Tech Talk
How Hackers Are 6 Steps Ahead Of Defenders: Read About Their Next Generation Tools
Despite having the best software tools and technologies deployed, organizations are finding it hard to defend their IT networks from impending attacks, and such attacks have increased manifold in recent times.
Whenever an organization's defense team gains a sense of confidence after deploying the latest tools, a fresh attack arrives with new variants. This leaves the team wondering whether its decision-making was flawed.
Analysis: There is a famous saying that attackers are at least 6 steps ahead of defenders. They achieve this simply by adapting to new technologies and by their appetite for learning.
Whenever new technologies are released for common use, attackers immediately try to turn them to their own purposes.
For example, lately quite a few programming languages such as “Rust” (used in the RustyBuer malware) and Nim (NimzaLoader) are being used to develop new software applications. These languages give assurances such as memory-safe programming and secure coding, which ideally should strengthen the security of the applications built with them. But what happens if hackers also use the same programming languages to create malware and infect systems?
In that case, it becomes near impossible for existing tools to detect malware written in these programming languages.
According to BlackBerry researchers led by Eric Milam, VP of Research, “Programs written using the same malicious techniques but in a new language are not usually detected at the same rate as those written in a more mature language, and that tactic has multiple benefits from the development cycle and inherent lack of coverage from protective products.”
Noting that binaries written in these languages can appear more complex, convoluted, and tedious when disassembled, the researchers said the pivot adds additional layers of obfuscation simply by virtue of the languages being relatively new. This leads to a scenario where older malware developed in traditional languages like C++ and C# is being actively retooled with droppers and loaders written in uncommon alternatives, to evade detection by endpoint security systems.
“The loaders, droppers and wrappers […] are in many cases simply altering the first stage of the infection process rather than changing the core components of the campaign. This is the latest in threat actors moving the line just outside of the range of security software in a way that might not trigger on later stages of the original campaign.”
In the last 10 years, new programming languages such as “Rust”, “Nim”, “Go” and “Dlang” have gained prominence because they address security and safe programming, since earlier languages were not designed with security in mind. However, hackers have already used these languages to develop malware:
Dlang (regarded as an advanced successor to C/C++) – DShell, Vovalex, OutCrypt, RemcosRAT
Go (Google's programming language, which offers C-like features with built-in safety controls) – ElectroRAT, EKANS (aka Snake), Zebrocy, WellMess, ChaChi
Nim (as fast as C and as expressive as Python) – NimzaLoader, Zebrocy, DeroHE, Nim-based Cobalt Strike loaders
Rust (C++-like features with built-in safety controls) – Convuster Adware, RustyBuer, TeleBots Downloader and Backdoor, NanoCore Dropper, PyOxidizer
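The detection gap described above is a triage problem as much as a signature problem: a binary built with an uncommon toolchain deserves a closer look even when no existing signature fires. The following added example (written for this page; it is not code from the article, from Armantec or from BlackBerry) scans a binary's raw bytes for runtime residue characteristic of Go, Rust, Nim, D, C/C++ and C#, guesses the toolchain, and flags binaries from less-covered toolchains for manual review. The marker patterns and the sample blobs are constructed assumptions, not a vetted signature set.

```python
import re
from typing import Dict, List, Optional

# Heuristic byte patterns that each toolchain's runtime tends to leave in a binary.
# These markers are assumptions drawn from common compiler artefacts, not a vetted signature set.
TOOLCHAIN_MARKERS: Dict[str, List[bytes]] = {
    "Go":    [rb"Go build ID:", rb"\.gopclntab", rb"go1\.[0-9]+"],
    "Rust":  [rb"/rustc/[0-9a-f]{40}/", rb"library/core/src/panicking\.rs", rb"\.cargo/registry"],
    "Nim":   [rb"NimMain", rb"lib/system/fatal\.nim", rb"nimrtl"],
    "D":     [rb"_d_run_main", rb"druntime", rb"core\.exception"],
    "C/C++": [rb"msvcrt\.dll", rb"vcruntime[0-9]+\.dll", rb"libc\.so\.6"],
    "C#":    [rb"mscoree\.dll", rb"_CorExeMain", rb"System\.Runtime"],
}
# Toolchains that mature endpoint coverage usually handles well; anything else gets a closer look.
WELL_COVERED = {"C/C++", "C#"}


def marker_hits(data: bytes) -> Dict[str, List[str]]:
    """Return, per toolchain, the marker patterns found anywhere in the raw bytes."""
    hits = {}
    for toolchain, patterns in TOOLCHAIN_MARKERS.items():
        found = [p.decode() for p in patterns if re.search(p, data)]
        if found:
            hits[toolchain] = found
    return hits


def guess_toolchain(data: bytes) -> Optional[str]:
    """Pick the toolchain with the most distinct marker hits; None on no hits or a tie."""
    ranked = sorted(marker_hits(data).items(), key=lambda kv: len(kv[1]), reverse=True)
    if not ranked or (len(ranked) > 1 and len(ranked[0][1]) == len(ranked[1][1])):
        return None
    return ranked[0][0]


def needs_extra_review(data: bytes) -> bool:
    """Flag binaries built with an uncommon or unrecognised toolchain for manual triage."""
    return guess_toolchain(data) not in WELL_COVERED


# Constructed sample "binaries": a header stub followed by the kind of residue a toolchain leaves.
SAMPLES = {
    "rust_dropper.bin": b"\x7fELF" + b"\x00" * 12 + b"/rustc/" + b"a" * 40 + b"/library/core/src/panicking.rs\x00",
    "go_loader.bin": b"MZ" + b"\x00" * 12 + b'Go build ID: "x"\x00.gopclntab\x00go1.21\x00',
    "cpp_tool.bin": b"MZ" + b"\x00" * 12 + b"msvcrt.dll\x00vcruntime140.dll\x00",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: toolchain={guess_toolchain(blob)} review={needs_extra_review(blob)}")
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `needs_extra_review`; a positive result is a triage cue for closer analysis, not a verdict that the file is malicious.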
Conclusion: CIOs/CISOs may want to factor in the above points when planning any system upgrade as part of a technology refresh, and design counter controls accordingly.
Content Reference:
Compiled by: the Red Team of Armantec, led by Shamsher Bahadur, Cyber Security Practice Head.
This article has been submitted by Armantec Systems Pvt Ltd (www.armantecsystems.com), a Noida-based threat intelligence and red teaming consulting firm whose primary focus is custom ransomware attack solutions for Critical Information Infrastructures (CIIs).