Technological advancements are one of the strongest forces in the modern era. The latest technologies have improved efficiency, altered the shape of society, and revolutionized living standards. However, they can also be misused by malicious actors or turned against the purpose for which they were created. Bad actors have a reputation for being slow to change what already works for them, but that is not always the case: some malware groups have taken the opportunity to try uncommon programming languages for malware development.
Programming languages for malware development such as DLang, Nim, Rust, and Go are becoming popular among malware authors as a way to bypass security defenses and address weak points in their development process, BlackBerry researchers report. The research team selected these four languages because they noticed an increase in their use for malicious purposes and a growing number of malware families written in them. So why is there an escalation in the number of malware families detected using these uncommon programming languages? Let's find the answer.
Why Do Malware Authors Use Uncommon Programming Languages To Develop Malware?
New languages are generally adopted to overcome a deficiency in an existing language. Their creators aim for simple syntax, efficient memory management, and better performance. Here are some of the reasons why malware authors use uncommon programming languages for malware development.
- The Old Guard_ VB6 and Delphi forged the path on which newer languages now walk.
- Malware analysis tooling for uncommon programming languages
- Thwarting signature-based detection_ Signature-based detection depends on specific static characteristics within a file. When malware is written in a new language, new signatures have to be created to detect its variants, either manually or with the help of artificial intelligence (AI).
- Additional layers of obfuscation_ For most uncommon programming languages, the language itself can act as an obfuscation layer. Additional obfuscation tools include denim for Nim, garble for Go, and obfstr for Rust. No DLang-specific obfuscation method has been observed yet.
- Malware and software engineering_ Threat actors are conscious of using secure languages because they do not want to put themselves at risk. These languages also help demonstrate that a development team, a company, or an individual is using the most efficient, modern, and productive ways of development.
- Cross-compilation_ It gives attackers the opportunity to author a malware variant once in one language and cross-compile it to target different operating systems and architectures.
- Security software detection_ The threat landscape is evolving as malware written in languages that were once considered niche proliferates. Developers and security software vendors must stay ahead of the risks from new threats that their products are not yet able to detect and mitigate.
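As an added example (not from the BlackBerry report or this article), the following Python triage helper shows the kind of static characteristic a defender can key on: each of these four toolchains leaves recognizable strings in the binaries it produces. The marker strings are assumed heuristics to be tuned against real samples, and the "binaries" below are constructed byte blobs, not real malware.

```python
# Illustrative language-toolchain triage: count known runtime/linker strings in a binary.
# Marker lists are assumptions (heuristics); tune them against a corpus of real samples
# or translate them into YARA rules for your detection pipeline.
LANGUAGE_MARKERS = {
    "Go":   [b"Go build ID:", b"runtime.main", b"go1."],
    "Rust": [b"/rustc/", b"library/std/src/", b"core::panicking"],
    "Nim":  [b"NimMain", b"system.nim", b"nimZeroMem"],
    "D":    [b"_d_throw", b"core.exception", b"druntime"],
}


def classify_language(data: bytes, min_hits: int = 2):
    """Return (language, hits_per_language) for the toolchain with the most marker
    hits, or (None, {}) if no language reaches min_hits. Requiring at least two
    independent markers keeps a single incidental string from triggering a match."""
    scores = {}
    for lang, markers in LANGUAGE_MARKERS.items():
        hits = [m.decode() for m in markers if m in data]
        if len(hits) >= min_hits:
            scores[lang] = hits
    if not scores:
        return None, {}
    best = max(scores, key=lambda lang: len(scores[lang]))
    return best, scores


def classify_file(path: str):
    """Convenience wrapper: classify a file on disk by its raw bytes."""
    with open(path, "rb") as fh:
        return classify_language(fh.read())


# Constructed sample "binaries": a file magic, some padding, and toolchain strings
# of the kind each compiler embeds. These are synthetic, not captured samples.
SAMPLES = {
    "go_sample":   b"\x7fELF" + b"\x00" * 16 + b"Go build ID: \"abc\"\x00runtime.main\x00go1.17",
    "rust_sample": b"MZ" + b"\x00" * 16 + b"/rustc/deadbeef/library/std/src/panicking.rs\x00core::panicking",
    "nim_sample":  b"MZ" + b"\x00" * 16 + b"NimMain\x00system.nim\x00",
    "d_sample":    b"\x7fELF" + b"\x00" * 16 + b"_d_throwc\x00core.exception.AssertError\x00",
    "c_sample":    b"\x7fELF" + b"\x00" * 16 + b"__libc_start_main\x00printf\x00",
}


def classify_samples():
    """Classify every constructed sample; None means no uncommon toolchain was recognized."""
    return {name: classify_language(blob)[0] for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, lang in classify_samples().items():
        print(f"{name}: {lang or 'no uncommon-language toolchain markers'}")
```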
Four Uncommon Programming Languages For Malware Development Are:
Dlang
Walter Bright at Digital Mars created Dlang, a multi-paradigm system programming language released in 2001. Andrei Alexandrescu continued development of the language until the first stable release in 2007. According to a note on the developers' website, "the general look of Dlang is like C and C++, which makes it easier to learn and transition code to D. Porting code to D from C/C++ should feel natural. The developers will not have to learn entire new methods of doing things."
This language aims to offer developers ways to write code efficiently and quickly. It is useful for applications such as machine learning (ML), web development, data analytics, GUI applications, kernel development, and AAA video game development. Moreover, it can be used on different operating systems, including macOS, Linux, Windows, and even Android, with support from several compilers.
Dlang has several qualities that make it appealing to malware authors.
- It can be cross-compiled to target architectures and operating systems.
- It supports multiple paradigms, such as structured, object-oriented, and functional programming.
- It is suitable for building lightweight and standalone utilities.
- It is suitable for the development of different applications and project types.
- It has an easy learning curve.
- It draws inspiration from C and C++.
Examples Of Malware Written In Dlang
The fact that Dlang can be cross-compiled, together with its ease of use for C programmers, makes it an ideal language for threat actors. Here are some examples of malware written in this language.
- DShell
DShell was the first Dlang utility developed by FireEye for use in its red-teaming services. Its existence was unveiled unwittingly to the public after a data breach, when an unnamed APT threat actor penetrated FireEye's network in December 2020. DShell is a Dlang-compiled red-team tool that operates like a backdoor. It is capable of modifying firewall rules, connecting to a command-and-control channel, and carrying an encoded payload.
- Vovalex Ransomware
The Vovalex ransomware first appeared in February 2021. It uses Trojanized versions of commonly used applications such as CCleaner as an infection vector. The Trojan executes as an installer sub-process, giving the user the impression that everything is proceeding as expected. Vovalex is a relatively unsophisticated ransomware variant by today's standards.
- OutCrypt Ransomware
This ransomware was first mentioned in July 2020. OutCrypt uses an unknown infection vector and has not yet been linked to any known attacks. Upon execution, the malware starts searching through directories for files to encrypt. Infection by this ransomware leaves users' files unrecoverable, so it could be considered a destructor.
Nim
Nim is a notable programming language that is becoming progressively more common thanks to features that set it apart from other options. Like more mature languages such as Java, C, and C++, Nim is statically compiled. Andreas Rumpf started its development in 2005 under the name "Nimrod". Version 0.6.0 was published in 2008; it was the first release in which the compiler, originally developed in Pascal, was itself written and compiled in Nim.
Nim was designed with these three goals in mind.
Efficiency
- Nim creates dependency-free, native executables.
- The generated executables and Nim compiler support all the major platforms, such as Linux, Windows, macOS, and BSD.
- Modern concepts such as compile-time evaluation and zero-overhead iterators for user-defined functions, combined with a preference for value-based datatypes allocated on the stack, lead to extremely performant code.
- Nim's memory management is deterministic and customizable, with move semantics and destructors.
- Nim has a powerful macro system that allows direct manipulation of the AST, providing unlimited opportunities.
- It is self-contained: the standard library and compiler are implemented in Nim.
- It has a modern type system with tuples, local type inference, generics, and sum types.
- The syntax is flexible enough; macros cannot change Nim's syntax, as there is no need for it.
- Statements can span multiple lines but are grouped by indentation.
Examples Of Malware Written In Nim
- NimzaLoader
Threat actor TA800 distributed a new malware in a phishing campaign in February 2021. The samples were written in Nim, which inspired the name NimzaLoader. It is generally distributed via phishing emails. In the past, TA800 has been found using BazarLoader or TrickBot in its attacks.
- Zebrocy
Zebrocy is a malware family first seen in 2015. It is generally distributed as an email attachment targeting foreign affairs ministries and embassies in Central Asia and Eastern Europe. Over the years it has been rewritten in different programming languages; the first Nim downloader for it appeared in 2019.
- DeroHE ransomware
The IObit forums were used to distribute DeroHE ransomware in January 2021. Emails offering a one-year free subscription to IObit products were sent to several forum users.
- Cobalt Strike
Cobalt Strike has become a popular tool among adversaries for command-and-control channels. Many endpoint protection solutions have become good at detecting and stopping the various loaders used to download Cobalt Strike beacons. Various loaders written in Nim were found to counter the effectiveness of these products.
Rust
Graydon Hoare started the Rust programming language project in 2006 as a side project at Mozilla Research. Since 2015, the language has been run by an organization independent of Mozilla. It has been used in major applications, such as Mozilla's Firefox web browser, and other organizations, such as Google, Facebook, and Amazon Web Services (AWS), act as stewards for the project.
Despite being a new programming language, Rust is a favorite among developers. It combines the power of low-level control with memory efficiency and speed. Languages like Python and Java rely on garbage collection for automatic memory management; Rust does not, yet it still gives a notable improvement in memory safety over C and C++.
- Performance_ Rust is memory efficient and blazingly fast, with no garbage collector. It can power performance-critical services, run on embedded devices, and integrate easily with other languages.
- Productivity_ Rust has a friendly compiler, great documentation, and top-notch tooling. It has an integrated package manager, type inspections, and smart multi-editor support with auto-completion.
- Reliability_ Rust's ownership model and rich type system guarantee thread and memory safety, letting you eliminate whole classes of bugs at compile time.
Examples Of Malware Written In Rust
- Convuster Adware
Convuster is Rust-based adware that targeted macOS systems in 2021. How this adware arrives on a system is unknown, but it may be downloaded by other adware without the user's knowledge.
- RustyBuer
RustyBuer is a Rust rewrite of Buer, a malware loader written in C that was first distributed in phishing campaigns in 2019. The loader is sold on underground marketplaces to download Trojans or ransomware.
- Early Linux Backdoor
One of the earliest Rust malware samples was found by antivirus vendor Dr.Web in 2016. This Linux backdoor, which leveraged IRC, was a proof of concept because the sample was not capable of spreading to other victims.
- TeleBots Downloader and Backdoor
TeleBots is considered to originate from a Russian threat actor and has been associated with attacks against Ukraine's critical infrastructure. TeleBots is also often seen using the KillDisk malware.
Go
Go was developed in 2007 by Rob Pike, Robert Griesemer, and Ken Thompson at Google. It was made public in 2009 and released in 2012. Google developed Go to address the disconnect between older languages and the reality of the computing landscape. Many others, including Uber, Twitch, SoundCloud, and Docker, have adopted it along the way. Go might not be the most loved language among developers, but it is the most wanted. The Go website defines its purpose as "making it easy to build simple, reliable, and efficient software."
- Simple_ Go has a simplified syntax, but it belongs to the C family. This means Go is easy to learn, and Go programs are easier to read than their C equivalents.
- Efficient_ It builds on compilation efficiency and maintains the runtime efficiency of C. The reason is goroutines, which are analogous to lightweight threads handled by the Go runtime. Go also provides an API set for concurrency, abstracting developers away from many pitfalls.
- Reliable_ Google promises source-level compatibility for the Go language and standard library across Go v1: any code written against Go v1 needs only to be recompiled, not rewritten, for future versions.
Examples of malware written in Go
- EKANS
EKANS, also known as Snake, is an obfuscated malware written in Go. It is unique in having certain industrial control processes as its victims, and it stands out as a rare instance where industrial operations are targeted by a financially motivated actor rather than a nation-state.
This is a malware family generally associated with APT29. Its implants are cross-compiled for ELF and PE and support HTTPS, HTTP, and DNS communications. Once a connection is established, newer variants support PowerShell capabilities.
- Zebrocy in Go
Zebrocy was rewritten in Go in 2018, and a Zebrocy downloader executable developed in Go was discovered in October 2020.
- Early Go Dropper
Encriyoko, considered the first sample of a Go malware Trojan, was first reported in 2012 by Broadcom. It attempts to pose as an Android rooting tool called GalaxyNxRoot.exe. The file is ransomware that uses the Blowfish algorithm to encrypt targets' files.
Older malware written in common languages like C, C++, and C# is being given new life with loaders and droppers written in the uncommon programming languages discussed in this article. While wrappers and loaders are the cost-effective option, some well-resourced threat actors are starting to rewrite existing malware entirely in these exotic languages. There may be a less obvious reason for these rewrites: it is easier to recreate an existing solution while learning a new programming language, because developers only need to concentrate on the language rather than also battling the steeper learning curve of creating a new solution.