Cyberattackers have a new exploitation tool Rust programming language. Popular ransomware and malware families on the dark web such as BlackCat (ALPHV), Hive, Luna, RansomExx, and Agenda are increasingly launching attacks coded in Rust language which are evading traditional threat detection solutions and are difficult for cybersecurity professionals to reverse engineer. Nearly 10-15% of ransomware attacks today are estimated to be coded using Rust.

What is Rust language?

Founded in 2015, Rust is a powerful coding language released by the Rust Foundation and backed by five companies – AWS, Huawei, Google, Microsoft, and Mozilla. According to Stack Overflow’s annual developer survey 2023, Rust has been “the most desired programming language” for eight years in a row with more than 80% of developers wanting to use it.

According to SlashData, there were about 2.8 million Rust developers worldwide in 2023, with a threefold jump in numbers over the past two years.

What makes it so popular?

GitHub attributes Rust’s popularity to “safety, performance, and productivity” over other coding languages such as C, C++, Python, and JavaScript. Sanjay Katkar, joint managing director at Quick Heal Technologies, said Rust’s most crucial advantage is memory safety which prevents buffer overflows. It also offers concurrency as well as zero-cost abstractions, allowing developers to write efficient and thread-safe code, he said.

Why do cyber attackers use Rust?

“Rust compilers make it very complex to reverse engineer any kind of a malicious binary that has been coded,” said Anshuman Sharma, director, cybersecurity consulting services at Verizon Business. “The detection or doing the autopsy of a malicious binary becomes complex and time-consuming.”

Predator group Luna, for instance, is using two encryption algorithms within the same malware, Daffy Hellman and AES encryption, which has not been seen before. “This makes it complex for generally used debuggers and disassemblers to reverse engineer and see what the code is doing,” Sharma said.

“Cybersecurity researchers have uncovered various instances of Rust-based malware, including remote access trojans targeting Windows systems, backdoors with cross-platform capabilities, etc.,” said Vaibhav Tare, chief information security officer, Fulcrum Digital.

One example, he said, is Rust-based threats like Rustruck, a wiper malware capable of destroying data on compromised systems, “showcasing the language’s potential for cybercriminal abuse”.

“The absence of memory leaks or crashes ensures that the ransomware remains persistent and effective, making it harder for detection and removal by security tools,” said Quick Heal’s Katkar.

What can security professionals do?

As traditional defense mechanisms struggle to detect and mitigate threats built with modern programming languages, organizations need to invest “in advanced threat detection techniques, threat intelligence sharing, and collaboration among security researchers”, said Katkar. Next-gen anti-malware systems can detect and suppress “even the most well-obfuscated pieces of malware – regardless of the programming language used,” said Aaron Bugal, field chief technology officer – APJ, Sophos.