Hacking in tongues: Malware authors shake up their programming languages
Illustration: Si Weon Kim
Malware creators are relying on relatively uncommon programming languages such as Rust, Go, and Swift — and not just because they’re sick of writing code in C. Defenders have been forced to keep up.
Malicious software developers are branching out from familiar programming languages as they expand their arsenal of hacking tools to evade detection and stymie analysis.
But experts say malware authors’ adoption of Rust, Go, and other unconventional programming languages isn’t yet cause for despair.
“The biggest hindrance for analyzing so-called ‘non-traditional’ languages is that specific reverse engineering tools can take time to catch up to newly emergent programming languages,” Red Canary principal malware analyst Christina Johns told README, but “there are many more tools for reversing Go binaries now than there were just a few years ago.”
Most existing malware is written in C, C++, or C#, which have all been around for decades. C and C++ in particular are known for their performance, and C# is commonly used with the .NET framework introduced by Microsoft to allow developers to create software for many platforms.
But relatively offbeat languages like Go and Rust have their own advantages for malicious coders, and their use is already shaking up the global cyberthreat landscape.
Rust, an open source programming language released in 2014, offers user-friendly syntax, is difficult for defenders to reverse-engineer, and features fast encryption and wide-ranging cryptographic libraries that appeal to ransomware authors.
Plus, programmers in general like working with it: According to the Stack Overflow developer survey of 2021, nearly 87% of respondents said they “love” programming in Rust. That’s a significantly higher percentage than any member of the C family got; only 40%, 49%, and 62% of respondents said they “loved” C, C++, and C#, respectively.
Ransomware and Rust
The cybercriminals behind the BlackCat ransomware seized on Rust’s potential in December 2021, as MalwareHunterTeam reported at the time:
Unit 42 at Palo Alto Networks said in January that BlackCat was “one of the first, if not the first, piece of ransomware to use” Rust. “By leveraging this programming language, the malware authors are able to easily compile it against various operating system architectures,” the company said. “Given its numerous native options, Rust is highly customizable, which facilitates the ability to pivot and individualize attacks.”
BlackCat wasn’t the last piece of ransomware to be written in Rust. Kaspersky reported in July that it had discovered a new Rust-based ransomware strain called Luna. The company echoed Unit 42 in saying that ransomware authors were choosing Rust because it supports multiple platforms, and it added that “cross-platform languages help to evade static analysis,” which can hinder researchers.
Microsoft reported in July that the Hive ransomware had even been rewritten in Rust to benefit from the language’s perks.
These benefits aren’t exclusive to ransomware: Proofpoint reported in May 2021 that it had discovered a new “RustyBuer” variant of the Buer malware loader, which it said “enables the threat actor to better evade existing Buer detection capabilities.”
Go, Go, Go
Go, or Golang, is another programming language gaining in popularity among legitimate programmers and malware authors alike.
Cybersecurity firm CrowdStrike said in a May 2021 blog post that it had come across a variant of the HelloKitty and FiveHands ransomware that used Go. More recently, researchers discovered a decoy ransomware variant used to distract from data wiper attacks in February after Russia invaded Ukraine. Sentinel Labs senior director Juan Andres Guerrero-Saade said the ransomware was written in a combination of Go and C.
Go offers many of the same technical advantages as Rust. CrowdStrike said the FiveHands ransomware’s use of Go “makes it challenging to debug for malware researchers” because “all necessary libraries are statically linked and included in the compiler binary and the function name recovery is difficult.” And, like Rust, Go is meant to be able to create software for multiple platforms, making malware based on the language more flexible.
Uncommon programming languages can appeal to malware authors for other reasons. Some malware has been written in Swift, for example, which is technically multi-platform but is mostly associated with developing for Apple’s platforms. Malware creators are using Rust and Go to enable attacks on multiple operating systems (Windows and Linux) but turning to Swift for attacks that specifically target macOS.
Lost in translation
Writing malware in an untraditional language can be tricky. Although the basics of programming are fairly consistent across languages — which is why many developers can become proficient in more than one — it’s easy to make mistakes on unfamiliar turf.
ESET noted this in 2017 when it described a new piece of ransomware written in Swift as being “generally poorly coded.” Some of the problems, such as “a transparent background,” were merely cosmetic. But others — such as it being “impossible to reopen the window if it is closed” and the author’s inability to restore files even if the ransom is paid — were more severe.
Guerrero-Saade said the decoy ransomware deployed against Ukrainian networks in February also had problems, at least some of which appeared to stem from its creator’s lack of experience with Go, especially where concurrency is concerned:
There’s no guarantee either piece of malware would’ve been of higher quality if it were written in a more traditional language. The entire security industry is built on the fact that programmers — even those working with familiar languages — make mistakes. But it stands to reason that malware authors would be more prone to error if they’re using an unfamiliar language.
Similar problems, different languages
Defensive changeups can prompt offensive tool creators to adapt. Microsoft said Hive benefited from the switch to Rust because it was “relatively more difficult to reverse-engineer” — even though the ransomware was originally written in Go. Hive’s authors had transitioned from one relatively uncommon language to another in response to defenders’ growing familiarity with Go.
Many security tools have also gone from simply maintaining lists of file hashes for known malware to monitoring specific behavior. These detection mechanisms can help defend against malware regardless of the language it’s written in. (That doesn’t mean they’re foolproof, but it does mean malware authors can’t evade detections by changing a single line of code.)
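To make the hash-versus-behavior contrast concrete, here is an added example that is not from the article or from any vendor quoted in it: it hashes two constructed stand-in builds of one ransomware family (the catalogued build and a rewrite in another language), then runs a simple rename-burst rule over constructed endpoint events. The build bytes, file paths, process IDs and thresholds are all assumptions made up for the illustration.

```python
import hashlib
from collections import defaultdict

# Constructed stand-ins for two builds of one ransomware family: the build
# defenders have already catalogued, and a rewrite in another language.
# Same behaviour, different bytes, so the file hashes differ.
ORIGINAL_BUILD = b"constructed-original-build\x00\x01"
REWRITTEN_BUILD = b"constructed-rewritten-build\x00\x02"

# Hash blocklist: only the build that has been analysed is listed.
KNOWN_BAD_SHA256 = {hashlib.sha256(ORIGINAL_BUILD).hexdigest()}


def hash_detect(sample: bytes) -> bool:
    """Signature-style check: true only if the exact file hash is listed."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_SHA256


# Constructed endpoint telemetry: (timestamp_s, pid, action, path).
def ransomware_like_events(pid: int, t0: float) -> list:
    """Either build produces this: 40 user files renamed to a new extension
    within two seconds. The language it was compiled from leaves no trace here."""
    return [(t0 + i * 0.05, pid, "rename", f"C:/Users/alice/Documents/report{i}.docx.locked")
            for i in range(40)]


def benign_events(pid: int, t0: float) -> list:
    """A user saving a couple of documents over a minute (constructed)."""
    return [(t0, pid, "rename", "C:/Users/alice/Documents/draft.docx.bak"),
            (t0 + 40, pid, "create", "C:/Users/alice/Documents/notes.txt")]


def behaviour_detect(events, min_renames: int = 20, window_s: float = 10.0) -> set:
    """Flag any pid that renames at least min_renames files to the same new
    extension within window_s seconds, regardless of what the binary hashes to."""
    by_pid = defaultdict(list)
    for ts, pid, action, path in events:
        if action == "rename":
            by_pid[pid].append((ts, path.rsplit(".", 1)[-1]))
    flagged = set()
    for pid, renames in by_pid.items():
        renames.sort()
        for start_ts, ext in renames:
            burst = [1 for ts, e in renames
                     if e == ext and start_ts <= ts <= start_ts + window_s]
            if len(burst) >= min_renames:
                flagged.add(pid)
                break
    return flagged
```

The hash check catches only the catalogued build, while the rename-burst rule flags the same process pattern from either build and leaves the benign activity alone.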
“Re-implementing malware in a new language could evade antivirus (AV) signatures in the short-term, yes, but AV vendors have proven their agility in rapidly developing and deploying tool-specific signatures,” Red Canary director of threat research Matt Graeber told README. “It’s a cat-and-mouse game that the AV industry is relentless and skilled at playing.”