IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Hackers turning to 'exotic' languages for next-gen malware, report warns

Coding languages such as Go, Rust, Nim and DLang are allowing malware authors to avoid signature detection and add layers of obfuscation

Hackers are increasingly turning to relatively obscure programming languages when coding malware in a bid to avoid detection and pose greater challenges for the cyber security industry.

Security professionals are coming across greater numbers of malware strains that are being written in ‘exotic’ languages such as Go, Rust, Nim, and DLang, according to researchers with Blackberry. Operators are even adopting these languages to rewrite existing malware families and create tools for new malware sets.

It has been found that these coding languages typically thwart signature-based detection, while malware analysis tooling doesn’t always adequately support unconventional programming languages.

These languages themselves also serve as a layer of obfuscation, because each of them is relatively new and has little in the way of supported analysis tooling. However, these four languages identified in the report are each fairly developed and have a strong community backing.

“Programs written using the same malicious techniques but in a new language are not usually detected at the same rate as those written in a more mature language,” the report concluded. “This is the latest trend in threat actors moving the line just outside of the range of security software in a way that might not trigger defenses in later stages of the original campaign.”

“Malicious binaries written in languages like D, Rust, Go, or Nim currently comprise a small percentage of the languages being used by bad actors in the world today, but it is imperative that the security community stay proactive in defending against the malicious use of emerging technologies and techniques.”

Each language has its own benefits and drawbacks in different scenarios, the researchers also explained. Nim, for example, can be compiled into several languages such as C, C++, and even JavaScript. DLang has many syntax improvements over C, as well as being fully interoperable with, and syntactically similar to, C.

Rust is known for having a very low overhead, and is efficient where performance is concerned, while Go is widely touted as C for the 21st century, according to the paper.

Related Resource

The five essentials from your endpoint security partner

Empower your MSP business to operate efficiently

Five essentials from your endpoint security partner - title against a background of blue circles - whitepaper from MalwarebytesDownload now

Although C-language malware is still the most widespread, malware operators, including major groups such as Fancy Bear and Cozy Bear, are using unconventional languages in their malware sets more often than other groups.

Often enough, entire C-language malware families don’t actually need to be rewritten from scratch, with these groups simply writing loaders, droppers, and wrappers in exotic languages instead. This means they can effectively embed their payloads in harder-to-detect shells that are newly written in order to avoid signature-based detection.

There is a litany of cases cited in the report where such groups have adopted elements written in obscure languages to disguise their attacks. In 2018, for example, Cozy Bear was seen targeting Windows and Linux machines with WellMess, a remote access trojan (RAT) written in Go and .NET.

Fancy Bear was also discovered in 2018 using a Go-based Trojan identified as a rewritten version of the original Zebrocy malware. The following year, the group was seen using a Nim downloader alongside the Go backdoor in the same campaign targeting embassies and ministries of foreign affairs in Eastern Europe and Central Asia.

Featured Resources

Meeting the future of education with confidence

How the switch to digital learning has created an opportunity to meet the needs of every student, always

Free Download

The Total Economic Impact™ of IBM Cloud Pak® for Watson AIOps with Instana

Cost savings and business benefits

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

Technology reimagined

Why PCaaS is perfect for modern schools

Free Download

Recommended

Hackers could use new Wslink malware in highly targeted cyber attacks
malware

Hackers could use new Wslink malware in highly targeted cyber attacks

1 Nov 2021
FBI raids Chinese POS business following cyber attack claims
malware

FBI raids Chinese POS business following cyber attack claims

27 Oct 2021
Malware developers create malformed code signatures to avoid detection
malware

Malware developers create malformed code signatures to avoid detection

24 Sep 2021
Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

7 Jun 2022
The top programming languages you need to learn for 2022
Careers & training

The top programming languages you need to learn for 2022

23 Jun 2022
Swift exit: How the world cut off Russian banks
finance

Swift exit: How the world cut off Russian banks

24 Jun 2022