Unpacking the Evasive Nature of Rust Binaries

October 16, 2024

Rust in the Wild

Introduction

Rust has rapidly emerged as a go-to language for many developers due to its strong emphasis on safety, performance, and concurrency. However, it’s not just the legitimate software development community that is taking notice of Rust—malware authors are increasingly adopting it to build more resilient and evasive threats. This shift presents a significant challenge for reverse engineers who must now contend with a whole new set of complexities introduced by Rust's design. In this article, we will explore why malware authors are making the switch to Rust and what makes Rust binaries so difficult to analyze. We'll conclude with a case study of a real-world Rust-based malware threat in the wild.

The Language Shift

For many years, C and C++ have been the de facto languages for developing high-performance and low-level tools, including malware. Their ability to interact directly with hardware and offer fine-grained control over system resources made them an attractive choice for developing sophisticated command and control (C2) frameworks and remote access tools. However, these languages come with inherent risks—chiefly around memory safety, as developers must manually manage memory, which can lead to vulnerabilities like buffer overflows and use-after-free errors.

Rust has been gaining traction as an attractive alternative in recent years, offering the same level of control and performance but with a modern design that eliminates many of the security pitfalls of C and C++. Rust enforces strict memory safety, has a powerful concurrency model, and offers extensive tooling support, all while still allowing for low-level optimizations via LLVM. These attributes make Rust a compelling choice for malware developers seeking both efficiency and stealth in their operations.

Rust eliminates this risk by enforcing memory safety at compile time through its ownership model, which ensures that memory is managed safely and efficiently. This drastically reduces the chances of bugs that could crash a malware payload or make it more detectable by defensive measures. Rust also excels at handling concurrency—an essential feature for modern malware that needs to manage multiple threads or handle several simultaneous network connections without introducing race conditions or data inconsistencies.

Challenges in Reverse Engineering Rust Binaries

Complex and Optimized Code Generation

Rust binaries are notoriously difficult to reverse engineer due to their aggressive optimization techniques. By leveraging LLVM's optimization passes, Rust generates code that is highly optimized and often obfuscated. Techniques like link-time optimization (LTO) and codegen-units restructure binaries in a way that breaks traditional reverse engineering patterns. Minor changes to the source code can result in entirely different binaries, complicating the creation of reliable signatures for detection.

For reverse engineers, this means that the control flow of Rust-based malware is often highly non-linear, making it difficult to trace or predict. As a result, analyzing a Rust binary often requires significantly more time and effort compared to malware written in languages like C or C++.

Obscured Standard Library and Abstraction Layers

Rust’s standard library introduces another level of complexity. Features like iterators, pattern matching, and closures generate intricate code paths that obscure the true intent of the program. These high-level abstractions translate into low-level machine code that is difficult to map back to specific operations during static analysis.

Malware authors can leverage these abstractions to hide malicious behavior deep within seemingly benign code, making it more challenging for reverse engineers to identify the real payload. Furthermore, the abstractions add noise to the control flow graph, creating extra layers of complexity that make binary analysis more difficult.

Unconventional Control Flow and Hidden Dependencies

Rust's advanced control flow mechanisms, such as match statements and trait-based polymorphism, result in non-traditional and highly optimized control flows in the binary. These control flows, coupled with Rust’s trait system, make it difficult for reverse engineers to follow execution paths or anticipate the binary’s behavior.

For example, Rust’s use of async/await for asynchronous operations can create convoluted call stacks and hidden dependencies that traditional debugging tools struggle to unravel. Malware authors can exploit this by introducing asynchronous behavior into their malware, further complicating static analysis and increasing the time it takes for reverse engineers to dissect the payload.

Case Study: History of Rust-based Malware in the Wild

Rust-based malware is not just theoretical. In recent years, there have been several high-profile examples of malware leveraging Rust to evade detection and analysis.

BlackCat Ransomware (ALPHV)

  • Date Discovered: November 2021
  • Threat Actor/Group: ALPHV (BlackCat Group)
  • The BlackCat ransomware group, also known as ALPHV, emerged in late 2021 and quickly became notorious for its advanced and customizable ransomware-as-a-service (RaaS) operation. The group operates similarly to other major ransomware actors like REvil and DarkSide, offering its ransomware to affiliates who carry out attacks in exchange for a percentage of the ransom payments. This affiliate model allows a wide range of cybercriminals with varying technical skills to participate in attacks, making BlackCat a significant threat to multiple industries, including healthcare, manufacturing, and finance.
  • BlackCat’s operators also stand out for their aggressive negotiation strategies, using dark web leak sites to publicly shame non-compliant victims and often launching follow-up attacks.
  • There is evidence that members of ALPHV may have previously worked with other high-profile ransomware groups, such as DarkSide and REvil. The technical sophistication of BlackCat, along with operational patterns reminiscent of these prior groups, suggests that the actors behind it are experienced and well-funded. BlackCat affiliates have been responsible for major incidents worldwide, including attacks on critical infrastructure and multinational corporations, leveraging their Rust-based ransomware for its enhanced stealth and efficiency.
  • Malware Details:
  • BlackCat, also known as ALPHV, is a highly sophisticated ransomware strain that has gained attention for its modern, Rust-based design. As one of the first ransomware families written entirely in Rust, BlackCat stands out for its cross-platform compatibility, allowing it to effectively target both Windows and Linux systems. This flexibility makes it an ideal tool for widespread attacks across different network environments, significantly broadening its operational scope for threat actors.
  • Malware Scorecard:

Hive Ransomware

  • Date Discovered: March 2022
  • Threat Actor/Group: Hive Ransomware Group
  • Hive ransomware operates as a Ransomware-as-a-Service (RaaS) platform, enabling various cybercriminal affiliates to use the ransomware for extortion campaigns in exchange for a share of the ransom. Hive has been linked to attacks on critical industries, including healthcare, energy, and finance. One of its more notorious attacks was against the healthcare sector, during which Hive disrupted hospital operations, further emphasizing its willingness to target sensitive industries. One of the key actors associated with Hive is DEV-0237, a ransomware affiliate known to have deployed Hive in a series of high-profile attacks.
  • Malware Details:
  • In mid-2022, Hive ransomware underwent a significant transformation with its complete codebase being rewritten from Go to Rust, similar to other advanced ransomware families like BlackCat. This migration to Rust brings several advantages that enhance Hive's capabilities and allows it to be highly modular and adaptable.
  • Hive incorporates various evasion tactics, such as encrypting strings and using runtime decryption, which further complicates analysis. Each variant can have different decryption routines, making detection via static analysis difficult. Hive also stops critical services, including security tools like Microsoft Defender, to ensure its ransomware activities go undetected.
  • Malware Scorecard:
Malware Scorecard for HIVE Ransomware

Agenda Ransomware

  • Date Discovered: September 2022
  • Threat Actor/Group: Agenda (also known as Qilin)
  • Agenda, also known by the alias Qilin, is a ransomware group that operates using the Ransomware-as-a-Service (RaaS) model, allowing affiliates to carry out attacks using the ransomware in exchange for a share of the ransom payments. Agenda has targeted several critical sectors globally, including healthcare, education, and more recently manufacturing and IT industries. Initially, Agenda's ransomware was written in Go, but it has since shifted to Rust, enabling more efficient and stealthy attacks.
  • The group often customizes its ransomware based on the targeted victim, appending unique identifiers, such as company IDs, to encrypted files, making the malware more difficult to detect and decrypt without paying the ransom. Agenda’s use of leaked account credentials further enhances its targeting efficiency, allowing for more impactful breaches.
  • Malware Details:
  • The Rust variant of Agenda ransomware highlights the growing trend of ransomware groups transitioning to Rust for several key benefits. Like other Rust-based ransomware, Agenda's use of Rust allows it to target both Windows and Linux systems, extending its reach and making it more adaptable in diverse environments, such as VMware vCenter and ESXi servers.
  • Agenda’s Rust malware also leverages intermittent encryption, a technique designed to speed up the encryption process and reduce detection by security tools. This tactic ensures that only portions of a file are encrypted, allowing the ransomware to operate quickly and with a lower likelihood of triggering alarms.
  • Agenda includes VM cluster termination and the ability to disable security services like antivirus software, ensuring maximum damage before detection. Its ability to manipulate virtual environments, coupled with in-memory execution, makes it even more difficult for traditional security defenses to stop.
  • Malware Scorecard:
Malware Scorecard for Agenda

Rust-based malware is not just being used for the latest ransomware attacks, it’s also starting to be used by other threat actors as part of their post exploitation toolkits. Some of the latest examples of that are below:

Freeze.rs and DDGroup

  • Date Discovered: May 2023
  • Threat Actor/Group: DDGroup
  • The group employs sophisticated techniques to evade detection, such as manipulating Event Tracing for Windows (ETW) and using SYK Crypter to obfuscate and encrypt payloads.
  • DDGroup is a long-established threat actor group that has been active in various cyber campaigns. They are known for exploiting both open-source tools and proprietary software to distribute advanced malware payloads. Recently, DDGroup adopted Freeze.rs, a legitimate Rust-based red teaming tool originally designed to bypass Endpoint Detection and Response (EDR) systems for ethical hacking. The group repurposed Freeze.rs for malicious activity, using it to discreetly inject shellcode and execute payloads like XWorm RAT and Remcos RAT.
  • DDGroup often launches phishing campaigns targeting European and North American entities. These campaigns typically involve malicious PDFs or LNK files that trigger a series of actions, leading to the execution of a PowerShell script and the activation of Freeze.rs for memory injection.
  • Malware Details:
  • Freeze.rs, written in Rust, allows DDGroup to bypass userland EDR hooks by directly interacting with NT syscalls. This technique enables them to execute shellcode without triggering traditional defenses. Rust's memory safety and low-level control features make it an ideal choice for performing these complex operations while evading detection.
  • Additionally, Freeze.rs leverages a suspended process technique, allowing the malware to inject shellcode into a clean process space before security defenses, like antivirus or EDR solutions, are fully loaded. This process is critical for ensuring that injected payloads remain undetected.
  • Malware Scorecard:
Malware Scorecard CROCK.DLL

ExeWho2

  • Date Discovered: December 2023
  • Threat Actor/Group: Various (Red Teaming Tool)
  • Malware Details:
  • ExeWho2 is a Rust-based command-line tool initially developed for red teaming purposes but has been discovered in use by malicious actors. It is designed to download and execute obfuscated payloads on compromised systems. The tool was found while researchers were conducting threat hunting on open directories and analyzing publicly available data. ExeWho2 appears to be an evolution of Exe_who, a similar red-teaming tool, with enhancements that make it more effective for payload delivery.
  • While ExeWho2 was designed for legitimate red teaming, its source code has been used by attackers to distribute obfuscated malware, making it a potential tool for advanced persistent threat (APT) actors. The flexibility it offers in preparing and executing payloads makes it appealing for delivering sophisticated malware while avoiding detection.
  • ExeWho2 represents a powerful tool that has crossed over from red teaming into malicious use, leveraging Rust’s strengths to facilitate stealthy, efficient payload delivery.
  • Malware Scorecard:
Malware Toolkit ExeWho2

The shift by threat actors toward Rust represents a strategic evolution aimed at leveraging the language's inherent advantages in crafting sophisticated and evasive malware. The transition is primarily driven by Rust's cross-platform compatibility, enabling threat actors to develop malware that targets both Windows and Linux environments with a single codebase, as seen in ransomware families like BlackCat and Hive. This increases the operational scope of their campaigns while minimizing the overhead of maintaining multiple platform-specific variants.

Tools like Freeze.rs and ExeWho2 demonstrate how malicious actors exploit Rust’s system-level control to bypass Endpoint Detection and Response (EDR) systems and execute payloads from memory, minimizing their detection footprint.

Finally, the obfuscation and encryption capabilities offered by Rust's ecosystem allow attackers to hide payloads, further complicating reverse engineering efforts. As malware written in Rust continues to evolve, this trend poses a significant challenge for defenders, requiring security teams to develop advanced detection mechanisms capable of handling Rust's unique characteristics.

Conclusion

Rust's rise in popularity among malware developers is not coincidental. Its safety features, performance optimizations, and flexibility make it a formidable tool for creating stealthy and resilient malware. For reverse engineers, this trend presents a new set of challenges that require not only a deep understanding of the language but also advanced tools and techniques to overcome the inherent complexity of Rust binaries.

Looking for Cybersecurity Solutions for your organization? Contact us today for a complimentary cybersecurity consultation.

Find the perfect cybersecurity solution for your needs

Looking to solve a specific problem? Ironwood’s team of experts have experience across many different industries and organizations. Contact us to learn how we can help.

Let's Talk