According to recent findings from the BlackBerry Research and Intelligence Team, exotic programming languages are gaining popularity among both APTs (advanced persistent threats) and cybercriminals alike. 

By writing or rewriting their malware in uncommon programming languages, malware developers can easily bypass static signature-based detections, creating a significant hole in our cyber defenses. One way to close this gap is behavior-based detection, which can more effectively flag anomalous activity if and when traditional signatures fail.

Signature-based detection typically monitors inbound network traffic to find predefined patterns and sequences that match known indicators of compromise (IOCs). Behavior-based detection, on the other hand, goes beyond just identifying patterns linked to specific types of attacks or malware. 

Behavioral analytics examine the patterns and activities of users and applications in a network to create a behavioral baseline that learns and adapts to the dynamic nature of an organization’s raw network traffic. Using network traffic analysis, behavior-based solutions identify anomalies in a network that deviate from standard activity, allowing defenders to catch previously unseen threats.

One way threat actors are getting creative is by “wrapping” commodity malware in loaders and droppers coded in unconventional languages in order to obfuscate the first stage of the infection process. Other developers are taking it a step further and completely rewriting existing malware code to create new and improved variants.

And some threat actors are doing both. APT28 – a group known to be associated with Russia’s General Staff Main Intelligence Directorate (GRU) – leverages a multi-language kill chain and has repeatedly employed unusual languages in its development process. For example, APT28’s Zebrocy backdoor was originally written in Delphi in 2015, but was rewritten from Delphi to Go in 2018. A year later in 2019, the Zebrocy downloader first popped up in Nim, but was later seen rewritten from Nim to Go in October 2020. 

APT28 still leverages the same initial intrusion vector and many of the same tactics, suggesting it is likely easier for malicious actors to port their original malware code to other languages rather than changing their tactics, techniques, and procedures (TTPs) to dodge defenders. Because TTPs are really just adversarial “behaviors,” they are more difficult for an attacker to change and are thus the best type of indicators for defenders to focus on.

Until recently, it has been rare to see malware written in these languages. As such, reverse engineers are not as familiar with their implementation, and malware analysis tools and sandboxes may have a difficult time analyzing such samples. Additionally, compared with traditional C-based languages, binaries produced by uncommon languages are harder to identify and decipher because they are more complex and convoluted.

Here’s where it becomes a problem. Anti-virus (AV) products and endpoint detection and response (EDR) solutions follow pre-existing lists of common detections in order to scan and sandbox C-language executables. However, when these security tools encounter a binary from an unrecognized language, they allow it to pass, and the malicious activity goes unflagged because the tools lack heuristics for the known malicious actions it performs.

Rewriting malware breaks the static signatures for well-known malware families, and the lack of an identifiable signature makes this tactic attractive to threat actors who want to add additional layers of obfuscation to their attacks. And since signature-based detection depends on specific static characteristics within a file, it is virtually useless when encountering unknown malware strains.
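To make the contrast concrete, here is an added example in Python (not from the article or from BlackBerry): a hash-based signature check beside a behavioral rule for the download-and-execute sequence described above, both run over constructed endpoint telemetry for two builds of the same downloader. All hashes, paths and addresses are made up; the "known bad" list is assumed to contain only the older build.

```python
import hashlib
from collections import defaultdict

# Constructed samples: two builds with identical behaviour but different bytes,
# standing in for an original and a rewritten variant. Hashes are made up.
SAMPLES = {
    "variant_original.exe": b"constructed-original-build",
    "variant_rewritten.exe": b"constructed-rewritten-build",
}
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed-original-build").hexdigest()}

# Constructed telemetry: (timestamp_s, pid, event_type, detail).
EVENTS = [
    (0.0, 100, "net_connect", "203.0.113.10:443"),             # original build
    (1.2, 100, "file_write", "C:\\Users\\u\\AppData\\Local\\Temp\\stage2.exe"),
    (1.9, 100, "proc_create", "C:\\Users\\u\\AppData\\Local\\Temp\\stage2.exe"),
    (5.0, 200, "net_connect", "198.51.100.7:8080"),            # rewritten build
    (6.4, 200, "file_write", "C:\\Users\\u\\AppData\\Roaming\\upd.exe"),
    (7.0, 200, "proc_create", "C:\\Users\\u\\AppData\\Roaming\\upd.exe"),
    (9.0, 300, "file_write", "C:\\Program Files\\App\\app.exe"),  # benign installer
    (9.5, 300, "proc_create", "C:\\Program Files\\App\\app.exe"),
]

def signature_hits(samples, known_bad):
    """Static detection: flag only files whose hash is on the known-bad list."""
    return {name for name, data in samples.items()
            if hashlib.sha256(data).hexdigest() in known_bad}

def behavior_hits(events, window_s=30.0):
    """Behavioural rule for a download-and-execute TTP: a process connects out,
    drops an .exe into a user-writable directory, then launches that same file,
    all within window_s seconds. Independent of language, hash or file name."""
    user_dirs = ("\\appdata\\", "\\temp\\", "\\downloads\\")
    state = defaultdict(lambda: {"net": None, "drops": {}})
    flagged = set()
    for ts, pid, kind, detail in sorted(events):
        s, path = state[pid], detail.lower()
        if kind == "net_connect":
            s["net"] = ts
        elif kind == "file_write" and path.endswith(".exe") \
                and any(d in path for d in user_dirs):
            s["drops"][path] = ts
        elif kind == "proc_create" and path in s["drops"] \
                and s["net"] is not None and ts - s["net"] <= window_s:
            flagged.add(pid)
    return flagged
```

The signature check catches only the build whose hash it already knows, while the behavioral rule flags both builds and leaves the benign installer alone.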

The signature-based approach will forever be a “cat and mouse game” of attackers making small tweaks …….

Source: https://securityboulevard.com/2022/02/the-need-for-behavior-based-detection-as-attackers-adopt-uncommon-coding-languages/
