Jump to content
  • Hackers Turning to 'Exotic' Programming Languages for Malware Development

    aum

    • 563 views
    • 3 minutes
     Share


    • 563 views
    • 3 minutes

    Hackers Turning to 'Exotic' Programming Languages for Malware Development

     

    Threat actors are increasingly shifting to "exotic" programming languages such as Go, Rust, Nim, and Dlang that can better circumvent conventional security protections, evade analysis, and hamper reverse engineering efforts.

     

    "Malware authors are known for their ability to adapt and modify their skills and behaviors to take advantage of newer technologies," said Eric Milam, Vice President of threat research at BlackBerry. "That tactic has multiple benefits from the development cycle and inherent lack of coverage from protective products."

     

    On the one hand, languages like Rust are more secure as they offer guarantees like memory-safe programming, but they can also be a double-edged sword when malware engineers abuse the same features designed to offer increased safeguards to their advantage, thereby making malware less susceptible to exploitation and thwart attempts to activate a kill-switch and render them powerless.

     

    Noting that binaries written in these languages can appear more complex, convoluted, and tedious when disassembled, the researchers said the pivot adds additional layers of obfuscation, simply by virtue of them being relatively new, leading to a scenario where older malware developed using traditional languages like C++ and C# are being actively retooled with droppers and loaders written in uncommon alternatives to evade detection by endpoint security systems.

     

    Earlier this year, enterprise security firm Proofpoint discovered new malware written in Nim (NimzaLoader) and Rust (RustyBuer) that it said were being used in active campaigns to distribute and deploy Cobalt Strike and ransomware strains via social engineering campaigns. In a similar vein, CrowdStrike last month observed a ransomware sample that borrowed implementations from previous HelloKitty and FiveHands variants, while using a Golang packer to encrypt its main C++-based payload.

     

    Some of the prominent examples of malware written in these languages over the past decade are as follows -

     

    • Dlang - DShell, Vovalex, OutCrypt, RemcosRAT
    • Go - ElectroRAT, EKANS (aka Snake), Zebrocy, WellMess, ChaChi
    • Nim - NimzaLoader, Zebrocy, DeroHE, Nim-based Cobalt Strike loaders
    • Rust - Convuster Adware, RustyBuer, TeleBots Downloader and Backdoor, NanoCore Dropper, PyOxidizer

     

    "Programs written using the same malicious techniques but in a new language are not usually detected at the same rate as those written in a more mature language," BlackBerry researchers concluded.

     

    "The loaders, droppers and wrappers [...] are in many cases simply altering the first stage of the infection process rather than changing the core components of the campaign. This is the latest in threat actors moving the line just outside of the range of security software in a way that might not trigger on later stages of the original campaign."

     

    Source

    • Like 2

    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...