The Rise of Unconventional Programming Languages in Malware Development

In recent years, cybercriminals have increasingly turned to unconventional programming languages like Go, Rust, Nim, and Dlang to develop malware. This strategic shift is aimed at bypassing traditional security measures, complicating analysis, and making reverse engineering more challenging.

Eric Milam, Vice President of threat research at BlackBerry, highlights that malware developers are adept at evolving their tactics to exploit new technologies. This approach offers multiple advantages, including a streamlined development process and the ability to exploit gaps in existing security solutions.

While languages such as Rust are designed to enhance security through features like memory safety, these same attributes can be manipulated by malware creators. This misuse makes malware more resistant to exploitation and complicates efforts to neutralize threats through kill-switch mechanisms.

Researchers have noted that malware binaries crafted in these newer languages tend to be more intricate and challenging to dissect. Because these languages are still relatively novel, that complexity acts as an additional layer of obfuscation. Consequently, older malware originally developed in languages like C++ and C# is being re-engineered with droppers and loaders in these less common languages to evade detection by endpoint security systems.

Rise of Novel Malware

Earlier this year, Proofpoint, a cybersecurity firm, identified new malware strains written in Nim (NimzaLoader) and Rust (RustyBuer). These were actively used in campaigns to deploy Cobalt Strike and ransomware through social engineering tactics. Similarly, CrowdStrike recently detected a ransomware variant that incorporated elements from previous HelloKitty and FiveHands versions, utilizing a Golang packer to encrypt its primary C++ payload.

According to a report by Israeli cybersecurity company Intezer, malware written in Go has surged by nearly 2,000% since 2017. This increase is attributed to both state-sponsored and independent threat actors integrating the language into their arsenal.

Embracing Uncommon Languages

BlackBerry's latest research indicates a growing trend among cybercriminals to adopt Dlang, Go, Nim, and Rust for rewriting existing malware families or developing new tools over the past decade:

  • Dlang - DShell, Vovalex, OutCrypt, RemcosRAT
  • Go - ElectroRAT, EKANS (also known as Snake), Zebrocy, WellMess, ChaChi
  • Nim - NimzaLoader, Zebrocy, DeroHE, Nim-based Cobalt Strike loaders
  • Rust - Convuster Adware, RustyBuer, TeleBots Downloader and Backdoor, NanoCore Dropper, PyOxidizer

BlackBerry researchers conclude that malware written in these newer languages is often not detected as effectively as those in more established languages. The initial stages of infection, such as loaders and droppers, are frequently modified without altering the core components of the malware campaign. This tactic allows threat actors to stay just beyond the reach of security software, avoiding detection in the later stages of their operations.
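One practical consequence for defenders is that a triage pipeline should at least be able to tell which toolchain produced a binary, so that Go, Rust, Nim and D samples can be routed to analysts and tooling prepared for them. The script below is an added example written for this page, not code from BlackBerry, Proofpoint, CrowdStrike or Intezer. It scans raw executable bytes for runtime and toolchain marker strings that these compilers commonly leave behind (the marker table and the two-hit threshold are assumptions chosen for illustration) and reports a best-guess language. The sample blobs are constructed inline so the script runs offline.

```python
"""Toolchain fingerprinting for executable triage (added example, not from the article).

Assumption: the marker strings below are runtime/toolchain artefacts that often
survive in real Go, Rust, Nim and D binaries. They are heuristics: a stripped,
packed or deliberately obfuscated sample may carry none of them, which is
exactly the evasion the article describes, so a miss is not evidence of C/C++.
"""
import re
from pathlib import Path

# Byte-regex markers per toolchain (assumed typical, not exhaustive).
LANGUAGE_MARKERS = {
    "Go":   [rb"Go build ID:", rb"runtime\.main", rb"runtime\.gopanic", rb"go\.buildid"],
    "Rust": [rb"/rustc/", rb"core::panicking", rb"panicked at", rb"rust_begin_unwind"],
    "Nim":  [rb"NimMain", rb"nimFrame", rb"nimGC_"],
    "D":    [rb"_D\d+[A-Za-z_]", rb"rt_init", rb"core\.exception"],
}

# Require two independent markers before naming a language, to limit
# false positives from a single coincidental string.
MIN_HITS = 2


def fingerprint(data: bytes) -> dict:
    """Return {language: [matched marker patterns]} for every language with at least one hit."""
    hits = {}
    for lang, patterns in LANGUAGE_MARKERS.items():
        found = [p.decode() for p in patterns if re.search(p, data)]
        if found:
            hits[lang] = found
    return hits


def classify(data: bytes) -> str:
    """Best-guess toolchain for the bytes, or 'unknown' when no language reaches MIN_HITS."""
    hits = fingerprint(data)
    lang, found = max(hits.items(), key=lambda kv: len(kv[1]), default=(None, []))
    return lang if len(found) >= MIN_HITS else "unknown"


def classify_file(path: str) -> str:
    """Convenience wrapper for a file on disk; the verdict is a triage hint, not a final answer."""
    return classify(Path(path).read_bytes())


# Constructed sample blobs: a header stub followed by strings the markers look for.
SAMPLES = {
    "go_loader.bin":    b"\x7fELF" + b"\x00" * 16 + b'Go build ID: "abc"\x00runtime.main\x00runtime.gopanic\x00',
    "rust_dropper.bin": b"MZ" + b"\x00" * 16 + b"/rustc/deadbeef/library/core/src/panicking.rs\x00core::panicking::panic\x00",
    "nim_stub.bin":     b"MZ" + b"\x00" * 16 + b"NimMain\x00nimFrame\x00",
    "c_plain.bin":      b"MZ" + b"\x00" * 16 + b"__libc_start_main\x00printf\x00",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:18} -> {classify(blob):8} {fingerprint(blob)}")
```

Two caveats worth keeping in mind when using something like this on real samples: Nim compiles through a C backend, so a Nim binary also carries ordinary C runtime strings and should be attributed by its Nim-specific markers rather than by the absence of C ones; and a dropper written in one of these languages may carry an encrypted payload in another, so the verdict describes the outer layer only. Treat a hit as a routing signal for deeper analysis, not as a detection in itself.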

© scram-pra.org