Uncommon programming languages — including Go, Rust, Nim, and DLang — are becoming favorites among malware authors seeking to bypass security defenses or address weak spots in their development process, BlackBerry researchers report.
The research team chose these four languages after noticing an increase both in their use for malicious purposes and in the number of malware families written in them. Attackers adopting new programming languages is nothing new; however, the researchers note these particular languages are maturing, and they anticipate an uptick in their use as the trend continues.
There are several reasons why someone might adopt a new programming language: it may address a weakness in an existing language or give developers simpler syntax, more efficient memory management, or a performance boost. A new language may also be a better fit for its environment — for example, Internet of Things devices use lower-level languages, the researchers point out.
As attackers seek these benefits, they pose a challenge to defenders. Malware analysis tools don't always support lesser-known languages, and binaries written in Go, Rust, Nim, and DLang can appear more complex when disassembled compared with binaries built from traditional languages such as C or C++. Analysts may also be unfamiliar with the newer languages, and their intricacies come with a learning curve.
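As a concrete triage step, the following Go program (an added example, not code from the BlackBerry report or from any tool it names) checks a binary image for well-known Go toolchain markers before an analyst commits time to disassembling it. The marker strings are ones the standard Go linker emits regardless of target platform: the build-info blob magic `\xff Go buildinf:`, the `Go build ID: "..."` note, and the `runtime.main` symbol name. The two sample images embedded below are constructed for the example and only loosely imitate the layout of a real binary.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"regexp"
)

// goMarker pairs a human-readable label with a byte sequence the standard Go
// toolchain leaves in binaries it produces, on every target OS.
type goMarker struct {
	label  string
	marker []byte
}

var goMarkers = []goMarker{
	// Magic at the start of the build-info blob the linker writes (survives -s -w).
	{"buildinfo magic", []byte("\xff Go buildinf:")},
	// Build ID note the linker emits; also survives symbol stripping.
	{"build ID note", []byte("Go build ID: \"")},
	// Runtime entry symbol; typically gone once the symbol table is stripped.
	{"runtime.main symbol", []byte("runtime.main")},
}

// Loose heuristic for the toolchain version string stored in the build-info blob.
var goVersionRe = regexp.MustCompile(`go1\.[0-9]+(\.[0-9]+)?`)

// GoIndicators returns the labels of all markers found in the image.
func GoIndicators(image []byte) []string {
	var hits []string
	for _, m := range goMarkers {
		if bytes.Contains(image, m.marker) {
			hits = append(hits, m.label)
		}
	}
	return hits
}

// LooksLikeGo is a coarse verdict: at least two independent markers present.
// Requiring two avoids flagging a C binary that merely embeds the string
// "runtime.main" in its data section.
func LooksLikeGo(image []byte) bool {
	return len(GoIndicators(image)) >= 2
}

// ToolchainVersion returns the first "go1.x[.y]" string in the image, or ""
// if none. It is a heuristic: any file containing such a string yields a hit.
func ToolchainVersion(image []byte) string {
	return string(goVersionRe.Find(image))
}

// Constructed sample images (not real binaries, made up for this example): a
// Go-like one carrying all three markers plus a version string, and a C-like
// one carrying none of them.
var SampleGoImage = []byte("\x7fELF\x02\x01\x01" +
	"\xff Go buildinf:\x08\x02" + "\x08go1.20.3" +
	"Go build ID: \"abc123/def456/ghi789/jkl012\"" +
	"runtime.main\x00main.main\x00")

var SampleNonGoImage = []byte("\x7fELF\x02\x01\x01" +
	"GCC: (GNU) 12.2.0\x00" + "main\x00printf\x00")

func main() {
	for _, img := range [][]byte{SampleGoImage, SampleNonGoImage} {
		fmt.Printf("markers=%v looksLikeGo=%v version=%q\n",
			GoIndicators(img), LooksLikeGo(img), ToolchainVersion(img))
	}
	// Optionally triage a real file passed on the command line.
	if len(os.Args) > 1 {
		data, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, "read failed:", err)
			os.Exit(1)
		}
		fmt.Printf("%s: markers=%v looksLikeGo=%v version=%q\n",
			os.Args[1], GoIndicators(data), LooksLikeGo(data), ToolchainVersion(data))
	}
}
```

The string scan is deliberately dumb so it works on PE, ELF and Mach-O alike; once a file is flagged, `go version -m <file>` on an unstripped binary gives the module list, and a Go-aware disassembler plugin can recover function names from the pclntab.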
A growing trend the researchers note is older malware written in more traditional languages, such as C++ and C#, being revamped with droppers and loaders written in comparatively uncommon languages. The older malware is usually stored in encrypted or encoded form within the first stage, using XOR, RC4, AES, or other methods, the report states.
Once decrypted, the binary is dropped to disk or injected into a running process and loaded into memory. The researchers note this appeals to attackers because it saves them the trouble of rewriting the malware: they can simply "wrap" the old malware in one of these delivery methods.
Signature-based security tools may have caught the second stage of a dropper or loader using a well-known piece of malware, either when it was dropped to disk or loaded into memory; rewriting the malware, or the stage that delivers it, in a different language gives it the potential to bypass defenses because existing signatures likely won't match. The decrypted second stage itself is unchanged, so the evasion targets static signatures on the first-stage file rather than detection of the payload once it is running.
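To make the evasion concrete, here is an added Go example (not code from the report or from any malware it describes). It builds a constructed stand-in for a "known" second stage, wraps it with the single-byte XOR the report lists among the encodings, and shows that a byte signature matches the plaintext but not the wrapped blob. It then performs the check a scanner or unpacker would: brute-forcing the one-byte key space to recover the payload. Payload, signature and keys are all made up for the example. The recovery generalizes to any repeating-key XOR short enough to enumerate, but not to RC4 or AES, where the key has to be extracted from the loader or the loader has to be executed.

```go
package main

import (
	"bytes"
	"fmt"
)

// Constructed stand-in for a well-known second-stage payload: an executable-like
// header followed by a distinctive string. Sample data made up for this example,
// not bytes from any real malware family.
var SamplePayload = []byte("MZ\x90\x00\x03\x00" +
	"Beacon-C2/1.0 :: connect back to controller" +
	"\x00\x00")

// The byte sequence a static signature would key on in the plaintext payload.
var KnownSignature = []byte("Beacon-C2/1.0")

// XORKeystream applies a repeating-key XOR. XOR is its own inverse, so the same
// call encrypts at build time and decrypts inside the first stage at run time.
func XORKeystream(data, key []byte) []byte {
	out := make([]byte, len(data))
	if len(key) == 0 {
		copy(out, data)
		return out
	}
	for i, b := range data {
		out[i] = b ^ key[i%len(key)]
	}
	return out
}

// Wrap is what a first-stage dropper does at build time: store the payload
// encoded so the signature is not visible in the first-stage file.
func Wrap(payload []byte, key byte) []byte {
	return XORKeystream(payload, []byte{key})
}

// HasSignature is the static check a signature-based scanner performs.
func HasSignature(image, sig []byte) bool {
	return bytes.Contains(image, sig)
}

// RecoverSingleByteXOR tries every one-byte key and returns the first one whose
// decoding contains the signature. This is the cheap check an unpacker (or a
// YARA rule with the xor modifier) runs; it does nothing against RC4 or AES,
// where the key has to be pulled from the loader, or the loader executed,
// before the second stage can be matched.
func RecoverSingleByteXOR(blob, sig []byte) (key byte, plain []byte, ok bool) {
	for k := 0; k < 256; k++ {
		candidate := XORKeystream(blob, []byte{byte(k)})
		if bytes.Contains(candidate, sig) {
			return byte(k), candidate, true
		}
	}
	return 0, nil, false
}

func main() {
	const dropperKey = 0x5A
	wrapped := Wrap(SamplePayload, dropperKey)

	fmt.Println("signature in plaintext payload:  ", HasSignature(SamplePayload, KnownSignature))
	fmt.Println("signature in wrapped first stage:", HasSignature(wrapped, KnownSignature))

	if k, plain, ok := RecoverSingleByteXOR(wrapped, KnownSignature); ok {
		fmt.Printf("brute force recovered key 0x%02x; payload restored: %v\n",
			k, bytes.Equal(plain, SamplePayload))
	}

	// A longer repeating key defeats the single-byte search; an unpacker would
	// have to recover the key from the loader instead.
	multi := XORKeystream(SamplePayload, []byte{0x11, 0x22, 0x33})
	_, _, ok := RecoverSingleByteXOR(multi, KnownSignature)
	fmt.Println("single-byte search against 3-byte key succeeded:", ok)
}
```

The practical takeaway is the one the report makes: a file-level signature for the old payload stops matching the moment it is wrapped, while a memory scan after the first stage has decrypted and loaded it, or a behavioural rule on what the payload does, is unaffected by the language of the wrapper.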
BlackBerry notes that while some notable malware has been written in Go, Rust, Nim, and DLang, occurrences are still rare, and most of it has been written in Go. Each of these relatively uncommon languages brings its own benefits to the developer using it.
As Attackers Shift Gears, Defenders Follow
As the researchers point out, malware authors aren't the only ones adopting uncommon languages: in recent years the security community has also taken them up for offensive use in red-team tooling, much of which is open source or publicly available.
The report points to last year's FireEye breach, in which nation-state attackers stole the security firm's red-team tools. In response, FireEye released a statement and a GitHub repository containing detection signatures for the stolen tools. The repository revealed that FireEye's red team had been using a combination of publicly available and in-house tools written in several languages, including Go, DLang, and Rust, the researchers report.
Go, for example, is the youngest on BlackBerry's list but has been broadly adopted by red teams; many offensive security tools have been rewritten in or purpose-built for Go. The leaked FireEye tooling showed the firm had created a multiplatform Go remote access Trojan (RAT). Go also underpins Sliver, the adversary emulation framework from Bishop Fox, and Merlin, a popular C2 framework written entirely in Go so that it is natively cross-platform.
Researchers note a "thumbs-up" from major security firms can signal that a programming language or technology is poised to go mainstream. They also point out that the security industry usually does not develop analysis tools and techniques until there is "a certain level of saturation of malware being written in a new language."
Malware written in these lesser-known languages is usually not detected at the same rate as malware written in more common and mature languages, researchers note. For now, attackers are altering the first stage of the infection process rather than the core of their campaigns, but security teams should still discuss the risk these languages pose and how they could affect their defenses.