To thwart researchers, malware creators use 'abnormal' programming languages.

in technews •  3 years ago 

Malware authors are concentrating on finding and exploiting flaws in code-analysis and reverse-engineering tooling.


According to BlackBerry's Research & Intelligence team, there has been a recent "escalation" in the use of Go (Golang), D (DLang), Nim, and Rust, which are being utilized more frequently to "attempt to elude detection by the security community, or address specific pain-points in their development process."

Malware authors are experimenting with loaders and droppers written in these languages, which are designed for first- and second-stage malware distribution in an attack chain.

According to BlackBerry, first-stage droppers and loaders are becoming more common in order to avoid detection on a target endpoint, and they are used to decode, load, and deploy malware, including Trojans, once the malware has circumvented existing security controls able to detect more typical forms of malicious code.

The Remcos and NanoCore Remote Access Trojans (RATs) are two examples of commodity malware mentioned in the report. Cobalt Strike beacons are also frequently delivered this way.

With more resources at their disposal, some developers are rewriting their malware entirely in new languages, as with the rewrite of Buer as RustyBuer.

Cybersecurity analysts say that, judging by current trends, cybercriminals are particularly interested in Go.

According to BlackBerry, both advanced persistent threat (APT) state-sponsored organisations and commodity malware authors are interested in learning the language to improve their arsenals. CrowdStrike reported in June that a new ransomware strain borrowed characteristics from HelloKitty/DeathRansom and FiveHands, but encrypts its core payload with a Go packer.

"This hypothesis is predicated on the fact that new Go-based samples are now arriving on a semi-regular basis, encompassing malware of all varieties and targeting all major operating systems across various campaigns," the researchers write.
DLang has seen a modest surge in adoption during 2021, despite not being as popular as Go.

The researchers believe that malware authors employing new or unusual programming languages can thwart reverse-engineering efforts, evade signature-based detection technologies, and improve cross-compatibility among target systems. The codebase itself may provide a layer of camouflage simply because of the language it is built in, without any further effort from the malware developer.
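The camouflage described above is only as good as the defender's ability to recognise what compiler produced a binary. The following Python snippet is an added example written for this page, not code from BlackBerry's report or from the article; it triages samples by looking for well-known compiler artifacts (Go's build-info magic, `go1.x` version strings and the `.gopclntab` section name; Rust's standard-library source paths and `/rustc/` toolchain paths). The marker byte strings are assumptions drawn from general knowledge of Go and Rust compiler output, and the sample blobs are constructed for the demonstration.

```python
"""Heuristic language fingerprinting for suspicious binaries (added example)."""
import re

# Assumed markers (not from the BlackBerry report):
GO_BUILDINFO_MAGIC = b"\xff Go buildinf:"     # Go >= 1.13 build-info blob header
GO_VERSION_RE = re.compile(rb"go1\.\d+(?:\.\d+)?")  # embedded runtime version string
GO_PCLNTAB = b".gopclntab"                    # Go PC/line table section name
RUST_MARKERS = (b"library/std/src/", b"/rustc/")  # std panic paths, toolchain paths


def fingerprint(blob: bytes) -> dict:
    """Return {language: [evidence, ...]} for every language with at least one hit."""
    hits = {"go": [], "rust": []}

    if GO_BUILDINFO_MAGIC in blob:
        hits["go"].append("buildinfo magic")
    match = GO_VERSION_RE.search(blob)
    if match:
        hits["go"].append("version string " + match.group(0).decode())
    if GO_PCLNTAB in blob:
        hits["go"].append(".gopclntab section name")

    for marker in RUST_MARKERS:
        if marker in blob:
            hits["rust"].append(marker.decode())

    return {lang: evidence for lang, evidence in hits.items() if evidence}


def triage(samples: dict) -> list:
    """Map a {name: bytes} dict to a sorted list of (name, languages) for a worklist."""
    return sorted((name, sorted(fingerprint(blob))) for name, blob in samples.items())


# Constructed sample blobs standing in for real files; they are not real malware.
SAMPLE_GO = (b"\x7fELF" + b"\x00" * 16 + b".gopclntab\x00"
             + b"\xff Go buildinf:\x08\x02" + b"go1.16.5\x00")
SAMPLE_RUST = (b"MZ" + b"\x00" * 32
               + b"/rustc/0123456789abcdef/library/std/src/panicking.rs\x00")
SAMPLE_PLAIN = b"MZ" + b"\x00" * 64

if __name__ == "__main__":
    for name, langs in triage({"a.bin": SAMPLE_GO, "b.bin": SAMPLE_RUST, "c.bin": SAMPLE_PLAIN}):
        print(name, langs or ["no compiler markers"])
```

The checks are string heuristics, so a stripped or packed binary can hide them; the point is that switching languages changes which artifacts to look for rather than removing them, and a sensor that tracks these markers turns the "unusual language" signal into a triage feature instead of a blind spot.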

"Malware authors are well-known for their ability to adapt and adjust their skills and habits in order to take advantage of newer technologies," said Eric Milam, BlackBerry's VP of Threat Research. "This has a number of advantages, including a shorter development cycle and a lack of protection from protective treatments. Because these tendencies are only going to get worse, it's vital that industry and customers recognize and keep track of them."
