Security teams shouldn’t count on threat actors mainly using traditional languages such as C, C++, and C# as they have for years, warns a new report from BlackBerry. Malware authors are increasingly using new and uncommon programming languages to evade detection and hinder analysis, it says.
“Malicious binaries written in languages like D, Rust, Go or Nim currently comprise a small percentage of the languages being used by bad actors in the world today,” says the report. “However, it is imperative that the security community stay proactive in defending against the malicious use of emerging technologies and techniques.”
Programs written in a new language but using the same malicious techniques are not usually detected at the same rate as those written in a more common language, the report notes.
Threat actors such as the Russia-based APT28 (also called Fancy Bear) and APT29 (also Russia-based, and dubbed Cozy Bear) have been using these unconventional programming languages in their malware sets to avoid detection more often than other groups, says the report’s author. Catching malware written in these languages requires different strategies. There is a greater chance of detecting multi-language malware families with dynamic or behavioral signatures, which tag behavior via sandbox output, or by EDR (endpoint-detection and remediation) software or log data than with the static signatures built for existing malware families, the report says.
BlackBerry’s research and intelligence team has been seeing a growing number of loaders and droppers written in these and other uncommon languages to help threat actors evade detection on the endpoint.. These new first-stage pieces of malware are designed to decode, load, and deploy commodity malware such as the Remcos and NanoCore Remote Access Trojans (RATs), as well as Cobalt Strike, a legitimate security tool increasingly misused by threat actors.
In many cases the loaders, droppers and wrappers seen by BlackBerry simply alter the first stage of the infection process rather than change the core components of the campaign. “This is the latest in threat actors moving the line just outside of the range of security software in a way that might not trigger on later stages of the original campaign,” say researchers.
Based on BlackBerry’s research and current trends, it appears that Go has matured to where it is now one of the “Go-to” languages for threat actors. This is both at the APT (advanced persistent threat) and commodity level for the development of malware variants. This assumption, the report says, is based upon the fact that new Go-based samples are now appearing on a semi-regular basis, in malware of all types, and targeting all major operating systems across multiple campaigns.
Researchers have seen a large increase in the use of initial stagers for Cobalt Strike being compiled using Go, and more recently in Nim. These initial stagers are the binaries used to facilitate first-stage, initial access by reaching out to download the Cobalt Strike beacon from a TeamServer. This server is responsible for serving the beacons themselves.
“It is important that defenders stay ahead of the curve in catching Cobalt Strike-related files written in these languages, to enhance defensive capability against such a formidable threat,” says the report.
The full report is available here. Registration required.