Hackers Using Obscure Programming Languages to Evade Detection
Table of Contents
- By Dawna M. Roberts
- Aug 19, 2021
ZDNet reported this week that malware developers are turning to obscure or “exotic” programming languages to “hamper analysis efforts,” and evade detection.
What is Going On?
Researchers at Blackberry issued a report on Monday claiming that hackers are increasingly resorting to languages like Go (Golang), D (DLang), Nim, and Rust to evade detection and analysis by threat assessors.
ZDNet expands on this “In particular, malware developers are experimenting with loaders and droppers written in these languages, created to be suitable for first and further-stage malware deployment in an attack chain.”
The BlackBerry researchers also mention that these languages are used for droppers and loaders to avoid detection on the initial device. Then once the malware has avoided detection, it is deployed to load other types of malware, including Trojans.
According to the report, some examples are “Remote Access Trojans (RATs) Remcos and NanoCore. In addition, Cobalt Strike beacons are often deployed.”
Other gangs with sophisticated programming skills are completely rewriting their malware in these unusual languages, such as Buer, which was revised to become RustyBuer.
One of the most commonly used languages now is Go. ZDNet explains, “both advanced persistent threat (APT) state-sponsored groups and commodity malware developers are taking a serious interest in the programming language to upgrade their arsenals. In June, CrowdStrike said a new ransomware variant borrowed features from HelloKitty/DeathRansom and FiveHands but used a Go packer to encrypt its main payload.” Along with Go, DLang is also becoming very prominent in cybercriminal circles.
“By using new or more unusual programming languages, the researchers say they may hamper reverse-engineering efforts and avoid signature-based detection tools, as well as improve cross-compatibility over target systems. The codebase itself may also add a layer of concealment without any further effort from the malware developer simply because of the language in which it is written,” ZDNet commented.
VP of BlackBerry’s Threat Research, Eric Milam, says, “Malware authors are known for their ability to adapt and modify their skills and behaviors to take advantage of newer technologies. This has multiple benefits from the development cycle and inherent lack of coverage from protective solutions. It is critical that industry and customers understand and keep tabs on these trends, as they are only going to increase.”
Ransomware an Ongoing Ever-Changing Threat
Ransomware has become such an enormous threat to individuals and businesses that governments are finally taking notice and enacting strict regulations against cybercriminals that include harsh punishments. Some administrations, like the U.S., are even considering penalizing the victim if they pay any ransom to the threat actors.
As these threats come and go, they continue to evolve, increasing the danger and making it much harder for threat researchers to identify, mitigate, and prevent attacks. So, where does that leave us now?
According to a Sophos Report for 2021, some key findings include:
- “37% of respondents’ organizations were hit by ransomware in the last year.
- 54% that were hit by ransomware in the last year said the cybercriminals succeeded in encrypting their data in the most significant attack.
- 96% of those whose data was encrypted got their data back in the most significant ransomware attack.
- The average ransom paid by mid-sized organizations was US$170,404.
- However, on average, only 65% of the encrypted data was restored after the ransom was paid.
- The average bill for rectifying a ransomware attack, considering downtime, people time, device cost, network cost, lost opportunity, ransom paid, etc., was US$1.85 million.
- Extortion-style attacks where data was not encrypted, but the victim was still held to ransom have more than doubled since last year, up from 3% to 7%.
- Having trained IT staff who are able to stop attacks is the most common reason some organizations are confident they will not be hit by ransomware in the future.”