Malware developers are increasingly using "exotic" programming languages such as Go, Rust, DLang and Nim to write malicious code that evades detection by security tools and adds a layer of concealment to their attacks, according to a report released by BlackBerry.
The company's researchers found that malware developers are building a new range of loaders and droppers (malicious programs designed to introduce other malware onto a device) in these four languages to deliver or disguise remote access Trojans (RATs), as well as malicious versions of legitimate tools such as Cobalt Strike, to potential victims, the report says.
The document also notes that in many cases threat actors are turning to these languages specifically to evade detection and hide an attack. "Each of these languages is relatively new and has few fully supported analysis tools," the BlackBerry researchers note.
The report also observes that older malware written in traditional languages like C++ and C# is increasingly being paired with droppers and loaders written in the exotic languages. Typically, the older malware is stored in encrypted form within the first stage, using XOR, RC4, AES or other encryption and encoding methods.
Instead of rewriting or recompiling older but still effective malware, attackers are now "wrapping" that malicious code in a dropper or loader written in one of the newer languages, which then delivers the malware to vulnerable devices or networks while evading detection by various security tools, the BlackBerry researchers note.
The report notes that while attackers are increasingly adopting languages like Rust and DLang, most of the malicious tools the researchers examined were written in Go, the open source language originally developed by Google and officially released to developers in 2012.
Malware developed with Go includes ElectroRAT, a RAT designed to steal cryptocurrencies from digital wallets, and Ekans, or Snake, a type of ransomware that can attack IT networks as well as industrial control systems, according to researchers.
Some groups are using newer programming languages as part of an effort to better hide their attacks. For example, a threat group known as TA800 used the Nim language to create a loader called NimzaLoader, which is typically delivered to victims in a phishing email that contains a malicious attachment, the report notes. Once installed, NimzaLoader connects to a command and control server and attempts to deliver secondary malware such as Cobalt Strike.