Sprechen Sie Rust? Polyglot malware authors are increasingly using obscure programming languages to evade detection.
Malware authors are increasingly using rarely spotted programming languages such as Go, Rust, Nim and DLang in order to create new tools and to hinder analysis, researchers have found.
Use of those four languages is escalating in the number of malware families being identified, according to a report published on Monday by BlackBerry Research and Intelligence Team. The team chose those four languages to examine, partly because they fit its detection methodologies, but also since the languages have strong community backing and could be considered more developed.
“These uncommon programming languages are no longer as rarely used as once thought,” according to the writeup. “Threat actors have begun to adopt them to rewrite known malware families or create tools for new malware sets.”
Specifically, researchers are tracking more loaders and droppers being written in rarer languages. “These new first-stage pieces of malware are designed to decode, load, and deploy commodity malware such as the Remcos and NanoCore Remote Access Trojans (RATs), as well as Cobalt Strike,” according to the report. “They have been commonly used to help threat actors evade detection on the endpoint.”
In fact, the use of the legitimate Cobalt Strike security tool has exploded: Its usage in cyberattacks is up 161 percent year-over-year, having gone fully mainstream in the crimeware world.
The Dark Side of Innovation
Malware makers might have a reputation for being slow to let go of whatever’s working, but they’re happy to pick up new programming languages for the same reasons as their law-abiding counterparts: It helps to rub out pain points in the development cycle, for one. Also, from the malware author’s perspective, new languages keep their creations a step – or two, or three – ahead of protection tools. “Malware authors are known for their ability to adapt and modify their skills and behaviors to take advantage of newer technologies,” Eric Milam, vice president of threat research, wrote. “This has multiple benefits from the development cycle and inherent lack of coverage from protective solutions.”
Also, just like non-malware programmers, malware authors need to protect themselves from exploitation. Blackberry pointed to “EmoCrash” as an example of what they’re hardening their defenses to avoid: About a year ago, security researcher James Quinn revealed that he had developed a killswitch – dubbed EmoCrash – that exploited a buffer overflow within the installation routine of the main binary in the infamous Emotet infostealer, causing it to crash and preventing it from infecting systems for six months. In effect, he had concocted an Emotet vaccine.
Cases in Point: APT28’s & APT29’s Growing ‘Go’ Fluency
When it comes to these more obscure languages, malware developers have, historically, mostly written in Go: a general-purpose language that’s much like C++ in that it’s statically typed and compiled. In fact, its compiler was originally written in C, though it’s now also written in Go.
C-language malware is still the most widespread, the researchers said. But two Russia-based threat actors, APT28 and APT29, have begun to use the more exotic languages in malware sets more often than other groups. APT28 is also known as Fancy Bear or Strontium, among other names, while APT29 is also known as Nobelium, Cozy Bear or the Dukes, among others.
Go is now “one of the ‘Go-to’ languages for threat actors” who are cooking up variants, Blackberry researchers said, both at the level of advanced persistent threat (APT) and commodity level. “New Go-based samples are now appearing on a semi-regular basis, including malware of all types, and targeting all major operating systems across multiple campaigns,” they wrote.
APT28 and APT29 are good examples. APT28, infamous for its alleged meddling in the 2016 presidential election via infiltration of the Democratic National Committee, is linked to a wide range of attacks and malware families, but the Zebrocy malware family in particular “notably uses multiple uncommon programming languages within its kill chain,” according to the report.
Zebrocy (also referred to as Sednit, APT28, Fancy Bear and Strontium, and used by the threat group Sofacy) operates as a downloader and collects data about infected hosts.
As researchers explained, when Zebrocy samples were first seen in 2015, they had three parts: a Delphi downloader, an AutoIT downloader and a Delphi backdoor. Regardless of which language Zebrocy is written in, it spreads via phishing campaigns that contain an initial trojan that tries to communicate with a command-and-control (C2) server and which executes a downloader to drop a malicious payload via an established backdoor. It’s been rewritten multiple times, but “the method of delivery via email attachment and general functionality remains largely the same,” the report said.
A selection of Go rewrites used by APT28:
- 2018: A Go-based trojan linked to APT28 was identified as a Zebrocy variant with a rewritten version of the original Delphi downloader.
- 2019: Researchers discovered a Nim downloader alongside the Go backdoor in the same Zebrocy campaign targeting embassies and ministries of foreign affairs in Eastern Europe and Central Asia.
- 2020 & preceding years: APT28 grew increasingly fond of Go, using other rewritten, core Zebrocy components: the backdoor payload and downloader. Most recently, APT28 used the COVID-19 pandemic as a lure to deliver the Go downloader variant in December.
For its part, APT29/Cozy Bear, best known for its part in the SolarWinds supply-chain attacks of early 2020, was targeting Windows and Linux machines in 2018 with WellMess, a remote access trojan (RAT) written in Go and .NET.
The researchers noted that the most prevalent variant of WellMess is the Go version, which comes in both 32-bit and 64-bit variants as PE and ELF files, “giving APT29 the ability to deploy it to more than one type of architecture and OS.”
APT29 typically penetrates a victim’s network by first scanning an organization’s external IP addresses for vulnerabilities and then throwing public exploits against vulnerable systems.
The group’s growing use of Go variants includes using more sophisticated WellMess variants in 2020 attempts to steal COVID-19 vaccine research from academic and pharmaceutical research institutions in various countries around the world, including the U.S., the U.K. and Canada. The researchers noted that the newer variant, while written in Go, has been made more complicated: APT29 has, for example, added more network communication protocols and the ability to run PowerShell scripts post-infection.
“Both threat actors are still active and have conducted some of the most impactful Russian cyberattacks to date,” Blackberry researchers asserted. “Recent activity suggests that these groups have been using the uncommon programming languages mentioned in this paper to add complexity to their malware, target multiple platforms, and evade detection.”
Beyond Go and its growing attraction for APT28 and APT29, other rare languages have, over the past decade, increasingly been used in more malware families by additional threat actors. Below is a timeline of how the four languages have increasingly cropped up, particularly Rust, Nim and D. Blackberry analysts noted that it is not an exhaustive list of the malware families that have been developed in these languages.
Timeline of prominent examples of malware written in the languages of Go, Rust, Nim, and DLang. Source: Blackberry.
DLang appears to be the least favored of the four languages in the evolving threat landscape, but it has seen some modest growth over the last year. This could mark a trend toward more pervasive DLang adoption by malware developers, the report predicted.
There’s nothing modest, however, about the big uptick in Cobalt Strike initial stagers being compiled in Go and, more recently, in Nim, according to the writeup. An initial stager is the binary used to facilitate first-stage initial access by reaching out to download the Cobalt Strike beacon from a TeamServer. “This server is responsible for serving the beacons themselves,” according to the report. “It is important that defenders stay ahead of the curve in catching Cobalt Strike-related files written in these languages, to enhance defensive capability against such a formidable threat.”
Noise From the Tower of Babel Helps Attackers
Blackberry’s team delineated a number of reasons why using less common languages helps attackers do their dirty deeds:
- Making up for deficits in existing languages. Malicious programmers could be after a number of things they’re lacking in other languages, be it simpler syntax, performance boosts or more efficient memory management. Then again, a new language might be the perfect tool for a given, targeted environment: For example, the report pointed out, internet of things (IoT) devices use lower-level languages such as C or assembly. Another plus is some languages’ user-friendly nature, which can ease development and improve developers’ quality of life: Examples include the pip package manager for Python or npm for Node.JS.
- Gumming up reverse engineering. Not all malware analysis tools support exotic programming languages, making analysis a slog. “Binaries written in … Go, Rust, Nim, and DLang … can appear more complex, convoluted, and tedious when disassembled, compared to their traditional C/C++/C# based counterparts,” Blackberry researchers explained.
- Screwing with signature-based detection. In order to spot a signature, that signature has to stay the same. One example of a static characteristic is a hash, which requires every byte to be identical, whether it’s a hash of the whole file, a hash of a certificate, etc. New-language variants that change these previously static characteristics will likely fail to be spotted. One example is BazarLoader, which was rewritten in Nim.
“Signatures for existing malware families that are based off static properties have little success in tagging the same malware once rewritten in these more obscure languages. In situations such as Buer and RustyBuer (as well as BazarLoader and NimzaLoader), new rules usually must be created to tag these tangentially related variants,” the researchers wrote.
- Slathering on obfuscation. When it comes to exotic languages, the language itself can almost act as obfuscation, given the fact that it’s relatively new. “The languages themselves can have a similar effect to traditional obfuscation and can be used to attempt to bypass conventional security measures and hinder analysis efforts,” researchers said.
- Cross-compilation more efficiently targets Windows & Macs. A malware developer can author one malware variant and cross-compile it to target the multiple architectures and operating systems used in most businesses. Malware authors need fewer tools to target networks and can thereby cast a wider net with less work.
- Teaching an old dog new tricks. Malware developers are pepping up old malware written in traditional languages like C++ and C# with droppers and loaders written in exotic languages, according to the writeup. Again, this saves a lot of work, since the authors can skip the laborious process of recoding malware and can instead simply wrap it up in the rewritten delivery method of a new dropper or a loader.
Alternatively, threat actors with deep resources are completely rewriting existing malware in new languages, rather than just the wrappers and loaders. Examples: BazarLoader became NimzaLoader, while Buer became RustyBuer.
Blackberry suggested that, in order to catch these multi-language malware families, software engineers and threat researchers will stand a better chance if they employ dynamic or behavioral signatures: signatures that tag behavior observed in sandbox output, endpoint detection and response (EDR) telemetry or log data. “These techniques can be far more reliable in these instances,” according to the report.
Employing implementation-agnostic detection rules in order to tag dynamic behaviors can help if static signatures fail, researchers said, given that malware often behaves in the same way, especially when the malware is recoded. “In other circumstances such as shellcode loaders, which often inject into processes using a limited subset of Windows API calls, they can be identified using that limited subset,” the report elucidated.
As well, the use of libraries within a binary can often be “signaturized,” researchers said. “The languages investigated in this report have bindings which allow them to interface with the Win32 API and use these API calls. In essence, they can use an almost-identical methodology to that of more traditional languages such as C++. This is not always the case, as particular languages can use their own APIs in place of Win32 APIs. For example, they could use cryptographic libraries that would restrict the visibility of certain events. However, the use of these libraries within a binary can often be ‘signaturized’ too.”
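The contrast the report draws, between a static hash that stops matching as soon as a loader is rewritten and an implementation-agnostic rule that keys on the limited subset of Windows API calls a shellcode loader must make, is easy to show in code. The following script is an added example, not code from BlackBerry or from any malware family named above. Its sandbox log format, its sample names (dropper_v1.exe, dropper_v2_nim.exe, updater.exe), its API-call lines and the two byte strings standing in for binaries are all constructed for illustration; the only real identifiers are the Windows API names in the rule.

```python
"""Implementation-agnostic behavioural detection over sandbox API-call logs.

Added example (not BlackBerry's or Threatpost's code). The log format, sample
names, every API-call line and the stand-in binaries are constructed.
"""
import hashlib
import re
from collections import defaultdict

# Constructed sandbox output: one API call per line, "sample | language | api(args)".
# The same process-injection behaviour appears in a C++ build and a Nim rewrite;
# the Go sample only reads another process and never writes or creates a thread.
SANDBOX_LOG = """\
dropper_v1.exe | C++ | CreateFileW(C:\\Users\\x\\AppData\\Local\\Temp\\p.bin)
dropper_v1.exe | C++ | OpenProcess(pid=4412)
dropper_v1.exe | C++ | VirtualAllocEx(handle=0x1c4, size=0x2000, protect=PAGE_EXECUTE_READWRITE)
dropper_v1.exe | C++ | WriteProcessMemory(handle=0x1c4, size=0x1f80)
dropper_v1.exe | C++ | CreateRemoteThread(handle=0x1c4)
dropper_v2_nim.exe | Nim | OpenProcess(pid=5120)
dropper_v2_nim.exe | Nim | VirtualAllocEx(handle=0x2a0, size=0x2000, protect=PAGE_EXECUTE_READWRITE)
dropper_v2_nim.exe | Nim | WriteProcessMemory(handle=0x2a0, size=0x1f80)
dropper_v2_nim.exe | Nim | NtCreateThreadEx(handle=0x2a0)
updater.exe | Go | CreateFileW(C:\\ProgramData\\updater\\manifest.json)
updater.exe | Go | ReadProcessMemory(handle=0x3b0, size=0x100)
"""

# Ordered behaviour: each step is a set of interchangeable API names.
# The rule describes what a remote-injection loader has to do, not how
# (or in which language) it was written.
REMOTE_INJECTION = [
    {"OpenProcess"},
    {"VirtualAllocEx", "NtAllocateVirtualMemory"},
    {"WriteProcessMemory", "NtWriteVirtualMemory"},
    {"CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread"},
]

LINE_RE = re.compile(r"^(?P<sample>\S+)\s*\|\s*(?P<lang>\S+)\s*\|\s*(?P<api>\w+)\(")


def parse_log(text):
    """Group API names per sample, preserving call order; remember each sample's language."""
    calls = defaultdict(list)
    langs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        calls[m["sample"]].append(m["api"])
        langs[m["sample"]] = m["lang"]
    return calls, langs


def matches_sequence(apis, pattern):
    """True if every step of the pattern appears in order (other calls may be interleaved)."""
    step = 0
    for api in apis:
        if step < len(pattern) and api in pattern[step]:
            step += 1
    return step == len(pattern)


def behavioural_hits(text, pattern=REMOTE_INJECTION):
    """Return {sample: language} for every sample in the log exhibiting the pattern."""
    calls, langs = parse_log(text)
    return {s: langs[s] for s, apis in calls.items() if matches_sequence(apis, pattern)}


# Static-signature contrast: a hash of the known build versus a rewrite of the same loader.
KNOWN_BUILD = b"MZ\x90\x00" + b"loader:cpp:v1"  # constructed stand-in for the original binary
REWRITE = b"MZ\x90\x00" + b"loader:nim:v2"      # constructed stand-in for the rewrite
KNOWN_HASHES = {hashlib.sha256(KNOWN_BUILD).hexdigest()}


def hash_hit(blob, known=KNOWN_HASHES):
    """Whole-file hash rule: matches only a byte-identical copy of a known sample."""
    return hashlib.sha256(blob).hexdigest() in known


if __name__ == "__main__":
    print("hash rule, original build:", hash_hit(KNOWN_BUILD))  # True
    print("hash rule, rewrite:       ", hash_hit(REWRITE))      # False
    print("behaviour rule:", behavioural_hits(SANDBOX_LOG))     # both droppers, not updater.exe
```

The hash rule fires only on the original build, while the ordered-call rule fires on both the C++ build and the Nim rewrite and stays quiet on the Go sample that merely reads process memory. Matching on an ordered subsequence rather than an exact call list is what keeps the rule robust when a rewrite interleaves extra calls or swaps one API for its native-layer equivalent, which is the "implementation-agnostic" property the report recommends.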
It’s going to take a while for malware sample analysis tools to catch up to these new languages, but it’s “imperative” for the security community to “stay proactive in defending against the malicious use of emerging technologies and techniques,” Blackberry warned.
“It is critical that industry and customers understand and keep tabs on these trends, as they are only going to increase,” Blackberry’s Milam advised.