In 2021, malware developers have reached beyond the usual development languages such as C and Delphi to build samples in Go and Rust, with the apparent goal of making malware analysis and anti-virus signature development more difficult. Go and Rust binaries are statically linked, carry their own runtime, and use calling conventions and string representations that differ from C, so existing signatures, disassembler heuristics, and analyst habits map poorly onto them. BuerLoader has been completely rewritten in Rust; the Rust version was first reported in May 2021 and is in active use. The malware authors' focus has been on loaders and droppers, using uncommon API calls and code patterns that existing anti-virus signatures do not match, which gives the malware an edge in evasion. Researchers also noted that commodity malware such as the Remcos and Nanocore RATs, and even Cobalt Strike Beacon, is now being rewritten in other programming languages. BlackBerry researchers observed: "This assumption is based upon the fact that new Go-based samples are now appearing on a semi-regular basis, including malware of all types, and targeting all major operating systems across multiple campaigns."
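A first step when a suspect binary lands on an analyst's desk is to find out which toolchain built it, since a Go or Rust sample needs a different playbook from a C or Delphi one. The script below is an added example written for this page, not Binary Defense tooling or code from any of the malware families named above. It fingerprints a file by looking for the Go runtime's pclntab header magic and build-info strings, and for symbol names and source-path fragments that std-linked Rust binaries normally retain. The marker lists are heuristics chosen for this example; the sample byte blobs in the usage block are constructed inline so the script runs offline.

```python
"""Heuristic toolchain fingerprinting for suspect binaries (added example).

Answers the triage question "was this built with Go or Rust?" by scanning
raw bytes for runtime artifacts. It does not parse PE/ELF headers, so it
works on any file, but it is a heuristic, not a proof: packers and string
stripping can hide the markers, and random data can mimic the magic bytes.
"""
import re
import struct
import sys

# Magic value at the start of Go's runtime.pclntab header, by Go version
# (little-endian on x86/x64). The header continues with two zero bytes,
# the minimum instruction size, and the pointer size (4 or 8).
GO_PCLNTAB_MAGICS = {
    0xFFFFFFFB: "go1.2-1.15",
    0xFFFFFFFA: "go1.16-1.17",
    0xFFFFFFF0: "go1.18-1.19",
    0xFFFFFFF1: "go1.20+",
}

# Build-info magic ("\xff Go buildinf:") and the build ID string that Go
# writes at the start of the text section of PE files.
GO_STRING_MARKERS = (b"\xff Go buildinf:", b'Go build ID: "')

# Runtime symbols and source paths commonly left in Rust binaries.
RUST_MARKERS = (
    b"rust_begin_unwind", b"rust_eh_personality", b"rust_panic",
    b"core::panicking", b"library/core/src/", b"library/std/src/",
)
# Panic locations embed the toolchain commit: /rustc/<40 hex chars>/
RUST_RUSTC_PATH = re.compile(rb"/rustc/[0-9a-f]{40}/")


def find_go_pclntab(data: bytes):
    """Return (offset, version hint) of a plausible pclntab header, else None."""
    for magic, hint in GO_PCLNTAB_MAGICS.items():
        needle = struct.pack("<I", magic) + b"\x00\x00"
        start = 0
        while (idx := data.find(needle, start)) != -1:
            if idx + 8 <= len(data):
                min_instr, ptr_size = data[idx + 6], data[idx + 7]
                # x86 min instruction size is 1; ARM variants use 2 or 4.
                if min_instr in (1, 2, 4) and ptr_size in (4, 8):
                    return idx, hint
            start = idx + 1
    return None


def fingerprint(data: bytes) -> dict:
    """Classify data as 'go', 'rust', or 'unknown' with supporting evidence."""
    evidence = []

    pcl = find_go_pclntab(data)
    if pcl is not None:
        evidence.append(f"pclntab header at 0x{pcl[0]:x} ({pcl[1]})")
    for marker in GO_STRING_MARKERS:
        if marker in data:
            evidence.append(f"string {marker!r}")
    if evidence:
        # A pclntab header is strong evidence; strings alone are weaker.
        confidence = "high" if pcl is not None else "medium"
        return {"language": "go", "confidence": confidence, "evidence": evidence}

    for marker in RUST_MARKERS:
        if marker in data:
            evidence.append(f"string {marker!r}")
    match = RUST_RUSTC_PATH.search(data)
    if match:
        evidence.append(f"rustc source path {match.group(0)!r}")
    if evidence:
        confidence = "high" if len(evidence) >= 2 else "medium"
        return {"language": "rust", "confidence": confidence, "evidence": evidence}

    return {"language": "unknown", "confidence": "n/a", "evidence": []}


if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as fh:
            sample = fh.read()
    else:
        # Constructed sample: a fake Go pclntab header plus build-info magic.
        sample = (b"\x00" * 16 + b"\xfb\xff\xff\xff\x00\x00\x01\x08"
                  + b"\x90" * 8 + b"\xff Go buildinf:" + b"\x00" * 8)
    result = fingerprint(sample)
    print(f"{result['language']} ({result['confidence']})")
    for line in result["evidence"]:
        print("  -", line)
```

Run it as `python fingerprint.py sample.bin` to classify a real file; with no argument it classifies the constructed Go-like blob. A "go" or "rust" verdict is a routing hint for the analyst, not a detection signature: legitimate software in both languages carries exactly the same artifacts.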
Malware developers have an enormous incentive to stay on the cutting edge of anti-virus evasion and keep one step ahead of threat researchers. Any slight advantage that slows analysis buys extra time for the malware to be distributed unimpeded, which means more victims are infected and the malware distributors generate more revenue. Enterprises should keep endpoints and anti-virus definitions updated constantly and encourage employees to report phishing attempts. Enterprises, small businesses, and government entities should review recent guidance on cybersecurity best practices issued by CISA. Binary Defense offers expert teams of malware analysts and Security Operations Center operators to supplement any company's defensive posture. While threat actors scramble behind closed doors to come up with new evasion techniques, researchers at Binary Defense continue to develop techniques to stop adversaries in their tracks.