Malware authors are increasingly using obscure programming languages

by | July 28, 2021 | Cybersecurity News

Malware makers are increasingly using rarely seen programming languages such as Rust, Go, Nim, and DLang to create new tools and evade detection, researchers have found. According to a report published by the BlackBerry Research and Intelligence Team, the number of detected malware families written in those four languages is escalating:

“These uncommon programming languages are no longer as rarely used as once thought. However, threat actors have begun to adopt them to rewrite known malware families or create tools for new malware sets.”

BlackBerry Research and Intelligence Team

Specifically, researchers are tracking more loaders and droppers written in less common languages, according to the report. “These new first-stage pieces of malware are designed to decode, load, and deploy commodity malware such as the Remcos and NanoCore Remote Access Trojans (RATs), as well as Cobalt Strike. They have been commonly used to help threat actors evade detection on the endpoint.”

Meanwhile, use of the legitimate Cobalt Strike security tool has exploded: its usage in cyberattacks is up to 161% year after year, and it has gone fully mainstream in the cybercrime world.

Downside of innovation for malware makers

Malware authors may be known for being slow to give up anything that works. Still, they are happy to adopt a new programming language for the same reason as their law-abiding counterparts: it helps eliminate pain points in the development cycle. In addition, from the malware author's perspective, a new language puts their creation one step, or two or three steps, ahead of protection tools. Eric Milam, vice president of threat research, stated in the report that:

“Malware authors are known for their ability to adapt and modify their skills and behaviors to take advantage of newer technologies. Unfortunately, this has multiple benefits from the development cycle and inherent lack of coverage from protective solutions.”

Just like non-malware programmers, malware makers need to protect themselves from exploitation. As an example of what they are strengthening their defenses to avoid, BlackBerry mentioned “EmoCrash.”

Roughly a year ago, security researcher James Quinn disclosed that he had developed a kill switch (called EmoCrash) that took advantage of a buffer overflow in the installation routine of the main binary of the notorious Emotet info stealer, causing it to crash and preventing it from infecting systems for six months. In fact, he has already prepared an Emotet vaccine.

APT28’s and APT29’s growing Go language fluency

Among these lesser-known languages, malware developers have traditionally written primarily in Go: a general-purpose language similar to C++ in that it’s statically typed and compiled. In fact, its compiler was initially written in C, although it’s now also written in Go.

Researchers said that C-language malware is still the most widespread. However, two threat actors from Russia, APT28 and APT29, have started to use the more exotic languages in malware sets more often than other gangs. APT28 is known as Fancy Bear or Strontium, while APT29 is aka Nobelium, Cozy Bear, or the Dukes.

Researchers from BlackBerry said that Go is now “one of the ‘Go-to’ languages for threat actors.” Those actors are producing variants at both the advanced persistent threat (APT) and commodity levels.

“New Go-based samples are now appearing on a semi-regular basis, including malware of all types, and targeting all major operating systems across multiple campaigns,” stated the researchers.

APT28 and APT29 are good examples. APT28, notorious for interfering in the 2016 presidential election through the infiltration of the Democratic National Committee, is linked to a wide range of attacks and malware families, particularly the Zebrocy malware family, which “notably uses multiple uncommon programming languages within its kill chain,” says the report.

Zebrocy, also referred to as Sednit, APT28, Fancy Bear, and Strontium, is used by the hacker group Sofacy. It operates as a downloader and collects data about infected hosts. According to the researchers, when Zebrocy samples were first seen in 2015, they contained three parts:

  • Delphi downloader
  • AutoIT downloader
  • Delphi backdoor

Regardless of which language Zebrocy is written in, it spreads through phishing campaigns that contain an initial trojan. The trojan tries to communicate with a command-and-control (C2) server and executes a downloader to drop a malicious payload via an established backdoor. Although it has been rewritten multiple times, “the delivery method via email attachment and general functionality remains largely the same,” researchers explained.

The following is a series of Go rewrites used by APT28:

  • 2018: A Go-based trojan linked to APT28 was found as a Zebrocy version with a rewritten variant of the original Delphi downloader.
  • 2019: Researchers found a Nim downloader together with the Go backdoor in the same Zebrocy campaign targeting embassies and ministries of foreign affairs in Central Asia and Eastern Europe.
  • 2020 and previous years: APT28 started to favor Go more and more, using other rewritten, essential Zebrocy components: the backdoor payload and downloader. Most recently, APT28 used the COVID-19 pandemic as bait to deliver the Go downloader version in December.

As for the other group, APT29 or Cozy Bear, notorious for its “contribution” to the SolarWinds supply-chain attacks of early 2020, it targeted Windows and Linux devices in 2018 with a remote access trojan (RAT) called WellMess, written in Go and .NET.

The researchers pointed out that the most prevalent version of WellMess is the Go version, which comes in both 32-bit and 64-bit variants as PE and ELF files, “giving APT29 the ability to deploy it to more than one type of architecture and OS.”

APT29 usually infiltrates a victim’s network by first scanning an organization’s external IP address for vulnerabilities and throwing public exploits against weak systems. The group is increasingly using Go variants, including the more sophisticated WellMess variants in 2020, to steal COVID-19 vaccine research from academic and pharmaceutical research institutions in countries around the world, including the United States, the United Kingdom, and Canada. The researchers pointed out that the newer version, while written in Go, has become more complex. For example, APT29 added more network communication protocols and the ability to run PowerShell scripts after infection.

BlackBerry researchers stated that:

“Both threat actors are still active and have conducted some of the most impactful Russian cyberattacks to date. Recent activity suggests that these groups have been using the uncommon programming languages mentioned in this paper to add complexity to their malware, target multiple platforms, and evade detection.”

Timeline of the obscure programming languages

source: threatpost.com

Besides Go, other lesser-known languages have been used in more and more malware families by additional threat actors over the past ten years. In the timeline provided by BlackBerry, DLang appears to be the least favored language in the evolving threat landscape, but it saw modest growth over 2020. This could mark a trend toward more general DLang adoption by malware authors, the report predicted.

According to the report, there is nothing modest about the big uptick in initial stagers for Cobalt Strike compiled with Go and, more recently, Nim. An initial stager is the binary used to speed up the first stage, initial access, by reaching out to download the Cobalt Strike beacon from a TeamServer:

“This server is responsible for serving the beacons themselves.” “It is important that defenders stay ahead of the curve in catching Cobalt Strike-related files written in these languages to enhance defensive capability against such a formidable threat.”

Why use less common languages?

BlackBerry’s team pointed out several reasons why using lesser-known languages helps attackers carry out their “nasty” actions:

1. Making up for deficits in existing languages

  • malware developers could be after a number of things they lack in other languages, such as a simpler syntax, performance boosts, or more efficient memory management. In addition, a new language might be the right tool for a given, targeted environment. As an example, the report noted that IoT (internet of things) devices use lower-level languages such as C or assembly.

2. Eliminating reverse engineering

  • not all malware analysis tools support fancy programming languages. Researchers from BlackBerry explained that: “Binaries written in Go, Rust, Nim, and DLang can appear more complex, convoluted, and tedious when disassembled, compared to their traditional C/C++/C# based counterparts”.

3. Messing with signature-based detection

  • for a signature to be spotted, it has to stay the same. One example of a static characteristic is a hash, which requires each byte to be identical, whether it’s a hash of the whole file, a hash of a certificate, and so on. New-language versions that change these previously static characteristics will mostly fail to be spotted. One example is BazarLoader, which was written in Nim.
  • “Signatures for existing malware families that are based off static properties have little success in tagging the same malware once rewritten in these more obscure languages. In situations such as Buer and RustyBuer (as well as BazarLoader and NimzaLoader), new rules usually must be created to tag these tangentially related variants,” the researchers explained.

4. Slathering on obfuscation

  • with these uncommon languages, the language itself can act as a form of obfuscation, given that it’s relatively new. Researchers said that: “The languages themselves can have a similar effect to traditional obfuscation and can be used to attempt to bypass conventional security measures and hinder analysis efforts.”

5. Cross-compilation more efficiently targets Windows and Macs

  • a malware maker can develop one version of a piece of malware and cross-compile it to target the multiple architectures and operating systems used in most companies. Malware developers need fewer tools to target networks and can cast a wider net with less work.

6. Teaching an old dog new tricks

  • according to the article, malware developers are using droppers and loaders written in uncommon languages to enhance old malware written in traditional languages such as C++ and C#.
  • again, this saves a lot of work because the author can skip the laborious process of recoding the malware and instead simply wrap it in a new dropper or loader that provides the rewritten delivery method.

Final thoughts

Software engineers and threat researchers will have a higher chance of catching these multi-language malware families if they use dynamic or behavioral signatures, that is, signatures that tag behavior via sandbox output, endpoint detection and response (EDR), or log data, according to BlackBerry.

Researchers say that using implementation-agnostic detection rules to tag dynamic behaviors can help when static signatures fail, because malware often behaves the same way even when it’s recoded. The report concluded that:

“In other circumstances such as shellcode loaders, which often inject into processes using a limited subset of Windows API calls, they can be identified using that limited subset.”
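The contrast between a hash signature (the “Messing with signature-based detection” point above) and an implementation-agnostic behavioral rule can be shown over sandbox output. This is an added example, not code from the article or the BlackBerry report; the sample names, byte strings, API traces, and the specific call chain are constructed assumptions.

```python
import hashlib

# Constructed sandbox output: (API name, target process id) pairs per sample.
# Sample names, byte strings and traces are made up for illustration.
SAMPLES = {
    "loader_cpp": {"bytes": b"constructed C++ build", "calls": [
        ("OpenProcess", 4120), ("VirtualAllocEx", 4120),
        ("WriteProcessMemory", 4120), ("CreateRemoteThread", 4120)]},
    "loader_nim_rewrite": {"bytes": b"constructed Nim rewrite", "calls": [
        ("GetTickCount", 0), ("OpenProcess", 4120),
        ("VirtualAllocEx", 4120), ("Sleep", 0),
        ("WriteProcessMemory", 4120), ("CreateRemoteThread", 4120)]},
    "benign_monitor": {"bytes": b"constructed benign tool", "calls": [
        ("OpenProcess", 900), ("ReadProcessMemory", 900), ("CloseHandle", 900)]},
}

# Assumed rule content: a common remote-injection call order (not from the report).
INJECTION_CHAIN = ["OpenProcess", "VirtualAllocEx",
                   "WriteProcessMemory", "CreateRemoteThread"]

def sha256(data):
    return hashlib.sha256(data).hexdigest()

# Static signature written for the original build only.
KNOWN_BAD_HASHES = {sha256(SAMPLES["loader_cpp"]["bytes"])}

def static_match(sample):
    return sha256(sample["bytes"]) in KNOWN_BAD_HASHES

def behavioral_match(calls, chain=INJECTION_CHAIN):
    """True if one target process receives the chain's calls in order;
    unrelated calls may be interleaved."""
    progress = {}  # target pid -> index of the next expected chain step
    for api, pid in calls:
        step = progress.get(pid, 0)
        if api == chain[step]:
            if step + 1 == len(chain):
                return True
            progress[pid] = step + 1
    return False

def triage(samples):
    return {name: {"static": static_match(s),
                   "behavioral": behavioral_match(s["calls"])}
            for name, s in samples.items()}

if __name__ == "__main__":
    print(triage(SAMPLES))
```

The rewritten build evades the hash but still trips the behavioral rule, while the benign trace and a chain split across different target processes do not.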

It will take a while for malware sample analysis tools to catch up with these new languages. Still, it’s “imperative” for the security community to “stay proactive in defending against the malicious use of emerging technologies and techniques,” says BlackBerry.

BlackBerry’s Milam advised that it is vital that the industry and customers recognize and monitor these trends, as they will only continue to grow.

Attribution:

Photo by Fotis Fotopoulos on Unsplash

by Andreea Popa
