
As malware hits Rust, new countermeasures emerge

In keeping with the cat-and-mouse nature of cybersecurity, threat groups have begun writing their malware in modern programming languages in recent years to exploit their cross-platform capabilities and better evade antivirus and other security tools.

As more and more malicious code is written in Go, Python and other languages, Rust increasingly seems to be the language of choice for many criminals moving away from C and C++. In a recent list of dangerous malware variants, cybersecurity firm ReliaQuest included the growing number of information stealers – such as Fickle Stealer and Rusty Stealer – written in Rust.

“Discussions about the most effective malware programming languages in online cybercriminal forums have found that users prefer Rust because of its ability to integrate C and C++ code and its difficulty to reverse engineer,” wrote Hayden Evans, cyberthreat intelligence researcher at ReliaQuest, in a blog post. He noted that from the beginning of 2022 to August, the number of posts in online cybercriminal forums discussing Rust-based information-stealing malware increased by 2,953%.

Cybersecurity companies SentinelOne and Intezer want to address this problem and have started a collaborative project called OxA11C, which they hope other developers will join, to develop a method that simplifies reverse engineering Rust binaries.

Analyzing malware is already difficult – it requires investigators to determine the intent of compiled code without having the source code on hand. And when the malware is written in a new language, the challenge becomes even greater, said Juan Andrés Guerrero-Saade, Associate Vice President of Research at SentinelLabs, the research arm of SentinelOne.

“Our tools, which are already complex and vulnerable, often break when faced with new languages like Rust, which introduce novel ways to structure data, manage memory and return values,” Guerrero-Saade told The New Stack. “These fundamental changes make reverse engineering more difficult and make it harder to understand the intent of the malware developers.”

“Each new language not only requires us to update our tools, but also presents us with the challenge of discovering exploitable quirks in the language itself. Without these adjustments, attackers gain a significant advantage by being able to hide their malware in a confusing jumble of incomprehensible code.”

The challenge of reverse engineering

Another challenge is that the community of developers working on reverse engineering methods is small compared to the community developing programming languages and frameworks, said Guerrero-Saade, calling reverse engineering tools “miracles of software development” that require constant maintenance and innovation to keep up with the growing number of languages, compiler optimizations and architectures.

“As fundamental concepts of software development evolve, reverse engineering approaches must adapt with far fewer resources,” he said. “Rust introduces its own ambitious programming paradigm – with new challenges in memory management, data structures, and the way functions process data in binary code – widening the gap in our ability to effectively analyze compiled Rust binaries and increasing the likelihood that Rust-based malware will slip through undetected.”

SentinelOne and Intezer, which presented the OxA11C project at the recent Black Hat conference, expect to have a clearer understanding of the Rust malware ecosystem by year's end, according to Guerrero-Saade. The companies hope that a community-wide collaborative approach will accelerate the development and availability of simplified Rust reverse engineering solutions by overcoming the relative lack of developers focused on such tools.

SentinelOne and Intezer already work with binary code analysis firms Hex-Rays and Vector35, whose services include reverse engineering, vulnerability analysis and custom software.

A “unified” response to the Rust malware

Jason Soroko, senior vice president of product at cybersecurity company Sectigo, told The New Stack that the lack of mature reverse engineering tools for Rust and other newer programming languages adds another layer of obfuscation to malware and is another reason why cybercriminals are turning to them.

“While there are some efforts to combat Rust-based threats, such as community-driven open source projects and research from academic institutions, the collaborative approach of the SentinelOne and Intezer initiative stands out,” Soroko said. “Their focus on developing accessible tools and encouraging community engagement provides a more unified and effective response to the challenges posed by Rust malware.”

In addition, such collaboration is another step toward standardizing the analysis of new programming languages used by threat actors, he said, adding that companies must keep in mind that “the open source tools designed to reverse engineer Rust binaries can also be used by malicious actors to analyze legitimate Rust-based software.”

Rust is becoming increasingly popular

Rust has rapidly gained popularity since the first version was released in 2015. As of Q3 2023, about 4 million developers – who call themselves Rustaceans – have adopted the language, tripling their numbers in the past two years. According to Stack Overflow's annual developer survey, about 17.6% of those not using Rust in 2022 said they plan to start using it, citing its security, concurrency, and performance features.

In Stack Overflow's survey published in July, Rust emerged as the most admired language, named by just over 82% of developers.

Well-known IT companies such as Microsoft, Amazon, Google and Meta have already adopted it, and federal agencies such as CISA (Cybersecurity and Infrastructure Security Agency) and DARPA (Defense Advanced Research Projects Agency) are urging programmers to switch from C and C++ to Rust and other modern, memory-safe languages.

According to CISA, up to two-thirds of all software vulnerabilities are due to insufficient memory-safe coding. And DARPA, the U.S. Department of Defense's research and development arm, announced its TRACTOR (Translating All C to Rust) program earlier this month, which uses large language models and other machine learning techniques to automate many of the tasks required to rewrite C and C++ code in Rust.

Cybercriminals are quick to adopt Rust

Nicole Fishbein, a security researcher at Intezer, said the cybersecurity community supports the move as a way to close memory-safety vulnerabilities.

“Our concern is that malware developers are adopting Rust more enthusiastically than the rest of us and our tools can't keep up,” Fishbein told The New Stack. “The approach we're developing is designed to analyze Rust-based malware and enable the cybersecurity community to deal with these new threats.”

There has been a learning curve for security professionals in developing tools to analyze new programming languages – and that curve has opened up numerous opportunities for attackers, said Ngoc Bui, a cybersecurity expert at Menlo Security.

“Rust is also cross-platform, meaning it can attack Windows, Linux and ESXi machines simultaneously,” Bui told The New Stack. “This efficiency is particularly attractive in the ransomware space, where maximizing impact is a key goal.”

“AlphaGolang” success model

SentinelOne and Intezer hope that the OxA11C project will be as successful as SentinelLabs' similar effort to combat the rise of malware created with Go. The result of that effort was the reverse engineering method called “AlphaGolang.”

“AlphaGolang showed us that these paradigm shifts in programming are not necessarily a bad thing,” said SentinelLabs' Guerrero-Saade. “After understanding the peculiarities of Go and adapting our tools to exploit them, many reverse engineers found that Go-based malware is much easier to analyze than more established languages like C++.”

He added: “AlphaGolang has helped increase competency and enable more reversers and malware analysts to sift through Go-based malware without having to become niche experts.”
