Recon 2024

Nicole Fishbein

Nicole Fishbein is a security researcher and malware analyst. Prior to Intezer she was an embedded researcher in the Israel Defense Forces (IDF) Intelligence Corps. Nicole has been part of research that led to the discovery of previously unseen APT malware and novel attacks on Linux-based cloud environments. Her current research focuses on the use of non-standard languages like .NET, Go, and Rust by advanced threat actors.


Sessions

06-30
15:30
60min
Project 0xA11C: Deoxidizing the Rust Malware Ecosystem
Juan Andres Guerrero-Saade, Nicole Fishbein

In malware analysis, the arrival of a new programming language introduces an entirely new set of challenges that obstruct our understanding of the malicious intent of a threat actor. Minor idiosyncrasies and newfangled artifacts become minor annoyances, while radical shifts in programming paradigms equate to major analysis blockers. Given the brittle state of our tools and the already steep requisite expertise, you can't blame REs and malware analysts for shying away from disproportionately complex malware. However, this reluctance inadvertently creates blind spots readily exploited by adversaries.

The Go programming language serves as a prime example of this phenomenon. Its quirks (see: placing unterminated strings in an unparsed blob) and inherent complexities (function prototypes repeatedly broken by handling multiple return values on an ephemeral stack) bred collective reluctance until our hands were forced by high-profile incidents like the SolarWinds supply-chain attack. To remedy the situation, we crafted an analysis methodology with accompanying atomic scripts, dubbed AlphaGolang. The result was the surprising realization that once underlying data is put back in its rightful context, reversing Go is often easier than traditional languages.

We've observed a similar trend with Rust malware. Rust's features, such as memory safety, aggressive compiler optimizations, borrowing, intricate types and traits translate into a perplexing tangle of code that surpasses even C++ in the complexity of its abstractions. APTs and ransomware groups alike have embraced Rust and yet we avert our gaze.

Let's tackle this problem head-on. Drawing on insights derived from the development of AlphaGolang, we introduce 'Project 0xA11C' ('Oxalic'), a practical methodology and accompanying tools to make Rust reverse-engineering approachable. We'll showcase the benefits by reanalyzing in-the-wild examples of APT malware like RustDown, RustBucket, and Spica. No 'Hello World!'s found here! With added clarity, we'll finally glimpse the true size of the Rust malware ecosystem and see what lies ahead.

Presentation Software
Grand Salon