cases cited in the report where such groups have adopted elements written in obscure languages to disguise their attacks. In 2018, for example, Cozy Bear was seen targeting Windows and Linux machines with WellMess, a remote access trojan (RAT) written in Go and .NET.

Fancy Bear was also discovered in 2018 using a Go-based Trojan identified as a rewritten version of the original Zebrocy malware. The following year, the group was seen using a Nim downloader alongside the Go backdoor in the same campaign targeting embassies and ministries of foreign affairs in Eastern Europe and Central Asia.

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Recommended

Hackers could use new Wslink malware in highly targeted cyber attacks
malware

Hackers could use new Wslink malware in highly targeted cyber attacks

1 Nov 2021
FBI raids Chinese POS business following cyber attack claims
malware

FBI raids Chinese POS business following cyber attack claims

27 Oct 2021
Malware developers create malformed code signatures to avoid detection
malware

Malware developers create malformed code signatures to avoid detection

24 Sep 2021
Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021

Most Popular

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks
Security

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks

27 Jun 2022
The UK's best cities for tech workers in 2022
Business strategy

The UK's best cities for tech workers in 2022

24 Jun 2022
Carnival hit with $5 million fine over cyber security violations
cyber security

Carnival hit with $5 million fine over cyber security violations

27 Jun 2022