Why do cybercriminals use some programming languages more often than others

Father

Programming languages are an important tool for cyber attacks. We'll tell you what makes PowerShell, Bash, and JavaScript attractive to cybercriminals, what is the secret to the popularity of C / C++, and how to avoid becoming a victim of malicious Python applications.
  1. Introduction
  2. What programming languages are most often used for attacks
  3. Not by C alone
  4. Python is one of the least popular languages among malware creators
  5. Main types of malicious Python code
  6. Is there a specific strategy for protecting against malicious Python applications?
  7. Conclusions

Introduction

At present it would be hard to claim that any system or program is completely secure. Any of them can hide a vulnerability, a mistake made during development, whose presence opens the way to serious consequences, and such errors are what intruders most often exploit. Information security companies constantly track vulnerabilities and keep their databases up to date. Sources for this monitoring include the U.S. National Vulnerability Database (NVD), vendor security advisories, GitHub issue trackers, and open source projects.
Note that the AM Live project recently discussed how to organize the vulnerability management process in 2024.
Attackers use different programming languages to create malicious code. Some of them are more popular in the criminal environment because of their ease of use, compatibility with certain systems, and the availability of a large number of libraries that can be used to find a solution for a specific task.

What programming languages are most often used for attacks

It is important to keep in mind that a programming language is just a tool. Far more important are the skills and experience of the malware developer: their knowledge of the operating system the program targets, sufficient understanding of cryptography, and a grasp of how network protocols work. For example, if an attacker knows how to evade detection on an endpoint and can reliably implement command-and-control (C2) communication between the malware and their servers, it hardly matters what language they use. The choice of language is then determined only by the environment the malicious code will run in and the tasks it has to solve.
Nevertheless, according to our observations, confirmed by the experience of our colleagues, the largest share of malware with broad functionality is developed in C and C++. These languages are most often used to create the most serious threats: they give direct control over system resources and allow the author to build complex constructs that make the program hard to analyze and detect. Another reason for their popularity in the criminal environment is portability combined with minimal runtime dependencies: the same code can be compiled and adapted to run on different platforms without shipping an interpreter or a large runtime. At the same time, security experts hold C responsible for a large number of undefined-behaviour cases (out-of-bounds access, use-after-free, integer overflow), which inevitably lead to security gaps and infrastructure vulnerabilities.

Not by C alone

The criminal IT community also makes successful use of other programming languages. In the Windows environment, attackers often write their malicious scripts in PowerShell.
Windows PowerShell is a command shell and scripting language developed by Microsoft and built on the .NET Framework and .NET Core. PowerShell ships by default with every modern Windows release and is one of the favourite tools of attackers because of the access it gives to querying the system and changing its state. In the vast majority of cases, PowerShell is used by a wide range of IT specialists to automate tasks, administer systems, glue systems and solutions together, and keep them running correctly. Malware developers most often write their own PowerShell tools and scripts to move laterally between devices, collect information, gain persistence, evade detection, and modify system configuration in preparation for the next stages of the attack.
On *nix systems, the language for automating and replaying the same malicious actions is Bash (Bourne again shell), the default command shell in most Linux distributions. Bash scripts can manage the system and its configuration, as well as system components, user sessions and data. These capabilities are just as attractive to attackers, who turn them to their own criminal purposes.
Malware authors have not spared web development either, the field that gives users access to sites and services published on the Internet. Here the most popular language, JavaScript, deserves attention. Cybercriminals use it in XSS attacks, injecting malicious JS into web pages, and to write loaders and obfuscated droppers that carry a dangerous payload which is then executed on the victim's machine.
The list of languages that can serve criminal activity is very long, and malware can be written in any of them.

Python is one of the least popular languages among malware creators

Some programming languages are used by attackers far less often, and Python is one of them. Compared to C and C++, it is not particularly attractive for serious malicious functionality. The reason is well known: for a Python program to run reliably on a victim machine it must carry an interpreter and all its dependencies (typically bundled with a packer such as PyInstaller), it executes operations more slowly, and the resulting artefact is much larger.
Nevertheless, the Angara SOC Response and Digital Forensics team discovered a criminal group attacking corporate information resources with a malicious program written in Python. The group, M0r0k T34m (Morok Team), has been active since November 2023. The attackers developed the M0r0k ransomware, written in Python and using Fernet (the symmetric authenticated-encryption scheme from the Python cryptography library) to encrypt files recursively. Its distinguishing features are that all required dependencies are unpacked at run time, and that the string "MR !" is prepended to each encrypted file without any additional file extension being added. To maintain access to the compromised network, the attackers use the Ngrok utility to expose port 3389 (RDP) through a tunnel, which gives them a direct path from the Internet to the machine's internal resources.
Ngrok is also commonly used by the Shadow Wolf group, known to researchers as Shadow or C0met. Judging by certain features of the "handwriting" of M0r0k's creators, experts have concluded that the group includes Russian-speaking hackers, but the country they operate from has not yet been established. The malicious code does not resemble the products of other hacker groups, which points to a new group of cybercriminals.
The danger posed by Morok Team is increased by the distinctive set of tactics they use. Initial access to the network is obtained through vulnerabilities in public-facing applications, after which the attackers create accounts whose names mimic existing ones as closely as possible. This buys them additional time before the attack is noticed, and the highest privileges assigned to such a fake account let them cause maximum damage, up to the destruction or modification of every file in the infrastructure.
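Two of the tactics above leave traces that can be checked mechanically: an encrypted file that starts with the "MR !" marker followed by a Fernet token, and the Fernet token itself, which by specification carries a big-endian Unix timestamp of when it was created (a useful anchor for the incident timeline). The following added example, written for this page and not code from Angara SOC or from the M0r0k sample, scans a directory for marked files, validates the Fernet wire format (version byte 0x80, 8-byte timestamp, 16-byte IV, AES-CBC ciphertext, 32-byte HMAC-SHA256) and, when a key is available, verifies the HMAC with the standard library alone. The marker bytes, the key, the timestamp and the directory layout are constructed assumptions; the ciphertext in the sample token is placeholder bytes rather than real AES output, since the decryption step is not needed to read the header.

```python
import base64
import binascii
import hashlib
import hmac
import os
import struct
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

MARKER = b"MR !"        # prefix the article reports M0r0k prepends (assumed: raw ASCII, no separator)
FERNET_VERSION = 0x80   # Fernet: version | timestamp(8, BE) | IV(16) | AES-128-CBC ciphertext | HMAC-SHA256(32)
MIN_TOKEN_LEN = 1 + 8 + 16 + 16 + 32


def split_fernet_key(key_b64: bytes) -> tuple:
    """A Fernet key is 32 url-safe base64 bytes: the first 16 sign (HMAC), the last 16 encrypt (AES-128)."""
    raw = base64.urlsafe_b64decode(key_b64)
    if len(raw) != 32:
        raise ValueError("Fernet key must decode to 32 bytes")
    return raw[:16], raw[16:]


def parse_fernet_token(token: bytes, signing_key: Optional[bytes] = None) -> Optional[dict]:
    """Return header facts for a structurally valid Fernet token, or None if it is not one."""
    try:
        raw = base64.urlsafe_b64decode(token)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < MIN_TOKEN_LEN or raw[0] != FERNET_VERSION:
        return None
    ciphertext = raw[25:-32]
    if len(ciphertext) % 16:          # CBC output is always a whole number of blocks
        return None
    ts = struct.unpack(">Q", raw[1:9])[0]
    info = {
        "timestamp": ts,
        "encrypted_at": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "ciphertext_len": len(ciphertext),
        "hmac_ok": None,              # unknown until a signing key is available
    }
    if signing_key is not None:
        expected = hmac.new(signing_key, raw[:-32], hashlib.sha256).digest()
        info["hmac_ok"] = hmac.compare_digest(expected, raw[-32:])
    return info


def build_sample_token(signing_key: bytes, timestamp: int, ciphertext: bytes) -> bytes:
    """CONSTRUCTED token in Fernet's wire format; `ciphertext` is placeholder bytes, not real AES output."""
    body = bytes([FERNET_VERSION]) + struct.pack(">Q", timestamp) + os.urandom(16) + ciphertext
    tag = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag)


def triage_directory(root: Path, signing_key: Optional[bytes] = None) -> dict:
    """Find files carrying the marker and report what the Fernet header says about each of them."""
    report = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        with path.open("rb") as fh:
            if fh.read(len(MARKER)) != MARKER:
                continue
            parsed = parse_fernet_token(fh.read(), signing_key)
        report[path.relative_to(root).as_posix()] = parsed or {"error": "marker present but not a Fernet token"}
    return report


def demo() -> dict:
    """Build a constructed incident directory and triage it; returns the report for inspection."""
    key_b64 = base64.urlsafe_b64encode(bytes(range(32)))   # constructed key, not a recovered one
    signing_key, _encryption_key = split_fernet_key(key_b64)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "report.docx").write_bytes(
            MARKER + build_sample_token(signing_key, 1_700_000_000, os.urandom(48)))
        (root / "notes.txt").write_bytes(b"clean file, untouched")
        (root / "broken.bin").write_bytes(MARKER + b"garbage")   # marker but no valid token
        return triage_directory(root, signing_key)


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info)
```

In a real case the signing key would come from the sample or from process memory; without it the scanner still yields the per-file encryption timestamps, which is often enough to reconstruct the order in which the ransomware walked the file system.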
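The other two tactics described for this group, lookalike accounts and an Ngrok tunnel to RDP, are best caught in logs. The added example below is detection logic written for this page, not a rule published by the researchers: it flags newly created accounts that imitate existing ones after folding the usual cosmetic tricks (case, separators, trailing digits, digit-for-letter substitutions), and it flags process-creation events that start a TCP tunnel to port 3389 whether or not the binary is still called ngrok. The account names, the homoglyph table, the similarity threshold and the event records are all constructed assumptions; the events are loosely modelled on Sysmon process-creation fields.

```python
import difflib
import re
from pathlib import PureWindowsPath

# Constructed substitution table for the digit/symbol-for-letter tricks seen in lookalike names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})
SIMILARITY_THRESHOLD = 0.8   # assumption; tune against your own account naming scheme

# Constructed sample data (not from the incident): existing accounts, accounts created during the intrusion,
# and process-creation events.
EXISTING_ACCOUNTS = ["administrator", "svc_backup", "j.smith"]
CREATED_ACCOUNTS = ["admin1strator", "svc_backup2", "j.smlth", "helpdesk"]
PROCESS_EVENTS = [
    {"user": "CORP\\svc_backup2", "image": "C:\\Users\\Public\\ngrok.exe", "cmdline": "ngrok.exe tcp 3389"},
    {"user": "CORP\\j.smith", "image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"user": "CORP\\admin1strator", "image": "C:\\ProgramData\\n.exe", "cmdline": "n.exe tcp --region eu 3389"},
]

RDP_TUNNEL = re.compile(r"\btcp\b.*\b3389\b", re.IGNORECASE)   # ngrok-style "tcp <port>" pointing at RDP


def normalize(name: str) -> str:
    """Lower-case, fold look-alike characters and drop digits/separators: 'svc_backup2' -> 'svcbackup'."""
    return re.sub(r"[^a-z]", "", name.lower().translate(HOMOGLYPHS))


def lookalike_accounts(existing: list, created: list) -> dict:
    """Map each new account that imitates an existing one to the account it mimics."""
    if not existing:
        return {}
    by_normalized = {normalize(n): n for n in existing}
    hits = {}
    for new in created:
        if new in existing:
            continue                       # same account, not a lookalike
        norm_new = normalize(new)
        if norm_new in by_normalized:      # identical once the cosmetics are stripped
            hits[new] = by_normalized[norm_new]
            continue
        best = max(existing, key=lambda old: difflib.SequenceMatcher(None, norm_new, normalize(old)).ratio())
        if difflib.SequenceMatcher(None, norm_new, normalize(best)).ratio() >= SIMILARITY_THRESHOLD:
            hits[new] = best
    return hits


def tunnel_findings(events: list, suspicious_users: set) -> list:
    """Flag processes that expose RDP through a tunnel; raise severity when run by a lookalike account."""
    findings = []
    for ev in events:
        image_name = PureWindowsPath(ev["image"]).name.lower()
        by_name = "ngrok" in image_name
        by_args = bool(RDP_TUNNEL.search(ev["cmdline"]))
        if not (by_name or by_args):
            continue
        account = ev["user"].split("\\")[-1]
        findings.append({
            "user": ev["user"],
            "image": ev["image"],
            "reason": "ngrok binary" if by_name else "renamed binary, ngrok-style TCP tunnel to 3389",
            "severity": "high" if account in suspicious_users else "medium",
        })
    return findings


def run_detection() -> tuple:
    lookalikes = lookalike_accounts(EXISTING_ACCOUNTS, CREATED_ACCOUNTS)
    return lookalikes, tunnel_findings(PROCESS_EVENTS, set(lookalikes))


if __name__ == "__main__":
    accounts, tunnels = run_detection()
    print("lookalike accounts:", accounts)
    for f in tunnels:
        print(f["severity"], f["user"], f["image"], "-", f["reason"])
```

The third event is the one worth noting: the binary has been renamed, so a rule keyed only on the image name misses it, while the command-line pattern still catches the tunnel. Matching on the account that launched it ties the two tactics together and justifies the higher severity.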

Main types of malicious Python code

Most often, malicious Python programs belong to one of the following types:
  1. Stealer — software that collects user and system data from the victim's device and sends it to the attacker's server. A good example of a Python stealer is analyzed by Cybereason in its report on the Snake malware.
  2. Downloader — a tool that fetches dependencies, further malware and other files from third-party Internet resources or from the attacker's own servers.
  3. Miner — a malicious program that uses the computing resources of the infected machine to mine cryptocurrency.
  4. Encryptor — a tool that performs malicious cryptographic transformation of files on the target device (the ransomware class that M0r0k belongs to).

Is there a specific strategy for protecting against malicious Python applications?

There are no protection methods or rules specific to malware written in Python. The most effective approach remains compliance with the general recommendations on digital hygiene and with information security requirements and rules. The optimal set of measures is well known and is routinely applied by security professionals; as a reminder, they are:
  1. Maximum coverage of endpoints with antivirus or endpoint protection software.
  2. Use of information protection tools together with a comprehensive programme that includes event monitoring, timely patching, and competent, secure configuration and design of the infrastructure.
  3. Continuous employee training to raise digital literacy, especially in handling corporate e-mail with attachments and links.
  4. Backups of critical data.

Conclusions

Software security problems have long been known and described many times, and beginners learning a programming language are taught the rules of "good" code and secure development from the start. Even a quick search turns up many resources where these recommendations are set out in detail and in accessible form. Nevertheless, even when all the rules are followed at the software-creation stage, errors still occur that leave holes in its defences against intruders. To counter attacks through such vulnerabilities, security technologies are now integrated at the operating-system level as well.