A relatively new programming language on the scene, Rust was launched in 2015 and has quickly become a favourite not only for the pleasant experience it offers developers but also for the benefits it affords malware miscreants.
In the most recent 2022 Stack Overflow Developer Survey, Rust was, by far and away, the ‘most loved’ programming language among surveyed developers – a crown it’s claimed for seven years running since it was first released. Perhaps it came as no surprise, then, that Rust was also the language the most number of developers wanted to add to their repertoire, narrowly edging out Python.
This week, Microsoft revealed that the Hive ransomware group’s namesake payload has been almost entirely rewritten in Rust, moving away from Go – another favourite among malware and ransomware authors.
After BlackCat, Hive has become the second ransomware group this year to rewrite its program using Rust. This raises the question of what makes the industry-favourite language so appealing to ransomware gangs, specifically?
Rust’s killer duo of features
Safety first
Like many of the more modern programming languages designed to replace older ones, Rust claims to be “blazingly fast and memory-efficient” – much more than the likes of C and C++.
Microsoft’s analysis agrees, stating Rust offers better memory, data type, and thread safety over other languages. Memory safety is hugely important when writing secure software as memory-unsafe programs can lead to crashes. Ransomware strains also need to remain operational – to continue to lock users out of their systems – in order for the ransom demands to be valid. Memory-unsafe programs are also responsible for the majority of software vulnerabilities in non-malicious software, according to Okta.
Rust is an incredibly safe language thanks to its compiler that outright refuses to compile unsafe code by default, meaning developers who code ransomware using Rust won’t even be able to run it unless the program is guaranteed to run in a stable way.
Evasive manoeuvres
Newer languages Like Rust and Go are thought to be better at disguising the ways in which they work from malware analysts. This, in turn, prevents them from being reverse engineered to release decryptors, which would kill its ability to generate business.
RELATED RESOURCE
Storage's role in addressing the challenges of ensuring cyber resilience
Understanding the role of data storage in cyber resiliency
Again, Rust’s compiler is to thank for this. Due to the comparatively complex way in which Rust code is compiled into machine-readable code, the language makes it difficult for analysts to view the inner workings of the program. Proofpoint said in one analysis that it has observed previous malware strains being rewritten in Rust to avoid detections based on features of the program written in C.
Rust is also a command line-driven language. The newer Rust version of Hive ransomware places different parameters in the command line which means things like the credentials required to access the ransom payment site cannot be accessed by analysts from the individual sample itself. The parameters in Hive are also being constantly updated, Microsoft said, and when coupled with string encryption, makes analysis increasingly difficult.
Examples of malicious Rust programs
Examples of major malware programs written in Rust date back to 2016, shortly after the language was released. Doctor Web researchers discovered a Linux backdoor trojan with functionality limited to just four commands sent over internet chat relay (IRC).
A year later, ESET published details of the TeleBots campaign that targeted Ukraine months before the NotPetya outbreak was observed. It used a pair of backdoors in order to compromise companies in the region, including one that was rewritten in Rust from Python.
As mentioned previously, Proofpoint also published its research into the re-writing of the Buer malware, the Rust iteration of which it named RustyBuer in 2021. The campaign saw the rewritten strain being distributed as part of phishing emails masquerading as shipping companies, and other associated campaigns purporting to be from the likes of logistics company DHL. The emails typically included links to download Microsoft Office documents that used macros to drop the RustyBuer malware - a technique that Microsoft continues to battle against today.
There are also the most recent examples from BlackCat and Hive, the first and second ransomware programs to be re-written in Rust respectively. BlackCat is a prevalent strain of ransomware that prompted the FBI to issue a security advisory warning against it earlier this year. According to Varonis Threat Lab, the group behind BlackCat has actively recruited developers from the now-shuttered REvil, DarkSide, and BlackMatter ransomware organisations – all of which are believed to be Russia-affiliated.
-
Using DeepSeek at work is like ‘printing out and handing over your confidential information’News Thinking of using DeepSeek at work? Think again. Cybersecurity experts have warned you're putting your enterprise at huge risk.
-
Can cyber group takedowns last?ITPro Podcast Threat groups can recover from website takeovers or rebrand for new activity – but each successful sting provides researchers with valuable data
-
Average ransom payment doubles in a single quarterNews Targeted social engineering and data exfiltration have become the biggest tactics as three major ransomware groups dominate
-
BlackSuit ransomware gang taken down in latest law enforcement sting – but members have already formed a new groupNews The notorious gang has seen its servers taken down and bitcoin seized, but may have morphed into a new group called Chaos
-
Google cyber researchers were tracking the ShinyHunters group’s Salesforce attacks – then realized they’d also fallen victimNews In an update to an investigation on the ShinyHunters group, Google revealed it had also been affected
-
Nearly one-third of ransomware victims are hit multiple times, even after paying hackersNews Many ransomware victims are being hit more than once, largely thanks to fragmented security tactics
-
75% of UK business leaders are willing to risk criminal penalties to pay ransomsNews A ransom payment ban is a great idea - until you're the one being targeted...
-
The Scattered Spider ransomware group is infiltrating Slack and Microsoft Teams to target vulnerable employeesNews The group is using new ransomware variants and new social engineering techniques - including sneaking into corporate teleconferences
-
Hackers breached a 158 year old company by guessing an employee password – experts say it’s a ‘pertinent reminder’ of the devastating impact of cyber crimeNews A Panorama documentary exposed hackers' techniques and talked to the teams trying to tackle them
-
The ransomware boom shows no signs of letting up – and these groups are causing the most chaos
News Thousands of ransomware cases have already been posted on the dark web this year
