By writing new malware, or rewriting existing malware, in obscure programming languages, attackers defeat signature-based detection techniques and foil traditional EDR schemes.
Malware creators have a reputation for being slow to change what works for them. However, to keep ahead of improving cybersecurity defense solutions, some malware groups have taken the opportunity to branch out and try new or ‘exotic’ programming languages.
Using less common programming languages such as Go, DLang, Nim and Rust can help attackers address pain points in their development process or evade detection by the cyber-defense community.
BlackBerry’s Research & Development Team has identified this trend and seen an escalation in the number of malware families created with these languages. These languages have also piqued the researchers’ interest because a strong community backing does exist in the Dark Web.
CybersecAsia finds out from Jonathan Jackson, Director of Engineering at BlackBerry, both the reasons for their adoption and what areas we expect to see a further uptick as this trend evolves. Most importantly, we discuss ways that corporations can address this growing set of threats.
How does using ‘exotic’ or old programming languages help hackers to carry out sophisticated malware attacks?
Jackson: Reiterating a point known by many, hackers are relentless in their pursuit of the vulnerable.
Given the heightened acceleration of digital transformation, data is invaluable today. As corporates now host greater volumes of data, alongside a willingness to spend top dollar for data-driven solutions, millions of megabytes of corporate data are generated each day, creating vulnerabilities for hackers to exploit. This data is touted as ‘the new gold’, and it is important to recognize the new ways that threat actors are modifying their modus operandi and attack sophistication to exfiltrate that new gold.
One such trend BlackBerry has observed in 2021 is the practice of using uncommon or ‘exotic’ coding languages. In the developer world, a growing number of new and exotic programming languages are emerging. By taking advantage of these newer languages, threat actors are pivoting their malware creation techniques to bypass current security toolsets.
For threat actors, using these newer programming languages helps them circumvent established security architectures. Leveraging the fact that detection methodologies do not yet exist for most of these coding languages, it means that traditional signature-based security technologies cannot possibly keep up. This signals greater success for the threat actors and therefore incentivizes them to continue utilizing these methods.
While malicious binaries written in these new programming languages currently comprise a small percentage of the languages used for malicious intent, it is imperative that the security community stays proactive in defending against the malicious use of emerging technologies and techniques.
Does typical threat hunting and malware code analysis easily and routinely detect this new trend?
Jackson: Most commercial anti-malware and threat hunting solutions in the market today are not programmed to detect threats created in the new coding languages. This is precisely what makes malware written in these languages such a danger. These threats can more easily evade detection and achieve the end goal of the threat actor—whether that is data exfiltration or ransom payment, or both.
In our recent white paper, Old dogs, new tricks: Attackers adopt exotic programming languages, we explored the trend of exploiting new and uncommon programming languages for malicious intent, focused on four of the most popular exotic coding languages—Go, Rust, Nim, and DLang—and drew some interesting observations.
The relative novelty, obscurity, and lack of clarity that comes with these languages can be leveraged to bypass conventional security measures and hinder analysis efforts. Malware analysis tools do not always adequately support uncommon programming languages and it is this dissonance that can make efforts to comb through a myriad of unlabeled and convoluted subroutines extremely tedious.
Additionally, analysts could be unfamiliar with the flow of execution in these new languages. When disassembled, the code has the tendency to appear more complex and laborious, compared to traditional malware code.
Also, adopting these languages offers advantages in the software development lifecycle, because threat actors can easily take an existing piece of malware that is known to the security community, and reinvent it.
Looking at the example of BazarLoader being rewritten in Nim, the signatures written to detect the previous iteration would likely be unable to detect the new version. This indicates that new signatures will have to be created to detect any new variant written in a different coding language—giving attackers a distinct advantage. The alternative to manually creating malware signatures in an attempt to keep up with threat actors, is to use the predictive advantage of an anti-malware solution powered by AI.
Due to the lack of visibility of this trend, statistics may not accurately represent the level of risk when dealing with malware in these languages. If detection methodologies do not exist for these threats, then most organizations will not be able to detect this new trend easily and routinely. It is therefore crucial that we cover all high-risk blind spots.
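One way to see the point made in this answer in working code, added here as an example and not taken from the interview or from the BlackBerry white paper: a byte signature written for one build of a loader finds nothing in a Nim or Go rewrite of the same tool, while the strings a compiler's runtime leaves in the binary still say which toolchain produced it. The marker strings, the sample byte blobs and the `C_SIGNATURE` bytes are constructed assumptions for this illustration, not vetted detection rules.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Strings that each toolchain's runtime commonly leaves in a compiled
# binary. Illustrative assumptions for this example, not a vetted rule set:
# tune them against real samples before relying on them.
RUNTIME_MARKERS: Dict[str, Tuple[bytes, ...]] = {
    "go":   (b"Go build ID:", b"Go buildinf:", b"runtime.gopanic", b"runtime.morestack"),
    "rust": (b"/rustc/", b"library/core/src", b"rust_begin_unwind", b"rust_panic"),
    "nim":  (b"nimZeroMem", b"nimCopyMem", b"NimMain", b"nimFrame"),
    "d":    (b"_d_arraybounds", b"_d_assert", b"_Dmain", b"core.exception"),
}
# Go embeds its toolchain version (runtime.buildVersion) as a plain string.
GO_VERSION_RE = re.compile(rb"go1\.\d+(?:\.\d+)?")


@dataclass
class Verdict:
    language: Optional[str]          # best-supported family, or None
    markers: List[str] = field(default_factory=list)
    go_version: Optional[str] = None


def fingerprint_runtime(blob: bytes, min_markers: int = 2) -> Verdict:
    """Attribute a binary to a toolchain by counting runtime artefacts.

    A single stray string (e.g. an error message copied from another project)
    is not enough: fewer than ``min_markers`` hits yields language=None.
    """
    best_lang: Optional[str] = None
    best_hits: List[str] = []
    for lang, markers in RUNTIME_MARKERS.items():
        hits = [m.decode() for m in markers if m in blob]
        if len(hits) > len(best_hits):
            best_lang, best_hits = lang, hits
    if len(best_hits) < min_markers:
        return Verdict(None, best_hits)
    version = None
    if best_lang == "go":
        m = GO_VERSION_RE.search(blob)
        version = m.group(0).decode() if m else None
    return Verdict(best_lang, best_hits, version)


def signature_matches(blob: bytes, signature: bytes) -> bool:
    """Classic byte-pattern detection: it only finds what it was written for."""
    return signature in blob


# Constructed stand-ins for binaries (not real malware). The "C build" of a
# loader carries a hypothetical prologue the original signature keys on; the
# Nim and Go rebuilds keep the loader's config string but not its machine code.
C_SIGNATURE = b"\x55\x8b\xec\x83\xec\x40"
C_VARIANT = (b"MZ\x90\x00" + C_SIGNATURE +
             b"LoaderCfg\x00core.exception\x00")          # one stray D marker only
NIM_VARIANT = (b"MZ\x90\x00\x48\x83\xec\x28"
               b"nimZeroMem\x00nimCopyMem\x00NimMain\x00LoaderCfg\x00")
GO_VARIANT = (b"\x7fELF\x02\x01\x01"
              b"Go build ID: \"Xy12\"\x00runtime.gopanic\x00go1.20.3\x00LoaderCfg\x00")


def triage(blob: bytes) -> Dict[str, object]:
    """What an analyst sees: the old signature result plus the language fingerprint."""
    v = fingerprint_runtime(blob)
    return {
        "known_c_variant": signature_matches(blob, C_SIGNATURE),
        "runtime": v.language,
        "go_version": v.go_version,
        "markers": v.markers,
    }


if __name__ == "__main__":
    for name, sample in (("C build", C_VARIANT), ("Nim rewrite", NIM_VARIANT),
                         ("Go rewrite", GO_VARIANT)):
        print(f"{name:12s} {triage(sample)}")
```

The old signature fires only on the C build; the two rewrites slip past it, yet both are attributed to their toolchain from runtime strings, and the Go build even yields its compiler version for pivoting across samples. The `min_markers` threshold is the important caveat: one matching string is weak evidence, and stripped or packed binaries may carry none, so this is a triage hint to layer under behavioural and AI-based detection, not a replacement for it.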
With continually evolving obfuscation methods, what are the defense skills needed to preempt and block new threats?
Jackson: The languages themselves act as a layer of obfuscation, with each of them being relatively new and having little in the way of fully supported analysis tooling. The Old Dogs, New Tricks report is just the tip of the iceberg in fully understanding the extent of the new methods being employed by threat actors, and therefore the defensive skills needed to prevent these new types of threats.
A shift in mindset is needed, in viewing cyber resilience as a framework that needs to be discussed at an enterprise level – from the cybersecurity team, all the way up to C-suite executives at board level. In this evolving environment, organisations must also consider if they have the right skills and solutions to comprehend, anticipate and block threats created using new technologies. Given the shortage of skilled workers to establish this cyber resilience, organisations should look to engage with vendors and partners to circumvent this challenge.
We always emphasize these five tips:
- Patch everything: Update all operating systems against vulnerabilities to ensure that everything is up to date. Have a framework in place to keep devices and systems up to date safely.
- Backup your data: There must be a decent backup of your organization’s data, that exists off the local network. Reliance on external networks (e.g., Windows Shadow Copies) can be risky as they are often deleted during the exfiltration of a cyberattack.
- Invest in third party experts: Utilize the length and breadth of services from vendors that offer next generation AI-based detection and response capabilities, alongside all-encompassing cyber warfare tools that cover endpoints, servers, Point of Sale (POS) machines, IoT devices, mobile devices, and even people, to ensure safety is managed effectively.
- Security training needs to happen: It is important to know how ransomware and malware can get into your organization, but teams also need to be able to threat hunt against attacks such as Cobalt Strike and TrickBot.
- Educate your workforce: Address knowledge-gaps within the organization through education (Security training, Red Teaming activities, phishing campaigns, and cyber gamification training and so on).
How should APAC organizations protect themselves from such exotic new tricks?
Jackson: The region represents an ideal environment for cybercriminals to excel due to factors such as high digital connectivity, low cybersecurity awareness, weak regulations in some jurisdictions and growing cross-border data transfers.
The security industry in the region would be wise to stay on top of this emerging situation: there is a chance to be proactive on this before it becomes a bigger issue.
For example, it took at least seven years to get a handle on PowerShell, and we do not want a repeat of that failure. Security researchers and analysts should continue improving detection methodologies and updating security tools to stay ahead of these cyber attackers. The use of these new languages is going to be a challenge while security products play catch up: organizations must consider whether they have the skills internally to understand the threats they are facing with this new development.
At BlackBerry, we model best practices by adopting AI-powered solutions that reduce the burden on security teams. These solutions act as a vital layer of protection against such ‘exotic’ new tricks, with endpoint protection platforms (EPP) providing intelligent controls against sophisticated cyber threats. This consists of having the right malware analysis tooling to support ‘exotic’ programming languages and the constantly evolving threat environment.