Malware developers and hackers are always looking for new tools and techniques to create and deploy malware that evades detection and analysis by security tools and experts. One tool that has been gaining popularity among them is Rust, a programming language that was created by Mozilla in 2010.
Rust is a low-level language that runs close to the hardware and offers high performance and efficiency. It is also a memory-safe language that prevents common errors and vulnerabilities, such as buffer overflows, memory leaks, and null pointers. It is cross-platform and can run on any operating system and architecture, and it can compile to WebAssembly (Wasm), a binary format that can run on any platform and environment.
In this blog post, we will explore how Rust can be a good fit for creating malware by discussing four aspects: performance, security, portability, and evasiveness.
Performance
One of the advantages of Rust is that it can offer high performance and efficiency for malware development and execution. Rust can leverage native code and hardware acceleration to optimize the speed and power of malware. For example, the 3AM ransomware, which was written in Rust, used the AES-NI instruction set to encrypt files faster. Rust can also reduce the size and resource consumption of malware by using a compact and efficient binary format. For example, the Buer loader, which was rewritten in Rust, reduced its size from 150 KB to 30 KB.
Security
Another advantage of Rust is that it can provide security and isolation for malware development and execution. Rust can prevent common errors and vulnerabilities that may expose or compromise the malware code or data. For example, Rust can prevent buffer overflows that may allow attackers to inject or execute malicious code on the target system. Rust can also provide security and isolation for malware execution by running it in a sandboxed environment. For example, the BlackCat ransomware, which was written in Rust, used the seccomp system call to restrict the access of the malware process to the kernel.
Portability
A third advantage of Rust is that it can provide portability and compatibility for malware development and execution. Rust can run on any operating system and architecture without requiring any changes or modifications to the code. For example, the Hive ransomware, which was written in Rust, could target Windows, Linux, macOS, Android, and iOS systems. Rust can also compile to WebAssembly (Wasm), which can run on any platform and environment without requiring any installation or configuration. For example, the Hive ransomware used Wasm to target Linux systems.
Evasiveness
A fourth advantage of Rust is that it can provide evasiveness and stealth for malware development and execution. Because Rust is a relatively new language, malware written in it can evade detection and analysis by security tools and experts. For example, many antivirus programs do not recognize or scan Rust binaries or Wasm files. Rust can also obfuscate and encrypt the code and data of malware to make it harder to reverse engineer or decrypt. For example, the Buer loader used XOR encryption and compression to hide its payload.
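From the defender's side of the detection gap described above, a triage check can flag Rust-compiled samples by the artifacts the toolchain leaves in a binary. This is an added example, not part of the original post; the function name `rust_artifacts` and the sample bytes are constructed for illustration, and the patterns are heuristics based on the paths rustc and cargo normally embed.

```python
import re

# rustc embeds source locations for panic messages: /rustc/<40-hex commit>/library/...
RUSTC_RE = re.compile(rb"/rustc/([0-9a-f]{40})[/\\]")
# Dependencies leave cargo registry paths: registry/src/<index dir>/<crate>-<version>/
CRATE_RE = re.compile(
    rb"registry[/\\]src[/\\][^/\\\x00]{1,64}[/\\]"
    rb"([A-Za-z0-9_\-]+?)-(\d+\.\d+\.\d+[0-9A-Za-z.+\-]*)[/\\]"
)
# Runtime strings and symbols from the Rust standard library (symbols vanish when stripped).
MARKERS = (b"RUST_BACKTRACE", b"rust_begin_unwind", b"rust_panic")


def rust_artifacts(data: bytes) -> dict:
    """Heuristic triage: report Rust toolchain artifacts found in a binary blob.

    Hits are strong evidence of a Rust build; no hits does not rule Rust out.
    """
    commits = sorted({m.group(1).decode() for m in RUSTC_RE.finditer(data)})
    crates = sorted({(m.group(1).decode(), m.group(2).decode())
                     for m in CRATE_RE.finditer(data)})
    markers = [s.decode() for s in MARKERS if s in data]
    return {
        "likely_rust": bool(commits or crates or markers),
        "rustc_commits": commits,   # maps to a compiler version, useful for clustering
        "crates": crates,           # dependency list hints at capabilities
        "markers": markers,
    }


# Constructed sample standing in for the strings section of a binary (not real malware).
SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00"
    b"/rustc/0123456789abcdef0123456789abcdef01234567/library/core/src/option.rs\x00"
    b"/home/build/.cargo/registry/src/index.crates.io-0000000000000000/aes-0.8.3/src/soft.rs\x00"
    b"C:\\Users\\dev\\.cargo\\registry\\src\\index.crates.io-0000000000000000\\walkdir-2.4.0\\src\\lib.rs\x00"
    b"RUST_BACKTRACE\x00"
)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for key, value in rust_artifacts(blob).items():
        print(f"{key}: {value}")
```

Run with a file path as the only argument to triage a sample on disk; with no argument it reports on the constructed bytes.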
Conclusion
Rust is a programming language that has been gaining popularity among developers and hackers alike. Being a language for system and low-level development, Rust is a good fit for creating malware for several reasons: performance, security, portability, small size of binaries, and the “surprise” effect of Rust-based malware. 3AM ransomware is just one example of Rust-based malware that was recently detected by security researchers.