Recon 2024

Juan Andres Guerrero-Saade

Juan Andrés Guerrero-Saade (better known as 'JAGS') is AVP of Research at SentinelOne and Distinguished Resident Fellow for Threat Intelligence at the Johns Hopkins SAIS Alperovitch Institute for Cybersecurity Studies. He was Google Chronicle’s Research Tsar, co-founder of Stairwell, and a Principal Security Researcher at GReAT focusing on targeted attacks. Prior to that, JAGS worked as Senior Cybersecurity and National Security Advisor to the Government of Ecuador. He’s currently co-authoring a book on Hacking Team with Lorenzo Franceschi-Bicchierai for Union Square & Co. His joint work on Moonlight Maze is now featured in the International Spy Museum's permanent exhibit in Washington, DC.


Sessions

06-30, 15:30, 60min
Project 0xA11C: Deoxidizing the Rust Malware Ecosystem
Juan Andres Guerrero-Saade, Nicole Fishbein

In malware analysis, the arrival of a new programming language introduces an entirely new set of challenges that obstruct our understanding of the malicious intent of a threat actor. Minor idiosyncrasies and newfangled artifacts become minor annoyances, while radical shifts in programming paradigms equate to major analysis blockers. Given the brittle state of our tools and the already steep requisite expertise, you can't blame REs and malware analysts for shying away from disproportionately complex malware. However, this reluctance inadvertently creates blind spots readily exploited by adversaries.

The Go programming language serves as a prime example of this phenomenon. Its quirks (see: placing unterminated strings in an unparsed blob) and inherent complexities (function prototypes repeatedly broken by handling multiple return values on an ephemeral stack) bred collective reluctance until our hands were forced by high-profile incidents like the SolarWinds supply-chain attack. To remedy the situation, we crafted an analysis methodology with accompanying atomic scripts, dubbed AlphaGolang. The result was the surprising realization that once the underlying data is put back in its rightful context, reversing Go is often easier than reversing traditional languages.

We've observed a similar trend with Rust malware. Rust's features, such as memory safety, aggressive compiler optimizations, borrowing, intricate types and traits translate into a perplexing tangle of code that surpasses even C++ in the complexity of its abstractions. APTs and ransomware groups alike have embraced Rust and yet we avert our gaze.

Let's tackle this problem head-on. Drawing on insights derived from the development of AlphaGolang, we introduce 'Project 0xA11C' ('Oxalic'), a practical methodology and accompanying tools to make Rust reverse-engineering approachable. We'll showcase the benefits by reanalyzing in-the-wild examples of APT malware like RustDown, RustBucket, and Spica: no 'Hello World!'s found here! With added clarity, we'll finally glimpse the true size of the Rust malware ecosystem and see what lies ahead.

Presentation Software
Grand Salon