
Memory-safe malware: Rust challenges security researchers


Kernels, drivers, and other critical components of IT systems are being rewritten en masse in Rust. This programming language is taking over from C and C++ as a reliable low-level programming language. Malware is also increasingly relying on Rust, with all the consequences that entails. What challenges does this pose for security researchers and organizations? And are we close to a solution?

Rust is still a rising star in the constellation of programming languages. It combines efficiency with reliability, whereas the C and C++ of yesteryear frequently reveal vulnerabilities caused by errors in memory management. This very advantage also attracts attackers, who are otherwise the ones exploiting such vulnerabilities and have no wish to ship them in their own code. A further advantage, from their point of view, is that compiled Rust code is extremely difficult to analyze.

A black box full of dangers

Last week, Microsoft explained why security researchers are having such a hard time with Rust-based malware, but it also offered a solution. More on that later, but first let’s take a look at the challenges research teams are facing. The security of Rust code is ensured by built-in memory safety and by its concurrency handling. The latter prevents different threads from writing to the same piece of memory at the same time. This rules out an entire category of vulnerabilities, but it also complicates security analysis.

When attackers build their malware on standard Rust libraries, it is difficult to tell which parts of the binary are library code and which components actually perform the malicious actions. As a result, it is often unclear what a piece of malware is trying to do. The biggest danger here (and the ultimate goal of cyber attackers) is that the malware is simply not recognized as such, either by security systems or by human inspectors.

Fortunately, Microsoft’s Threat Intelligence Center has mitigated this black box nature of malware written in Rust. RIFT (Rust Interactive Function Tool) is a tool for unraveling the workings of Rust code. Specifically, it identifies library code within Rust malware. This eliminates an entire step that security researchers previously had to take with this category of malicious software. Microsoft has made the tool open source, allowing work to be done on expanding its functionality and compatibility with Linux or other operating systems, for example.
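To make the library-versus-application distinction of the two paragraphs above concrete, here is an added example (not code from the article, and not RIFT itself): a small Python routine that demangles legacy-scheme Rust symbol names and attributes each function to the crate it came from. It only helps while symbols survive in the binary; the constructed sample set ends with a stripped, unnamed function that cannot be attributed this way, which is exactly the gap the article says RIFT addresses.

```python
import re

# Legacy Rust mangling escapes (`$LT$` is `<`, `$u20$` is a space, `..` is `::`)
_ESCAPES = {"$LT$": "<", "$GT$": ">", "$LP$": "(", "$RP$": ")", "$C$": ",",
            "$RF$": "&", "$BP$": "*", "$SP$": "@"}

# Crates shipped with the Rust toolchain; everything else is third-party or application code
LIBRARY_CRATES = {"core", "alloc", "std"}

def demangle_legacy(sym):
    """Demangle a legacy-scheme Rust symbol (_ZN<len><ident>...<len><ident>E) into path
    segments. Returns None for symbols that do not use this scheme (e.g. stripped binaries)."""
    if not (sym.startswith("_ZN") and sym.endswith("E")):
        return None
    body, i, parts = sym[3:-1], 0, []
    while i < len(body):
        m = re.match(r"\d+", body[i:])
        if not m:
            return None
        n = int(m.group()); i += m.end()
        ident = body[i:i + n]; i += n
        if len(ident) != n:
            return None
        if ident.startswith("_$"):          # rustc prefixes '_' when a segment starts with a symbol
            ident = ident[1:]
        for esc, ch in _ESCAPES.items():
            ident = ident.replace(esc, ch)
        ident = re.sub(r"\$u([0-9a-f]+)\$", lambda m: chr(int(m.group(1), 16)), ident)
        parts.append(ident.replace("..", "::"))
    if parts and re.fullmatch(r"h[0-9a-f]{16}", parts[-1]):
        parts.pop()                          # trailing per-symbol hash carries no path information
    return parts

def classify_functions(symbols):
    """Split symbols into toolchain-library functions and everything else (application code,
    third-party crates, and unnamed functions that need signature matching instead)."""
    library, other = [], []
    for sym in symbols:
        parts = demangle_legacy(sym)
        path = "::".join(parts) if parts else sym
        crate = parts[0] if parts else None
        if crate and crate.startswith("<"):  # "<Type as Trait>" impl: attribute by the type's crate
            crate = crate[1:].split("::")[0]
        (library if crate in LIBRARY_CRATES else other).append(path)
    return library, other

# Constructed sample: symbols as a disassembler would list them for an unstripped binary,
# plus one stripped function with only an address-based placeholder name
SAMPLE_SYMBOLS = [
    "_ZN4core3fmt9Formatter3pad17h0123456789abcdefE",
    "_ZN5alloc3vec12Vec$LT$T$GT$4push17h0123456789abcdefE",
    "_ZN3std2io5stdio6_print17h0123456789abcdefE",
    "_ZN60_$LT$alloc..string..String$u20$as$u20$core..fmt..Display$GT$3fmt17h0123456789abcdefE",
    "_ZN5tokio7runtime5spawn17h0123456789abcdefE",
    "_ZN10sample_app6config4load17h0123456789abcdefE",
    "sub_140001000",
]
```

Running `classify_functions(SAMPLE_SYMBOLS)` puts the four `core`/`alloc`/`std` functions in the library bucket and leaves `tokio`, `sample_app` and the stripped placeholder for the analyst, which is the residue RIFT is meant to shrink further.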

A new reality

Microsoft outlines a timeline of Rust usage in notorious malware types, showing why a tool like RIFT is so important. In December 2021, BlackCat was found to be using Rust in its ransomware. In the years that followed, cybercriminals and state-sponsored attackers also completed their migration to Rust. This offers advantages for malware variants that were previously written in high-level languages, as Rust is much less readable than Python, for example, and is many times more efficient.

Microsoft’s decision to make the analysis of Rust-based malware more accessible now is therefore very timely. It cuts off attackers who may have spent months or years working on the ‘right’ Rust implementation for existing malware, or those who are working with such malicious code for the first time.

Although reverse engineering is more difficult than ever, the defensive side of the cybersecurity world continues to respond to this development. A further benefit is that understanding the precise functioning of Rust code is now a step closer, and that this progress comes through collaboration between open-source contributors. Microsoft thanks the developers of the Diaphora project, an open-source diffing tool that analyzes the differences between two binaries. Within a few months or years, another open-source project that has built on RIFT may follow suit and thank Microsoft in turn.
