DEV Community

talent

The Dark side of Rust programming language

Over the past few years, developers have signaled a greater eagerness to learn and master the Rust programming language, but they aren’t the only ones. Cybersecurity researchers recently found ransomware gangs are now creating or rewriting their malware in Rust.

A December report from security firm Trend Micro finds that a group called Agenda recently released a version of its ransomware rewritten in Rust, and has used this new version to target manufacturing and IT companies. The original version of this crypto-locking malware was written in Go and used to target healthcare and education organizations.

Other ransomware-as-a-service gangs, including BlackCat, Hive and RansomExx, have also deployed malware in Rust, which makes it easier to tailor the code for machines running either Windows or Linux operating systems, the Trend Micro report notes.

Ransomware written and compiled in Rust is harder to defend against. “At present, its threat actors appear to be migrating their ransomware code to Rust as recent samples still lack some features seen in the original binaries written in the Golang variant of the ransomware,” the Trend Micro researchers write in the report. “Rust language is becoming more popular among threat actors as it is more difficult to analyze and has a lower detection rate by antivirus engines.”

Many of the features that make Rust an increasingly popular language with developers and coders now make it an attractive language for attackers looking for an added edge to circumvent organizations’ security defences.

Perhaps the two biggest benefits of leveraging Rust are that it provides direct access to hardware and memory. You can write extremely low-level code, whereas other languages make it difficult. The other major benefit is the speed at which Rust operates. The language offers high performance while ensuring memory safety. If you're going to create something like ransomware that relies on speed and processing efficiency, Rust is an ideal language to use.

Rust Never Sleeps

Ironically, Rust is becoming more popular because the language allows developers to create code with fewer security vulnerabilities and bugs compared to some other programming languages.

Rust has many built-in safeguards that prevent you from easily compiling code with some common vulnerabilities in it; this protection addresses some of the long-standing issues with languages like C and C++ that have led to many buffer overflow and use-after-free vulnerabilities over the years.

Rust is performant and safer to use. It's also rapidly growing among some of the largest software vendors in the industry, so we can expect to see demand for writing, reversing, and securing it grow.

When it comes to programming languages, cybercriminals follow the same trends as legitimate developers, noted Mike Parkin, senior technical engineer. As Rust gained acceptance, criminal gangs took note.

“Rust has been gaining in popularity with a lot of developers embracing it, including threat actors who see the same advantages that legitimate coders see. As Rust’s popularity goes up, we’ll see more threat actors using it for development. We saw threat actors working in Golang as well, for example. How much traction it gets with malware developers probably depends on how much traction it gains overall.”

By looking at samples of ransomware written in Rust, analysts note that cybercriminals are creatively using the language for their means. Trend Micro researchers found that the Rust version of Agenda allowed the threat actors to disable Windows features such as User Account Control (UAC), which helps prevent malware from executing with administrative rights. The result is “the inability to run other applications with administrative privileges,” according to the report.

Another reason for the growing interest in Rust is the continued proliferation of cloud infrastructure and Internet of Things (IoT) devices. Ransomware gangs want their malware to run on as many platforms and devices as possible, meaning they need to adopt what others are using.

While many languages have good industry adoption, several ransomware gangs appear to have settled on Rust as their preferred programming language; it provides good cross-platform support as well as a strong developer community and resources. Even though Rust is a little more complex than some of the alternatives, it has strong performance and good features.

Rust Skills in Demand

With cybercriminals now using Rust, security observers note that organizations need tech professionals who not only know the programming language but also understand the security implications of how Rust-based ransomware can target and damage vulnerable infrastructure.

As part of the ongoing cat-and-mouse game between attackers and defenders, research, reverse-engineering, and detection capabilities also must constantly evolve to account for the new variations in malware as we've done for years. For now, at least, there are fewer tools and professionals highly skilled at reverse-engineering malware written in Rust, so that alone makes it an attractive option for at least a little while.

“Rust is safer to use and performs well. We can anticipate an increase in demand for developing it, reversing it, and safeguarding it because it is also fast expanding among some of the biggest software manufacturers in the market,” Bischoping continued.

Security experts point out that organizations require IT personnel who are knowledgeable about Rust and are aware of the security ramifications of how Rust-based ransomware may target and harm susceptible infrastructure. This is because cybercriminals are now employing Rust.

Rust knowledge is required to assist in the reverse engineering of malware created in the language. According to Bischoping, “Research, reverse-engineering, and detection capabilities also must constantly evolve to account for the new variations in malware as we’ve done for years. This is part of the ongoing cat-and-mouse game between attackers and defenders.” Rust is an appealing alternative for at least a time, since, “for now, at least, there are fewer tools and professionals highly skilled at reverse-engineering malware written in Rust.”

Top comments (2)

Wco Txth

Thank you for sharing but I find the headline deceiving.
The point is that bad people are increasingly using Rust for their crimes and there's a shortage of Rust specialists to help the good people.
Like any tool, Rust can be used for good or evil. Saying that because of this it has a "dark side" is like saying "roads have a dark side because bad people use them".

bashery

Clickbait