Cybercriminals and nation-state actors are rapidly embracing Rust as a platform for malware, complicating life for defenders. Rust’s efficiency, type safety, and robust memory management, which make it a favorite for legitimate developers, also grant attackers new ways to evade detection and frustrate analysis efforts.
Why Rust Malware Poses Unique Hurdles
Unlike older malware written in languages like C++, Rust-based threats such as BlackCat and AsyncRAT are significantly harder to analyze. Several factors contribute to this:
- Extensive Static Linking: Rust malware embeds all dependencies, ballooning executable size and function count well beyond that of traditional C++ binaries.
- Obscured Malicious Logic: Analysts must sift through vast amounts of standard library code to find attacker-authored routines.
- Lack of Metadata: Without clear compiler or dependency information, distinguishing custom code from libraries is error-prone and time-consuming.
Introducing RIFT: Streamlining Rust Malware Analysis
To address these challenges, Microsoft’s Threat Intelligence Center has introduced RIFT, an open-source toolkit designed to automate the identification of library code in Rust malware. By integrating with IDA Pro and leveraging both FLIRT signatures and binary diffing, RIFT enables faster, more accurate analysis.
Core Components of the RIFT Toolkit
- RIFT Static Analyzer: An IDA Pro plugin that extracts compiler version, dependencies, architecture, and OS from binaries, storing the data in a structured JSON format.
- RIFT Generator: A Python tool that automates the download of the correct Rust toolchain and dependencies, generates FLIRT signatures, and drives binary comparison workflows using tools like Hex-Rays' FLAIR and Diaphora.
- RIFT Diff Applier: An IDA Pro plugin that applies diffing results, allowing analysts to label functions based on similarity thresholds and demangled names, either automatically or manually.
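As an added illustration (not RIFT's own code), the following Python script shows the kind of metadata the RIFT Static Analyzer recovers from a binary: it scans raw bytes for the rustc commit embedded in std/core panic-location paths, the rustc version string, and cargo registry source paths that reveal crate names and versions, then emits a JSON record. The input blob, its paths and the commit hash are all constructed placeholders standing in for a real statically linked Rust executable.

```python
import json
import re

# Constructed sample: the kinds of strings a statically linked Rust binary
# carries (panic-location paths under /rustc/<commit>/ and crate source paths
# under ~/.cargo/registry/src/<index>/<crate>-<version>/). Not a real sample;
# the commit hash is a placeholder.
SAMPLE_BINARY = (
    b"\x00/rustc/0123456789abcdef0123456789abcdef01234567/library/core/src/fmt/mod.rs\x00"
    b"C:\\Users\\dev\\.cargo\\registry\\src\\index.crates.io-6f17d22bba15001f\\tokio-1.28.2\\src\\runtime\\mod.rs\x00"
    b"/home/dev/.cargo/registry/src/index.crates.io-6f17d22bba15001f/serde-1.0.163/src/de/mod.rs\x00"
    b"/home/dev/.cargo/registry/src/index.crates.io-6f17d22bba15001f/serde-1.0.163/src/ser/mod.rs\x00"
    b"/home/dev/.cargo/registry/src/index.crates.io-6f17d22bba15001f/syn-2.0.18/src/lib.rs\x00"
    b"/home/dev/.cargo/registry/src/index.crates.io-6f17d22bba15001f/syn-1.0.109/src/lib.rs\x00"
    b"rustc version 1.70.0 (01234567 2023-05-31)\x00"
)

# Toolchain commit embedded in std/core panic locations.
RUSTC_COMMIT_RE = re.compile(rb"/rustc/([0-9a-f]{40})/library/")
# Version string, present when the compiler records it (e.g. ELF .comment).
RUSTC_VERSION_RE = re.compile(rb"rustc version (\d+\.\d+\.\d+)")
# <crate>-<semver> directory inside a cargo registry checkout; non-greedy so
# hyphenated names such as windows-sys split at the version, not earlier.
CRATE_RE = re.compile(
    rb"[/\\]\.cargo[/\\]registry[/\\]src[/\\][^/\\\x00]+[/\\]"
    rb"([A-Za-z0-9_-]+?)-(\d+\.\d+\.\d+(?:[-+][A-Za-z0-9.]+)?)[/\\]"
)


def extract_rust_metadata(blob: bytes) -> dict:
    """Recover rustc version/commit and crate dependencies from raw bytes."""
    meta = {"rustc_version": None, "rustc_commit": None, "dependencies": {}}
    if m := RUSTC_VERSION_RE.search(blob):
        meta["rustc_version"] = m.group(1).decode()
    if m := RUSTC_COMMIT_RE.search(blob):
        meta["rustc_commit"] = m.group(1).decode()
    found = {}
    for name, ver in CRATE_RE.findall(blob):
        # A binary can link two versions of one crate; keep all of them.
        found.setdefault(name.decode(), set()).add(ver.decode())
    meta["dependencies"] = {k: sorted(v) for k, v in sorted(found.items())}
    return meta


if __name__ == "__main__":
    print(json.dumps(extract_rust_metadata(SAMPLE_BINARY), indent=2))
```

Run against a real file by passing `open(path, "rb").read()`; the recovered commit and crate versions are what a signature generator needs to fetch the matching toolchain and crates.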
Transforming the Analyst Workflow
RIFT empowers analysts by automating the tedious process of filtering out non-malicious code in massive Rust binaries.
Key benefits include:
- Rapid Triage: Analysts can quickly exclude thousands of standard library functions to focus on attacker-authored code.
- Flexible Matching: FLIRT signatures provide high-confidence matches, while binary diffing steps in when signature-based identification falls short.
- Support for Complex Cases: In heavily obfuscated malware, batch binary diffing, even though it’s time-consuming, delivers critical insights that signatures alone cannot provide.
RIFT in Action: Real-World Impact
Case studies demonstrate RIFT’s value. During analyses of RALord ransomware and the SPICA backdoor, RIFT dramatically reduced the time required to isolate malicious logic. When FLIRT signatures missed certain code, binary diffing provided additional clarity, enabling analysts to zero in on threats faster and with greater accuracy.
Open Source Collaboration for a Safer Future
Recognizing the importance of community defense, Microsoft has open-sourced RIFT. This move encourages researchers and defenders everywhere to collaborate, share insights, and adapt the toolkit for evolving threats. The contribution of complementary tools like Diaphora further enhances the reverse engineering ecosystem.
Meeting Modern Threats with Innovation
The shift to Rust is changing the threat landscape, making detection and analysis of malware more complex. Tools like RIFT are essential for keeping pace, offering automation and precision to tackle even the most sophisticated binaries. As Rust malware continues to proliferate, ongoing innovation and collaboration among cybersecurity professionals will be vital to staying ahead of adversaries.
Source: Microsoft Security Blog, "RIFT: Empowering Analysts to Tackle the Next Generation of Rust-Based Malware"