The Rust programming language has been gaining popularity over the years due to its many advantages, including its high level of control, memory safety, and flexibility. However, while these features make it a powerful tool for developers, they also make it an attractive language for cybercriminals. In this blog post, we will explore the dark side of the language and why cybercriminals are increasingly using it for malicious purposes.
Rust is a systems programming language designed to provide low-level control over system resources while ensuring memory safety. This makes it a powerful language for developing high-performance applications that require close control over system resources, such as operating systems, network protocols, and device drivers.
History of Rust Programming Language
The Rust programming language was first introduced in 2010 by Mozilla as a personal project of Graydon Hoare, a Mozilla employee. The initial goal was to create a language that would provide better memory safety and concurrency than existing languages such as C and C++. Its syntax was heavily influenced by C and C++, but it also incorporated features from other programming languages, such as Haskell and ML. Rust’s development was driven by a community of contributors, and it was open-sourced in 2012.
Rust gained popularity quickly, and it was listed as the programming language that people love using in the Stack Overflow Developer Survey in 2016, 2017, and 2018. It has been used in various projects, from web development to game development, and it has been adopted by companies such as Microsoft, Google, and Dropbox. Its success can be attributed to its focus on performance, safety, concurrency, and an active and supportive community.
Examples Of Rust Being Used for Malicious Purposes
Rust is increasingly being used by cybercriminals to develop a wide range of malicious applications. Here are some examples of Rust-based attacks:
- Malware Development – Rust provides cybercriminals with a powerful tool for developing malware. Rust’s low-level control and memory safety features make it an ideal language for developing stealthy and sophisticated malware that can evade detection by traditional security measures.
- Botnets – Cybercriminals are using Rust to develop botnets, which are networks of compromised computers that can be used for a variety of malicious purposes, including spamming, distributed denial-of-service (DDoS) attacks, and cryptocurrency mining. Rust’s high level of control and flexibility make it an ideal language for developing botnets that can evade detection by security measures.
- Phishing Attacks – Rust can be used to develop sophisticated phishing attacks that can trick users into giving up their personal information. Rust’s ease of use and flexibility make it an ideal language for developing phishing tools that can be customized to target specific users and platforms.
- Cryptocurrency Mining Attacks – Cybercriminals are using Rust to develop malware that can hijack victims’ computers to mine cryptocurrency. Rust’s high level of control and memory safety features make it an ideal language for developing stealthy and sophisticated cryptocurrency mining malware.
- Ransomware Attacks – Rust can be used to develop sophisticated ransomware attacks that can encrypt the data of victims and demand payment for the key to unlock the encryption. Rust’s low-level control and memory safety features make it difficult for security researchers to detect and neutralize ransomware attacks developed in Rust.
Which Ransomware Organizations Use Rust?
Rust-written ransomware, which we came across with the BlackCat group that appeared at the end of 2021, persisted throughout 2022. According to an FBI assessment of BlackCat, the group’s high success rate was due to its use of a Rust-written ransomware strain.
BlackCat is also known as ALPHV, and since its appearance, SOCRadar has documented over 200 victim notifications. It is the first ransomware to be developed in Rust and has seen the most attacks. BlackCat uses the ransomware-as-a-service (RaaS) model. However, to stand out in the cybercrime market, they have varied their business models by offering rewards of up to 90% for their versions. See this article for a thorough analysis of the group and its TTPs and IoCs.
The RaaS-based Hive ransomware has been operating since 2021. In 2022, they emerged as the second Rust strain and disclosed over 200 victims on their leak sites.
However, the Hive ransomware gang has been targeted by law enforcement, including foreign law enforcement officials, who managed to seize at least two leak sites in January 2023. For thorough variant analysis, TTPs, and IoCs on the Hive ransomware group and RaaS services, see our most recent article.
Researchers from Kaspersky found Luna ransomware. It was promoted on the dark web to Russian-speaking affiliates. This malware was identified in July 2022 as one of the significant Rust-written malware strains, able to infect computers across all of Windows, ESXi, and Linux. The combination of x25519 and AES encryption, which Luna employs, further increases the difficulty of reverse engineering.
The RansomExx2 strain, a member of the RansomExx family, was identified in the final months of 2022. This strain once again demonstrated the dangers of strains written in other languages, as none of the VirusTotal results identified it as malicious for two weeks after its initial detection.
The group that researchers saw switch to Rust in the final month of 2022 was Agenda, also known as Qilin. Their previous strains were written in Go and tailored for each victim. This gang, which works under the RaaS model, launched ransomware attacks against numerous nations and industries. Since the switch from Go to Rust, researchers have observed that the Rust variant is more challenging to reverse engineer and has a lower detection rate than the Go variants.
Reasons Cybercriminals Love Rust Programming Language
- Rust is a relatively recent programming language that is gaining popularity among developers due to its speed, reliability, and memory safety features. However, cybercriminals have also taken notice of Rust for its potential to create malware and other malicious tools.
- Rust’s memory safety features make it difficult for hackers to exploit memory vulnerabilities, which is a common tactic used to gain control of a system. However, these same features also make it easier for hackers to create malware that is difficult to detect and remove.
- Rust’s speed and performance make it an attractive option for developing malware that can quickly spread across networks and infect multiple systems. It also allows hackers to create more sophisticated attacks that evade traditional security measures.
- The open-source nature of Rust and its growing community of developers also provide cybercriminals with easy access to code libraries and resources that can be used to develop new and more dangerous attacks.
- While Rust is not inherently malicious, its features and growing popularity make it a valuable tool for cybercriminals. As developers continue to explore the potential of Rust, the security community needs to stay vigilant and develop new strategies for detecting and mitigating Rust-based attacks.
The Future of Rust and Cybercrime
The growing popularity of Rust among developers means that it is likely to become an increasingly popular language for cybercriminals as well. As it continues gaining popularity, we can expect to see more sophisticated and stealthy Rust-based attacks.
However, Rust’s growing popularity also means that it will likely become a go-to language for cybersecurity professionals. As more cybersecurity professionals become familiar with Rust and its features, we expect to see new tools and techniques developed to detect and mitigate Rust-based threats.
It is important to note that Rust itself is not inherently malicious. Like any programming language, it is a tool that can be employed for both beneficial and detrimental ends. It is up to Rust developers to take responsibility for preventing its misuse by designing secure and trustworthy applications.
Rust is a powerful programming language that is increasingly being used by cybercriminals for malicious purposes. Its high level of control, memory safety, and flexibility make it an ideal language for developing stealthy and sophisticated malware, botnets, phishing attacks, cryptocurrency mining malware, and ransomware attacks. Using Rust for malicious purposes poses several challenges for cybersecurity professionals, including Rust’s inherent security features, its compatibility with security tools, the difficulty of detecting Rust-based attacks, and the need for specialized skills and knowledge to defend against Rust-based threats. However, Rust’s growing popularity also means that it is likely to become a go-to language for cybersecurity professionals as well. As more cybersecurity professionals become familiar with Rust and its features, we expect to see new tools and techniques developed to detect and mitigate Rust-based threats.