Over the past few years, developers have signaled a greater eagerness to learn and master the Rust programming language, but they aren’t the only ones. Cybersecurity researchers recently found ransomware gangs are now creating or rewriting their malware in Rust.
A December report from security firm Trend Micro finds that a group called Agenda recently released a version of its ransomware rewritten in Rust, and has used this new version to target manufacturing and IT companies. The original version of this crypto-locking malware was written in Go and used to target healthcare and education organizations.
Other ransomware-as-a-service gangs, including BlackCat, Hive and RansomExx, have also deployed malware in Rust, which makes it easier to tailor the code for machines running either Windows or Linux operating systems, the Trend Micro report notes.
Ransomware written and compiled in Rust is harder to defend against. “At present, its threat actors appear to be migrating their ransomware code to Rust as recent samples still lack some features seen in the original binaries written in the Golang variant of the ransomware,” the Trend Micro researchers write in the report. “Rust language is becoming more popular among threat actors as it is more difficult to analyze and has a lower detection rate by antivirus engines.”
Many of the features that make Rust an increasingly popular language with developers and coders now make it an attractive language for attackers looking for an added edge to circumvent organizations’ security defenses, said Andrew Hay, chief operating officer at Denver-based LARES Consulting.
“Perhaps the two biggest benefits of leveraging Rust are that it provides direct access to hardware and memory. You can write extremely low-level code whereas other languages make it difficult. The other major benefit is the speed at which Rust operates. The language offers high performance while ensuring memory safety,” Hay recently told Dice. “If you're going to create something like ransomware that relies on speed and processing efficiency, Rust is an ideal language to use.”
Rust Never Sleeps
Ironically, one reason Rust is becoming more popular is that the language allows developers to create code that has fewer security vulnerabilities and bugs compared to some other programming languages.
“Rust has many built-in safeguards that prevent you from easily compiling code with some common vulnerabilities in it; this protection addresses some of the long-standing issues with languages like C and C++ that have led to many buffer overflow and use-after-free vulnerabilities over the years,” Melissa Bischoping, director of endpoint security research at Tanium, told Dice.
“Rust is performant and safer to use. It's also rapidly growing among some of the largest software vendors in the industry, so we can expect to see demand for writing it, reversing it, and securing it grow,” Bischoping added.
When it comes to programming languages, cybercriminals follow the same trends as legitimate developers, noted Mike Parkin, senior technical engineer at Vulcan Cyber. As Rust gained acceptance, criminal gangs took note.
“Rust has been gaining in popularity with a lot of developers embracing it, including threat actors who see the same advantages that legitimate coders see. They like to work in what works, what they know and what’s easy,” Parkin told Dice. “As Rust’s popularity goes up, we’ll see more threat actors using it for development. We saw threat actors working in Golang as well, for example. How much traction it gets with malware developers probably depends on how much traction it gains overall.”
By looking at samples of ransomware written in Rust, analysts note that cybercriminals are using the language creatively for their own ends. Trend Micro researchers found that the Rust version of Agenda allowed the threat actors to disable Windows features such as User Account Control (UAC), which helps prevent malware from executing with administrative rights. The result is “the inability to run other applications with administrative privileges,” according to the report.
Another reason for the growing interest in Rust is the continued proliferation of cloud infrastructure and Internet of Things (IoT) devices. Ransomware gangs want their malware to run on as many platforms and devices as possible, meaning they need to adopt what others are using, said Joseph Carson, chief security scientist and advisory CISO at Delinea.
“While many languages have good industry adoption, it appears that the new language of several ransomware gangs has been to use Rust as the preferred programming language, which provides good cross-platform support as well as a strong developer community of resources,” Carson told Dice. “While Rust is a little more complex than some of the alternatives, it has strong performance and good features.”
Rust Skills in Demand
With cybercriminals now using Rust, security observers note that organizations need tech professionals who not only know the programming language but also understand the security implications of how Rust-based ransomware can target and damage vulnerable infrastructure.
Bischoping noted that tech pros need to know Rust to help reverse-engineer the malware written in the language. “As part of the ongoing cat-and-mouse game between attackers and defenders, research, reverse-engineering, and detection capabilities also must constantly evolve to account for the new variations in malware as we've done for years,” Bischoping added. “For now, at least, there are fewer tools and professionals highly skilled at reverse-engineering malware written in Rust, so that alone makes it an attractive option for at least a little while.”
Bud Broomhead, CEO of security firm Viakoo, says that, as Rust gets more popular with developers and cybercriminals, organizations need tech pros on staff who understand the language and how it is deployed to make applications more secure. It’s also essential to understand how malicious actors can use a core set of techniques to create their malware.
“Rust itself is inherently more secure and efficient; it may give developers an advantage against cybercriminals, even if those same threat actors themselves use Rust,” Broomhead told Dice. “Just like Java many years ago, organizations will look for the most efficient way to develop functions that can be used across multiple operating systems and device types. The wide adoption of Rust from web browsers, mobile operating systems, and traditional IT systems shows it is a job skill in demand currently, and likely for many years.”