Malware developers are moving from traditional languages like C and C++ to newer languages such as Golang, Rust, and Nim. These languages allow them to easily compile code for both Linux and Windows with minimal changes. One notable example of this shift is Luca Stealer, a Rust-based information stealer. It has recently surfaced alongside other threats like BlackCat ransomware.
The Rise of Luca Stealer
Rust is growing in popularity among malware developers. While it’s not as widespread as Golang, its use is expanding quickly. Luca Stealer stands out because it is the first open-source, Rust-based malware. This offers security researchers a chance to study how Rust is used in malware and find ways to improve defense strategies.
Challenges in Analyzing Rust-Based Malware
Rust introduces new challenges for security analysts. Tools like Ghidra often struggle to handle Rust binaries. Rust strings carry their length instead of a null terminator, so string-recovery heuristics built for C run adjacent strings together; the result is misinterpreted data and overlapping or merged strings.
To analyze Rust binaries, researchers must clear the wrongly defined code bytes and redefine the strings by hand. They also need to trace the primary function, which is harder to identify than in a C program: the entry point typically calls a runtime function (std::rt::lang_start_internal), which in turn calls the user-written main function.
Rust Compilation Artifacts for Detection
Despite these challenges, defenders can still find clues in the binary. The Rust build system, Cargo, leaves artifacts that can assist in detection. “Crates,” or external dependencies, are statically linked into the binary. Running a script like “RustDependencyStrings.py” can reveal which crates the malware uses, such as reqwest for HTTP requests.
Artifacts like PDB paths may also remain in the binary’s “Debug Data” section. These paths could leak the author’s username or system paths. Analysts can also search for string patterns like cargo\registry to detect the libraries the malware uses.
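The artifact search described above, as an added example that is not the page's RustDependencyStrings.py nor any project's code: it scans raw bytes for Cargo registry paths (extracting crate names and versions), PDB paths and the Users\<name> component that leaks a username, and the lang_start_internal runtime marker. The sample bytes and the username devuser are constructed for the demonstration.

```python
import re
import sys
from collections import Counter

# Path fragments Cargo leaves in statically linked Rust binaries, in both the
# Windows form (cargo\registry\src\<index>\<crate>-<version>\...) and the
# Unix form (.cargo/registry/src/<index>/<crate>-<version>/...).
CRATE_PATH_RE = re.compile(
    rb"cargo[\\/]registry[\\/]src[\\/][^\\/\x00]+[\\/]"
    rb"(?P<crate>[A-Za-z0-9_\-]+?)-(?P<version>\d+\.\d+\.\d+[A-Za-z0-9.+\-]*)[\\/]"
)
# Windows PDB path left in the debug data, and the Users\<name> component that leaks a username.
PDB_PATH_RE = re.compile(rb"[A-Za-z]:\\[^\x00]{1,260}?\.pdb")
USERNAME_RE = re.compile(rb"[A-Za-z]:\\Users\\([^\\\x00]+)\\")
# Rust runtime entry point; matched on the bare name so the mangled symbol form is found too.
RUST_ENTRY_MARK = b"lang_start_internal"


def scan_rust_artifacts(data: bytes) -> dict:
    """Extract Cargo/Rust build artifacts from raw binary bytes."""
    crates = Counter(
        (m["crate"].decode(), m["version"].decode()) for m in CRATE_PATH_RE.finditer(data)
    )
    pdb_paths = sorted({m.group(0).decode("latin-1") for m in PDB_PATH_RE.finditer(data)})
    usernames = sorted({m.group(1).decode("latin-1") for m in USERNAME_RE.finditer(data)})
    has_entry = RUST_ENTRY_MARK in data
    return {
        "crates": sorted(crates),  # [(name, version), ...], deduplicated
        "pdb_paths": pdb_paths,
        "leaked_usernames": usernames,
        "has_rust_entry": has_entry,
        "likely_rust": has_entry or bool(crates),
    }


def scan_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return scan_rust_artifacts(fh.read())


# Constructed sample standing in for a binary: adjacent Rust strings share no NUL
# terminators, which is exactly the layout that confuses string extraction tools.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00"
    b"C:\\Users\\devuser\\.cargo\\registry\\src\\github.com-1ecc6299db9ec823\\reqwest-0.11.10\\src\\lib.rs"
    b"called `Option::unwrap()` on a `None` value"
    b"/home/devuser/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-util-0.7.1/src/codec/mod.rs"
    b"\x00_ZN3std2rt19lang_start_internal17h0123456789abcdefE\x00"
    b"C:\\Users\\devuser\\projects\\sample\\target\\release\\deps\\sample.pdb\x00"
)

if __name__ == "__main__":
    report = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_rust_artifacts(SAMPLE_BINARY)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it with a file path to scan a real sample; without arguments it reports on the constructed bytes, listing reqwest and tokio-util with their versions, the PDB path and the leaked username.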
Indicators of Compromise (IoCs)
The following indicators can help identify Rust-based malware like Luca Stealer:
- SHA256: 8f47d1e39242ee4b528fcb6eb1a89983c27854bac57bc4a15597b37b7edf34a6
- String: cargo\registry – Rust crate dependencies
- String: std::rt::lang_start_internal – Rust runtime entry point
As threat actors continue to use Rust, understanding these details will improve detection and defense strategies.