Hackers turning to 'exotic' languages for next-gen malware, report warns
Coding languages such as Go, Rust, Nim and DLang are allowing malware authors to avoid signature detection and add layers of obfuscation


Hackers are increasingly turning to relatively obscure programming languages when coding malware in a bid to avoid detection and pose greater challenges for the cyber security industry.
Security professionals are coming across greater numbers of malware strains written in ‘exotic’ languages such as Go, Rust, Nim, and DLang, according to researchers with BlackBerry. Operators are even adopting these languages to rewrite existing malware families and create tools for new malware sets.
The researchers found that malware written in these languages typically thwarts signature-based detection, while malware analysis tooling doesn’t always adequately support unconventional programming languages.
These languages themselves also serve as a layer of obfuscation, because each of them is relatively new and has little in the way of supported analysis tooling. However, these four languages identified in the report are each fairly developed and have a strong community backing.
“Programs written using the same malicious techniques but in a new language are not usually detected at the same rate as those written in a more mature language,” the report concluded. “This is the latest trend in threat actors moving the line just outside of the range of security software in a way that might not trigger defenses in later stages of the original campaign.”
“Malicious binaries written in languages like D, Rust, Go, or Nim currently comprise a small percentage of the languages being used by bad actors in the world today, but it is imperative that the security community stay proactive in defending against the malicious use of emerging technologies and techniques.”
Each language has its own benefits and drawbacks in different scenarios, the researchers also explained. Nim, for example, can be compiled into several languages such as C, C++, and even JavaScript. DLang has many syntax improvements over C, as well as being fully interoperable with, and syntactically similar to, C.
Rust is known for having a very low overhead, and is efficient where performance is concerned, while Go is widely touted as C for the 21st century, according to the paper.
Although C-language malware is still the most widespread, some malware operators, including major groups such as Fancy Bear and Cozy Bear, are using unconventional languages in their malware sets more often than other groups.
Often enough, entire C-language malware families don’t actually need to be rewritten from scratch, with these groups simply writing loaders, droppers, and wrappers in exotic languages instead. This means they can effectively embed their payloads in harder-to-detect shells that are newly written in order to avoid signature-based detection.
There is a litany of cases cited in the report where such groups have adopted elements written in obscure languages to disguise their attacks. In 2018, for example, Cozy Bear was seen targeting Windows and Linux machines with WellMess, a remote access trojan (RAT) written in Go and .NET.
Fancy Bear was also discovered in 2018 using a Go-based Trojan identified as a rewritten version of the original Zebrocy malware. The following year, the group was seen using a Nim downloader alongside the Go backdoor in the same campaign targeting embassies and ministries of foreign affairs in Eastern Europe and Central Asia.

Keumars Afifi-Sabet is a writer and editor who specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.