Malware Resorts to Unusual Programming Languages to Evade Detection

Researchers with Blackberry Research and Intelligence have published a new report highlighting an interesting trend in malware. The report shows that a growing number of malware authors are turning to unusual and exotic programming languages in their ongoing effort to produce malware that slips past detection.

The report focuses on four programming languages, chosen because, although they sit outside the mainstream, they are relatively mature and have strong community backing and resources available for them.

Threat actors have started rewriting popular malware tools from the ground up in a new language, keeping the functionality very similar. Because the resulting malware has a different codebase and language, researchers identify and catalogue it as a new malware family even when it is functionally similar to existing strains.

The report also highlights a trend among threat actors to focus on developing loaders and file droppers in uncommon programming languages.

Among the languages examined in the report, Go stands out. It is structurally and functionally similar to C++, to the point where Go's compiler was originally written in C++ before being rewritten in Go.

Two significant threat actors have focused much of their development effort on Go: APT28 and APT29, both groups believed to operate out of Russia.

Other notable languages gaining popularity among malware authors include Rust, Nim, and D (also known as Dlang).

In addition to confusing some detection mechanisms, malware written and compiled in an exotic language can significantly slow researchers' efforts to decompile and reverse engineer it, simply because most analysis tooling targets the more common languages.

Blackberry Research highlighted the need for malware researchers to keep up with these evolving trends if they want to remain effective.

July 26, 2021