Recon 2024

Project 0xA11C: Deoxidizing the Rust Malware Ecosystem
06-30, 15:30–16:30 (US/Eastern), Grand Salon

In malware analysis, the arrival of a new programming language introduces an entirely new set of challenges that obstruct our understanding of the malicious intent of a threat actor. Minor idiosyncrasies and newfangled artifacts become minor annoyances, while radical shifts in programming paradigms equate to major analysis blockers. Given the brittle state of our tools and the already steep requisite expertise, you can't blame REs and malware analysts for shying away from disproportionately complex malware. However, this reluctance inadvertently creates blind spots readily exploited by adversaries.

The Go programming language serves as a prime example of this phenomenon. Its quirks (see: placing unterminated strings in an unparsed blob) and inherent complexities (function prototypes repeatedly broken by handling multiple return values on an ephemeral stack) bred collective reluctance until our hands were forced by high-profile incidents like the Solarwinds supply-chain attack. To remedy the situation, we crafted an analysis methodology with accompanying atomic scripts, dubbed AlphaGolang. The result was the surprising realization that once underlying data is put back in its rightful context, reversing Go is often easier than traditional languages.

We've observed a similar trend with Rust malware. Rust's features, such as memory safety, aggressive compiler optimizations, borrowing, and intricate types and traits, translate into a perplexing tangle of code that surpasses even C++ in the complexity of its abstractions. APTs and ransomware groups alike have embraced Rust, and yet we avert our gaze.

Let's tackle this problem head-on. Drawing on insights derived from the development of AlphaGolang, we introduce 'Project 0xA11C' ('Oxalic'), a practical methodology and accompanying tools to make Rust reverse-engineering approachable. We'll showcase the benefits by reanalyzing in-the-wild examples of APT malware like RustDown, RustBucket, and Spica. No 'Hello World!'s found here! With added clarity, we'll finally glimpse the true size of the Rust malware ecosystem and see what lies ahead.

Juan Andrés Guerrero-Saade (better known as 'JAGS') is AVP of Research at SentinelOne and Distinguished Resident Fellow for Threat Intelligence at the Johns Hopkins SAIS Alperovitch Institute for Cybersecurity Studies. He was Google Chronicle’s Research Tsar, co-founder of Stairwell, and a Principal Security Researcher at GReAT focusing on targeted attacks. Prior to that, JAGS worked as Senior Cybersecurity and National Security Advisor to the Government of Ecuador. He’s currently co-authoring a book on Hacking Team with Lorenzo Franceschi-Bicchierai for Union Square & Co. His joint work on Moonlight Maze is now featured in the International Spy Museum's permanent exhibit in Washington, DC.

Nicole Fishbein is a security researcher and malware analyst at Intezer. Prior to Intezer she was an embedded researcher in the Israel Defense Forces (IDF) Intelligence Corps. Nicole has been part of research that led to the discovery of previously unseen APT malware and novel attacks on Linux-based cloud environments. Her current research focuses on the use of non-standard languages like .NET, Go, and Rust by advanced threat actors.