Threat actors are shifting from traditional languages like C and C++ to modern ones such as Rust, enabling cross-platform malware development. A new Rust-based information stealer called Luca has emerged, released openly to the public. This development highlights growing use of Rust in malware, posing new challenges for cybersecurity defenders.
Malware developers are increasingly turning to languages like Golang, Rust, and Nim and moving away from C and C++. This change lets them compile the same malicious code for both Linux and Windows with few adjustments. Among recent threats, Luca Stealer stands out as a Rust-built information stealer that has surfaced in the wild, appearing alongside other threats such as BlackCat ransomware.
Rust's role in malware is still nascent compared to Golang but is growing quickly. Luca Stealer's public open-source release offers researchers a chance to examine Rust's application in harmful software, aiding in the creation of better defenses. However, this shift demands fresh approaches to analyze and reverse-engineer these advanced binaries.
Defenders face hurdles with Rust executables. Unlike C strings, Rust strings are not null-terminated (they are carried as a pointer plus a length), so tools like Ghidra misjudge where one string ends and the next begins, creating overlapping definitions. Analysts often need to manually clear the code bytes and redefine the strings for accurate analysis. Locating the main function also requires understanding what the Rust compiler emits: the entry point sets up the runtime environment and then invokes std::rt::lang_start_internal, which receives the user's main function as an argument, so tracing that argument back leads to the program's real logic.
Helpfully, Rust's Cargo build system leaves traces. Dependencies, or 'crates,' are statically linked, and patterns like 'cargo\registry' can expose libraries such as reqwest for HTTP operations. Debug sections might retain PDB paths, revealing details like the author's username or system directories. As Rust gains traction among threat actors, grasping these traits is vital for detection efforts.
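A defender-side triage script for the Cargo traces described above, added here as an example and not taken from the article or from the Luca source. It scans a binary's raw bytes for Cargo registry source paths and PDB paths, listing each crate with its version and any build-account usernames the paths leak; the sample bytes, regex names and the `extract_rust_artifacts` function are constructed for this illustration.

```python
import re
import sys
from collections import Counter

# Source-file paths from the Cargo registry survive in the panic/debug metadata
# of statically linked Rust binaries, e.g.
#   C:\Users\dev\.cargo\registry\src\<index>\reqwest-0.11.10\src\async_impl\client.rs
# The pattern captures the crate name (hyphens allowed) and its semver version.
CRATE_PATH_RE = re.compile(
    rb"cargo[\\/]registry[\\/]src[\\/][^\\/\x00]+[\\/]"
    rb"([A-Za-z0-9_\-]+?)-(\d+\.\d+\.\d+[A-Za-z0-9.+\-]*)[\\/]"
)
# Windows PDB path left behind in the debug directory (CodeView record).
PDB_PATH_RE = re.compile(rb"[A-Za-z]:\\[^\x00]{1,260}?\.pdb", re.IGNORECASE)
# Home-directory component that reveals the account the sample was built under.
USER_RE = re.compile(rb"[\\/](?:Users|home)[\\/]([^\\/\x00]+)")


def extract_rust_artifacts(blob: bytes) -> dict:
    """Return crates (with version and hit count), PDB paths and usernames found in blob."""
    crates = Counter()
    for name, ver in CRATE_PATH_RE.findall(blob):
        crates[(name.decode(), ver.decode())] += 1
    pdbs = sorted({p.decode(errors="replace") for p in PDB_PATH_RE.findall(blob)})
    users = sorted({u.decode(errors="replace") for u in USER_RE.findall(blob)})
    return {"crates": dict(crates), "pdb_paths": pdbs, "usernames": users}


# Constructed sample: string fragments as they would sit inside a stripped Rust PE.
SAMPLE = (
    b"\x00C:\\Users\\devbox\\.cargo\\registry\\src\\github.com-1ecc6299db9ec823"
    b"\\reqwest-0.11.10\\src\\async_impl\\client.rs\x00"
    b"/home/devbox/.cargo/registry/src/github.com-1ecc6299db9ec823"
    b"/tokio-util-0.7.3/src/codec/mod.rs\x00"
    b"C:\\Users\\devbox\\.cargo\\registry\\src\\github.com-1ecc6299db9ec823"
    b"\\reqwest-0.11.10\\src\\error.rs\x00"
    b"RSDS\x01\x02\x03C:\\Users\\devbox\\proj\\target\\release\\deps\\sample.pdb\x00"
)

if __name__ == "__main__":
    # Pass a file path to scan a real binary; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    found = extract_rust_artifacts(data)
    for (name, ver), n in sorted(found["crates"].items()):
        print(f"crate {name} {ver} ({n} path(s))")
    for p in found["pdb_paths"]:
        print("pdb", p)
    for u in found["usernames"]:
        print("user", u)
```

Crate names such as reqwest point to the sample's capabilities (HTTP exfiltration here) before any disassembly, and the PDB path and username are stable pivots for clustering builds from the same developer machine.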