Cyber attackers are using less common programming languages, such as Go, D, Nim and Rust, to evade detection or find network weak spots.
That’s according to BlackBerry researchers, who found that ‘exotic’ programming languages are increasingly being employed for malicious intent.
“Some malware groups have taken the opportunity to branch out and try new or exotic programming languages to address pain points in their development process, or to try to evade detection by the security community,” the BlackBerry Old Dogs New Tricks report said.
Researchers noticed an escalation in the number of malware families being identified and published that use these rarer languages.
After investigating, the team found that most of the notable malware has been written in Go, a C-family language with a simpler syntax that Google began developing in 2007 and released publicly in 2009.
While this phenomenon isn’t new, going back to the use of Delphi and VB6 as wrapper layers for malware and, more recently, to the rewrite of the now-infamous BazarLoader in the Nim programming language (named NimzaLoader), the research team warns that history is repeating itself.
Organisations must stay on top of this emerging situation and avoid a repeat of the PowerShell experience, in which fileless malware attacks were carried out through the Windows tool.
These attacks can go undetected by antivirus software because there is no file on disk for a signature to match, and they abuse a trusted native program that is already present on the system.
“There’s a chance to be proactive on this before it becomes a giant problem.
“It took at least seven years to get a handle on PowerShell and we don’t want that to happen again,” a spokesperson for the BlackBerry Research and Intelligence Team told Information Age.
Security researchers and analysts need to start improving detection methodologies and updating security tools.
“The use of these languages is going to mean challenges, and while security products play catch up, organisations must consider whether they have the skills internally to understand the threats they are facing with this new technology,” the spokesperson said.
The challenge in reverse-engineering such attacks
Why are these languages being used in attacks?
Timeline of prominent Go, Rust, D and Nim malware. Photo: Blackberry
BlackBerry said malware developers are mirroring what’s happening in the legitimate developer world, with the emergence of a growing number of new and exotic programming languages.
“By adapting to take advantage of newer technologies, threat actors are pivoting to our blind spots,” the spokesperson said.
The research is intended to give some exposure to these languages and shed light on the current threats that are leveraging them.
“The trend of using new programming languages by threat actors is not new, however threats exploiting new coding languages continue to emerge.”
However, one of the challenges in countering these threats is that certain languages, like VB6, can actually hamper reverse-engineering efforts, because malware analysis tooling does not always adequately support exotic programming languages.
“This failing can make analysis efforts a more tedious experience because the analyst must sift through unlabelled library code and rabbit-hole subroutines,” the BlackBerry report states.
Signature-based detection of malware depends on specific static characteristics being present within a file: byte sequences or structural features that sit in the file as it is stored, do not change from copy to copy, and can be checked without executing it.
When malware is rewritten in a new language, as BazarLoader was in Nim, the compiled code, runtime library and embedded strings all change, so the signatures written to detect the previous iteration will more than likely not match. New signatures then have to be created to detect these variants, either by human malware researchers or with machine-learning tooling.
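The following is an added illustration, not code from the BlackBerry report or from Information Age, of the two points above: a static signature looks for fixed byte sequences, so a signature keyed to one build's implementation strings fails on a port to another language, while the language itself can be recognised from the strings its compiler runtime leaves behind. The two "binaries" are constructed byte strings, not real samples; the loader name, function names, C2 hostname and the Nim-style mangled names are invented for the example, and the runtime marker lists are heuristic assumptions (typical strings, not an authoritative or complete set).

```python
"""Static, signature-style triage of a binary blob.

Added example: which compiler runtime left its fingerprints in the file, and
does a signature written for one build still match a port to another language?
Marker lists are heuristic assumptions; sample blobs are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Heuristic strings that compiler runtimes typically leave in binaries.
# Assumption: representative markers only, not an exhaustive list.
LANGUAGE_MARKERS: dict[str, list[bytes]] = {
    "go":   [b"Go build ID:", b".gopclntab", b"runtime.main", b"go1."],
    "rust": [b"/rustc/", b"rust_begin_unwind", b"rust_panic", b"core::panicking"],
    "nim":  [b"NimMain", b"stdlib_system.nim", b"nimFrame", b"@nim"],
    "d":    [b"_Dmain", b"_d_run_main", b"core.runtime", b"_d_dso_registry"],
}


def detect_language(blob: bytes, min_hits: int = 2) -> dict[str, list[bytes]]:
    """Return the markers found per language, keeping languages with >= min_hits.

    Requiring more than one marker avoids flagging a file on a single
    coincidental string.
    """
    hits: dict[str, list[bytes]] = {}
    for lang, markers in LANGUAGE_MARKERS.items():
        found = [m for m in markers if m in blob]
        if len(found) >= min_hits:
            hits[lang] = found
    return hits


@dataclass(frozen=True)
class Signature:
    """A minimal static signature: byte patterns plus an 'N of them' condition."""
    name: str
    patterns: tuple[bytes, ...]
    required: int

    def matches(self, blob: bytes) -> bool:
        return sum(p in blob for p in self.patterns) >= self.required


def triage(blob: bytes, signatures: list[Signature]) -> dict[str, list[str]]:
    """Static triage result: detected languages and the signatures that fired."""
    return {
        "language": sorted(detect_language(blob)),
        "signatures": [s.name for s in signatures if s.matches(blob)],
    }


def _blob(*parts: bytes) -> bytes:
    """Join constructed strings with NUL bytes so they resemble a string table."""
    return b"\x00" * 16 + b"\x00".join(parts) + b"\x00" * 16


# Constructed stand-in for a loader built with a C/C++ toolchain (not a real file).
SAMPLE_C_BUILD = _blob(
    b"MSVCRT.dll", b"__CxxFrameHandler3",
    b"DownloadPayload", b"InjectIntoProcess",
    b"update.example", b"/gate",          # invented C2 hostname and path
)

# Constructed stand-in for the same loader ported to Nim: runtime markers and
# mangled function names change, the embedded C2 configuration does not.
SAMPLE_NIM_PORT = _blob(
    b"NimMain", b"stdlib_system.nim", b"nimFrame",
    b"downloadPayload__loader_12", b"injectIntoProcess__loader_34",
    b"update.example", b"/gate",
)

# A signature keyed to implementation artefacts of the first build ...
SIG_V1_CODE = Signature(
    "loader_v1_code",
    (b"__CxxFrameHandler3", b"DownloadPayload", b"InjectIntoProcess"),
    required=2,
)
# ... and one keyed to the configuration the operators reused.
SIG_V1_C2 = Signature("loader_v1_c2", (b"update.example", b"/gate"), required=2)

SIGNATURES = [SIG_V1_CODE, SIG_V1_C2]


if __name__ == "__main__":
    for label, blob in (("C build", SAMPLE_C_BUILD), ("Nim port", SAMPLE_NIM_PORT)):
        print(label, triage(blob, SIGNATURES))
```

Run stand-alone, the C build trips both signatures and no language marker, while the Nim port is recognised as Nim, misses the code-level signature entirely and is caught only by the C2 signature. That is the practical lesson of the paragraph above: signatures on compiler-specific bytes have to be rewritten per language, whereas signatures on what the operators reuse (infrastructure, configuration, protocol strings) survive a rewrite.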
“Detection methodologies don’t exist for threats using some of these coding languages, so protective solutions may fail to mitigate them at a very high rate. This means the threat actors will have a higher success rate with these new pieces of malware,” the spokesperson told Information Age.