Verstanden Sie Rust? Polyglot malware authors are increasingly using highly obscure programming languages to avoid detection.
Malware authors are increasingly using rarely spotted programming languages such as Go, Rust, Nim & DLang in order to create new tools & to hinder analysis, researchers have found.
Use of those 4 languages is increasing in the number of malware families being identified, according to a report published on Mon. by BlackBerry Research & Intelligence Team. The team chose those 4 languages to examine, partly because they fit its detection methodologies, but also since the languages have strong community backing & could be considered more developed.
“These uncommon programming languages are no longer as rarely used as once thought,” according to the writeup. “Threat actors have begun to adopt them to rewrite known malware families or create tools for new malware sets.”
Specifically, researchers are tracking more loaders & droppers being written in rarer languages. “These new 1st-stage pieces of malware are designed to decode, load, & deploy commodity malware such as the Remcos & Nano Core Remote Access Trojans (RATs), as well as Cobalt Strike,” according to the report. “They have been commonly used to help threat actors evade detection on the endpoint.”
The use of the legitimate Cobalt Strike security tool has exploded: Its usage in cyber-attacks is up 161% year-on-year, having gone fully mainstream in the crimeware world.
Dark Side of Innovation
Malware makers might have a reputation for being slow to let go of whatever’s working, but they’re happy to pick up new programming languages for the same reasons as their law-abiding counterparts: It helps to rub out pain points in the development cycle, for one.
Also, from the malware author’s perspective, new languages keep their creations a step – or 2, or 3 – ahead of protection tools. “Malware authors are known for their ability to adapt & modify their skills & behaviours to take advantage of newer technologies,” Eric Milam, VP of Threat Research, wrote. “This has multiple benefits from the development cycle & inherent lack of coverage from protective solutions.”
In addition, just like non-malware programmers, malware authors need to protect themselves from exploitation. Blackberry pointed to “Emo Crash” as an example of what they’re hardening their defences to avoid: About 1 year ago, security researcher James Quinn revealed that he had developed a kill switch – dubbed Emo Crash – that exploited a buffer overflow within the installation routine of the main binary in the infamous Emotet infostealer, causing it to crash & preventing it from infecting systems for 6 months. In effect, he had concocted an Emotet vaccine.
APT28’s & APT29’s Growing ‘Go’ Fluency
When it comes to these more obscure languages, malware developers have, historically, mostly written in Go: a general-purpose language that’s much like C++ in that it’s statically typed & compiled. In fact, its compiler was originally written in C, though it’s now also written in Go.
C-language malware is still the most widespread, the researchers explained. But 2 Russia-based threat players, APT28 & APT29, have begun to use the more exotic languages in malware sets more often than other groups. APT28 is aka Fancy Bear or Strontium, etc., while APT29 is aka Nobelium, Cozy Bear, or the Dukes, etc.
Go is now “one of the ‘Go-to’ languages for threat actors” who are cooking up variants, Blackberry researchers revealed, both at the level of advanced persistent threat (APT) & commodity level. “New Go-based samples are now appearing on a semi-regular basis, including malware of all types, & targeting all major operating systems across multiple campaigns,” they wrote.
APT28 & APT29 are good examples. APT28, infamous for its alleged meddling in the 2016 presidential election via infiltration of the Democratic National Committee, is linked to a wide range of attacks & malware families, but the Zebrocy malware family in particular “notably uses multiple uncommon programming languages within its kill chain,” according to the report.
Zebrocy, aka Sednit, APT28, Fancy Bear & Strontium & used by the threat group Sofacy, operates as a downloader & collects data about infected hosts.
As researchers explained, when Zebrocy samples were 1st seen in 2015, they had 3 parts: a Delphi downloader, an Auto IT downloader & a Delphi backdoor. Regardless of which language Zebrocy is written in, it spreads via phishing campaigns that contain an initial trojan that tries to communicate with a command-&-control (C2) server & which executes a downloader to drop a malicious payload via an established backdoor. It’s been rewritten multiple times, but “the method of delivery via email attachment & general functionality remains largely the same,” the report stated.
Some Go rewrites used by APT28
- 2018: A Go-based trojan linked to APT28 was identified as a Zebrocy variant with a rewritten version of the original Delphi downloader.
- 2019: Researchers discovered a Nim downloader alongside the Go backdoor in the same Zebrocy campaign targeting embassies & ministries of foreign affairs in Eastern Europe and Central Asia.
- 2020 & preceding years: APT28 grew increasingly fond of Go, using other rewritten, core Zebrocy components: the backdoor payload and downloader. Most recently, APT28 used the COVID-19 pandemic as a lure to deliver the Go downloader variant in Dec.
Also, APT29/Cozy Bear, best known for its part in the Solar Winds supply-chain attacks of early 2020, was targeting Windows & Linux machines in 2018 with Well Mess, a remote access trojan (RAT) written in Go & .NET.
The researchers noted that the most prevalent variant of Well Mess is the Go version, which comes in both 32-bit & 64-bit variants as PE & ELF files, “giving APT29 the ability to deploy it to more than 1 type of architecture & OS.”
APT29 typically penetrates a victim’s network by 1st scanning an organization’s external IP addresses for vulnerabilities & then throwing public exploits against vulnerable systems.
The group’s growing use of Go variants includes using more sophisticated Well Mess variants in 2020 attempts to steal COVID-19 vaccine research from academic & pharmaceutical research institutions in various countries around the world, including the US, the UK & Canada.
The researchers noted that the newer variant, while written in Go, has been made more complicated: APT29 has, for example, added more network communication protocols & the ability to run PowerShell scripts post-infection.
“Both threat actors are still active and have conducted some of the most impactful Russian cyberattacks to date,” Blackberry researchers asserted.
“Recent activity suggests that these groups have been using the uncommon programming languages mentioned in this paper to add complexity to their malware, target multiple platforms, & evade detection.”
Beyond Go & its growing attraction to APT28 and APT29, other rare languages over the past decade have increasingly been used in ever more malware families by additional threat players.
Below is a timeline of how the 4 languages have increasingly cropped up, particularly the languages Rust, Nim, & D. Blackberry analysts noted that it’s not an exhaustive list of the malware families that have been developed in these languages.
DLang malware appears to be the least favourite language in the evolving threat landscape, but it has seen some modest growth over the last year. This could mark a trend for more pervasive DLang adoption by malware developers, the report predicted.
There’s nothing modest about the big increase in use of initial stagers for Cobalt Strike being compiled using Go, & more recently in Nim, according to the writeup, initial stagers being the binary used to facilitate 1st-stage, initial access by reaching out to download the Cobalt Strike beacon from a Team Server.
“This server is responsible for serving the beacons themselves,” according to the report. “It is important that defenders stay ahead of the curve in catching Cobalt Strike-related files written in these languages, to enhance defensive capability against such a formidable threat.”
Noise From the Tower of Babel
Blackberry’s team delineated a number of reasons why using less common languages helps attackers do their dangerous deeds:
- Making up for deficits in existing languages. Malicious programmers could be after a number of things they’re lacking in other languages, be it simpler syntax, performance boosts or more efficient memory management. Then again, a new language might be the perfect tool for a given, targeted environment: For example, the report pointed out, internet of things (IoT) devices use lower-level languages such as C or assembly. Another plus is some languages’ user-friendly nature, which can ease development & improve developers’ quality of life: Examples include the pip package manager for Python or npm for Node.JS.
- Gumming up reverse engineering. Not all malware analysis tools support exotic programming languages, making analysis a slog. “Binaries written in … Go, Rust, Nim, & DLang … can appear more complex, convoluted, & tedious when disassembled, compared to their traditional C/C++/C# based counterparts,” Blackberry researchers explained.
- Screwing with signature-based detection. In order to spot a signature, that signature has to stay the same. 1 example of static characteristic is hashes, which require each byte to be identical, whether it’s a hash of the whole file, or a hash of a certificate, etc. New-language variants that tweak these previously static characteristics will likely fail to be spotted. One example is Bazar Loader, which was rewritten in Nim.
“Signatures for existing malware families that are based off static properties have little success in tagging the same malware once rewritten in these more obscure languages. In situations such as Buer & RustyBuer (as well as Bazar Loader & Nimza Loader), new rules usually must be created to tag these tangentially related variants,” the researchers wrote.
- Slathering on obfuscation. When it comes to exotic languages, the language itself can almost act as ‘obfuscation’, given the fact that it’s relatively new. “The languages themselves can have a similar effect to traditional obfuscation and can be used to attempt to bypass conventional security measures & hinder analysis efforts,” researchers stated.
- Cross-compilation more efficiently targets Windows & Macs. A malware developer can author 1 piece of malware variant & cross-compile it to target the multiple architectures & operating systems used in most businesses. Malware authors need fewer tools to target networks & can thereby cast a wider net with less work.
- Teaching an old dog new tricks. Malware developers are pepping up old malware written in traditional languages like C++ & C# with droppers & loaders written in exotic languages, according to the writeup. Again, this saves a lot of work, since the authors can skip the laborious process of recoding malware & can instead simply wrap it up in the rewritten delivery method of a new dropper or a loader.
Alternatively, threat players with deep resources are completely rewriting existing malware in new languages, as opposed to just wrappers & loaders. Examples: BazaLoader switched to Nimza Loader, while Buer switched to RustyBuer.
Blackberry suggested that in order to catch these multi-language malware families, software engineers & threat researchers will stand a better chance if they employ dynamic or behavioural signatures, signatures that tag behaviour via sandbox output, or endpoint detection & response (EDR), or log data.
“These techniques can be far more reliable in these instances,” according to the report.
Employing implementation-agnostic detection rules in order to tag dynamic behaviours can help if static signatures fail, researchers explained, given that malware often behaves in the same way, especially when the malware is recoded.
“In other circumstances such as shellcode loaders, which often inject into processes using a limited subset of Windows API calls, they can be identified using that limited subset,” the report elucidated.
As well, the use of libraries within a binary can often be “signaturised,” researchers outlined. “The languages investigated in this report have bindings which allow them to interface with the Win32 API & use these API calls. In essence, they can use an almost-identical methodology to that of more traditional languages such as C++.
This is not always the case, as particular languages can use their own APIs in place of Win32 APIs. For example, they could use cryptographic libraries that would restrict the visibility of certain events. However, the use of these libraries within a binary can often be ‘signaturised’ too.”
It’s going to take a while for malware sample analysis tools to catch up to these new languages, but it’s “imperative” for the security community to “stay proactive in defending against the malicious use of emerging technologies & techniques,” Blackberry warned.
“It is critical that industry & customers understand & keep tabs on these trends, as they are only going to increase,” Blackberry’s Milam advised.