Sunday, September 26, 2021

Watch for malware using uncommon programming languages, says BlackBerry

Security teams shouldn’t count on threat actors mainly using traditional languages such as C, C++, and C# as they have for years, warns a new report from BlackBerry. Malware authors are increasingly using new and uncommon programming languages to evade detection and hinder analysis, it says.

“Malicious binaries written in languages like D, Rust, Go or Nim currently comprise a small percentage of the languages being used by bad actors in the world today,” says the report. “However, it is imperative that the security community stay proactive in defending against the malicious use of emerging technologies and techniques.”

Programs written in a new language but using the same malicious techniques are not usually detected at the same rate as those written in a more common language, the report notes.

Related content:

Ransomware group using remote access trojan written in Go

Threat actors such as the Russia-based APT28 (also called Fancy Bear) and APT29 (also Russia-based, and dubbed Cozy Bear) have been using these unconventional programming languages in their malware sets to avoid detection more often than other groups, says the report’s author. Catching malware written in these languages requires different strategies. Multi-language malware families are more likely to be caught by dynamic or behavioral signatures, which tag behaviour seen in sandbox output, EDR (endpoint detection and response) software or log data, than by the static signatures built for existing malware families, the report says.
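To make the static-versus-behavioral point concrete, here is an added example (not code from the BlackBerry report): the same dropper behaviour traced in a sandbox, once as a C build and once rewritten in Go, checked against a static signature keyed on the C build's import names and against a language-independent behavioral rule. The sample names, strings, traces and the 198.51.100.7 address are constructed for illustration.

```python
# Constructed sandbox traces (not from the report): the same dropper
# behaviour, once built from C and once rewritten in Go, plus a benign
# installer. Strings, paths and the address 198.51.100.7 are made up.
SAMPLES = {
    "dropper_c.exe": {
        "strings": ["MSVCRT.dll", "URLDownloadToFileA", "CreateProcessA"],
        "events": ["net.connect dst=198.51.100.7:443",
                   "file.write path=C:\\Users\\Public\\svc.exe",
                   "proc.create image=C:\\Users\\Public\\svc.exe"]},
    "dropper_go.exe": {
        "strings": ["Go build ID:", "runtime.goexit", "net/http.(*Client).Do"],
        "events": ["net.connect dst=198.51.100.7:443",
                   "file.write path=C:\\Users\\Public\\svc.exe",
                   "proc.create image=C:\\Users\\Public\\svc.exe"]},
    "installer.exe": {  # benign: writes and runs a helper, no download first
        "strings": ["MSVCRT.dll", "CreateProcessA"],
        "events": ["file.write path=C:\\Temp\\setup_helper.exe",
                   "proc.create image=C:\\Temp\\setup_helper.exe"]},
}

# Static signature written against the C build's import names. It encodes
# how that one binary was built, not what it does, so the Go rewrite
# (different runtime, different strings) slips past it.
STATIC_SIG = {"URLDownloadToFileA", "CreateProcessA"}

def static_match(sample):
    return STATIC_SIG.issubset(sample["strings"])

def behavioral_match(sample):
    """Language-independent stager rule: outbound connection, then a file
    written to disk, then a process created from that same file path."""
    connected, dropped = False, set()
    for event in sample["events"]:
        kind, _, arg = event.partition(" ")
        value = arg.split("=", 1)[1].lower()
        if kind == "net.connect":
            connected = True
        elif kind == "file.write" and connected:
            dropped.add(value)
        elif kind == "proc.create" and value in dropped:
            return True
    return False

def evaluate(samples=SAMPLES):
    """Map sample name -> (static signature hit, behavioral rule hit)."""
    return {name: (static_match(s), behavioral_match(s))
            for name, s in samples.items()}

if __name__ == "__main__":
    for name, (static, behavioral) in evaluate().items():
        print(f"{name:16} static={static!s:5} behavioral={behavioral}")
```

The static signature fires only on the C build, while the behavioral rule fires on both droppers and stays quiet on the installer, which drops and runs a file without the preceding download.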

BlackBerry’s research and intelligence team has been seeing a growing number of loaders and droppers written in these and other uncommon languages to help threat actors evade detection on the endpoint. These new first-stage pieces of malware are designed to decode, load, and deploy commodity malware such as the Remcos and NanoCore Remote Access Trojans (RATs), as well as Cobalt Strike, a legitimate security tool increasingly misused by threat actors.

In many cases the loaders, droppers and wrappers seen by BlackBerry simply alter the first stage of the infection process rather than change the core components of the campaign. “This is the latest in threat actors moving the line just outside of the range of security software in a way that might not trigger on later stages of the original campaign,” say researchers.

Based on BlackBerry’s research and current trends, it appears that Go has matured to the point where it is now one of the “Go-to” languages for threat actors, at both the APT (advanced persistent threat) and the commodity level, for the development of malware variants. This assumption, the report says, is based on the fact that new Go-based samples are now appearing on a semi-regular basis, in malware of all types, targeting all major operating systems across multiple campaigns.

Researchers have seen a large increase in the use of initial stagers for Cobalt Strike being compiled using Go, and more recently in Nim. These initial stagers are the binaries used to facilitate first-stage, initial access by reaching out to download the Cobalt Strike beacon from a TeamServer. This server is responsible for serving the beacons themselves.

“It is important that defenders stay ahead of the curve in catching Cobalt Strike-related files written in these languages, to enhance defensive capability against such a formidable threat,” says the report.

The full report is available here. Registration required.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
