To Code or Not to Code? Cybercriminals and the world of programming

Photon Research Team
November 12, 2020 | 9 Min Read

If you keep a pulse on the technology sector or have taken note of billboard ads in any urban area, you may be familiar with the rise of coding bootcamps and the #LearnToCode movement. To advance your career in many competitive sectors, there is the question of “should I learn to code?”, and that includes those with careers as cybercriminals.

While there’s been an increase in “as-a-service” offerings, which to an extent has removed the need for in-depth programming knowledge, most cybercriminals still need some basic understanding of programming. For one thing, it helps boost credibility: many threat actors look down on those who are unable to code. They also need to code in order to configure and make use of ready-made scripts and source code. So, cybercriminals frequent dedicated programming sections on forums to discuss which coding languages to use for certain tasks; to share tools, scripts, and methods; and to ask for help with tricky scripts.

This blog will explore cybercriminals’ dark web discussions about programming languages, from beginners to advanced, and how they utilize various coding languages for specific purposes. We’ll finish with a look at the up-and-coming programming languages for cybercriminals, and the need to continually adapt and innovate through code to overcome security operations. If cybercriminals don’t keep up to speed, they run the risk of losing their efficacy and social credibility as threat actors.

Python and C: Beginning level programming for cybercriminals

A knowledge and understanding of programming languages is crucial if a cybercriminal wants to establish street cred and be viewed as a serious threat actor within the community. Despite no-code tools being available for almost any need on cybercriminal platforms, there is an unspoken expectation of cybercriminals to have some basic level of programming knowledge. This basic knowledge of coding enables them to customize those existing tools or create their own tools and malware to achieve greater criminal gains.

Cybercriminals just starting their programming journey often use programming subsections on forums to learn how to start, the top question being, “which programming language to learn first?”

RaidForums user asking about programming languages

Python for beginners:

Python is often recommended as it’s easy to learn and allows beginners to “focus on programming fundamentals” before moving on to more complex programming languages. Python also has wide applicability: according to one user on the English-language cybercriminal forum RaidForums, Python is “flexible with what you can do and used to multiple different things, even web development [sic]”. Threat actors have also commented that Python can be used for creating botnets, malware, scripts targeting servers, password changers, and even scripts for “randomizing pictures” (which allow users to alter a picture’s metadata, change the image size, and add random filters).

The C’s for intermediates:

The C languages (C, C+, C++, and C#) are also commonly recommended. While C++ is seen as more difficult to learn than the other C’s and Python, forum users have commented that although it has a steep learning curve, it makes it exponentially easier to learn additional, niche programming languages later on. A RaidForums user commented that beginners in C++ will “learn a lot of programming concepts that are essential for making good programs and writing code in general”. Like Python, the C’s also have extensive applicability. Forum users mentioned they have used C++ for a variety of purposes, including creating botnets, malware, various configurations, checkers, and embedded web servers. One member of the Russian-language cybercriminal forum Exploit emphasized: “if the problem is just to choose [a programming language] – choose C++ […] Statistically, best products are written on C++”.

A note on choice:

Experienced users often point out that beginners should begin with the end in mind and choose programming languages based on what they intend to accomplish. When asked to recommend a beginners’ language, one RaidForums user commented: “it depends on your goal. Why do you want to learn to program? Build websites for fun? Automate your current job? Change careers? The answer depends on your goals”. In a different thread, another experienced user suggested:  “C, Winapi, NativeApi, drivers – if you want to be a system programmer, Java or C# – if you want to work in big corporations, Python – for prototyping your algos and proof of concepts.”

Java, Kotlin, Python, PHP, and C#: Advanced level programming for cybercriminals

For more technically-advanced cybercriminals, there are dedicated subsections on forums for different programming languages, including Python, the C’s, PHP, Perl, .NET, JavaScript, HTML, and Delphi.  

Programming section on the English-language cybercriminal forum Altenen

These subsections are mostly used by members to ask which programming language would be best for their use case. For instance, one Exploit member asked what to use for “Android development” and said: “Honestly i hate java, seems to be that kotlin have better syntax. would it be better to learn kotlin? for malicious purposes of course.”

Though they did not specify their purpose and intent, the mentions of Kotlin and Java (programming languages commonly used for Android app development) suggest they most likely needed guidance on developing malicious Android apps. One respondent suggested that they should start with Java, and then learn Kotlin, as they would need “underlying java knowledge” to write “good code” in Kotlin.

Another use case of these subsections is to request scripts written in specific programming languages or share snippets of code that are difficult to get right. For example, one Exploit member asked where they could find “ready-made scripts for randomizing a picture in Python”, specifying their desired functionalities for the script, to which another user suggested a specific GitHub repository. Another Exploit member asked for “any and all malware coded in C# that I can study”, to which four other users replied with download links to malware written in C#, or links to GitHub repositories with content relating to malware written in C#.

Finally, these subsections are often utilized to share or sell programming scripts, methods, or tutorials. We’ve observed Exploit users advertising a botnet service written in C++, a Nulled user sharing a link to a “library” they created to help users create “checkers” in C#, another Nulled user posting tutorials on how to make “a simple Email bomber” with PHP and HTML, and a Cracked TO user sharing a “basic Discord bot” written in JavaScript.

Nulled user sharing tutorial on how to make an “Email bomber”

Rust, Python, and C++: The future of cybercriminal programming languages?

June 2020: Torum user asking about the future of programming languages

Given their long-standing popularity among cybercriminals, the C’s and Python were mentioned by several forum users as their go-to programming languages moving forwards. One user mentioned several languages they thought would be most popular over the next ten years, including C++, Java, Go, and ASM, adding “when it comes to cybersecurity, more languages you know, better off you are”.

Interestingly enough, several users highlighted the relatively obscure programming language Rust as the programming language of the future. One user said, “sure hope rust gets more popular […] there is already an operating system made in rust called redox, you should for sure check it out. Of course, It is nowhere near as feature-rich and stable as linux, but […] it is still pretty amazing that you can code an entire operating system in one language”. Another user opined that “Rust will become popular eventually. I heard quite a lot of companies who have their code base written in C want to transfer it to Rust. So I would have definitely given Rust a shot.”

A highlighted benefit of Rust is its superior obfuscation capabilities and memory capabilities compared to those of C or C++. Rust is preferred not only by cybercriminals but also by Microsoft’s Security Response Centre for its memory capabilities. In a RaidForums thread containing a long list of C++ features, another forum user simply replied “Rust is better haha, it has better memory management”. A previous Torum user supported this, saying “Concerning the near future, I personally see Rust (or maybe another language focused on memory safety) being used to code a new generation of OSes, drivers, software etc…” Whether these capabilities will be enough to dethrone the more popular programming languages such as Python and C++ remains to be seen.

Closing thoughts:

The ever-accelerating speed with which system and security behavior solutions are being developed has increased the need for threat actors to learn and develop their programming skills. And while there are many ready-made and no-code tools available for threat actors to purchase for almost any given purpose, there is always the risk that the tools will be identified, analyzed, and incorporated into security solutions—rendering them detectable and less effective. Threat actors who know how to program therefore have an inherent advantage in being able to create bespoke tools that can evade security solutions for longer periods of time. If they don’t learn to code, both their efficacy and social credibility as a threat actor will be seriously diminished.
