Author: Zhang Handong
Technology is a sharp double-edged sword. – lu xun.
background
Proofpoint published an article today entitled New Variant of Buer Loader Written in Rust.
Proofpoint is an enterprise security company based in Sunnyvale, California, offering software as a service and products for inbound email security, outbound data loss protection, social media, mobile devices, digital risk, email encryption, e-discovery and email archiving.
Buer is a downloaded program sold on an underground market to distribute other malware, including ransomware. Proofpoint first observed Buer in 2019.
Researchers at Proofpoint identified a new variant of the Buer malware loader distributed in early April via email masquerading as a shipping notice (from Courier company DHL). The emails contained links to downloads of malicious Microsoft Word or Excel documents that used macros to launch new variants of the malware.
Proofpoint calls the new variants RustyBuer because they are completely rewritten in Rust’s language, unlike previous C programming languages. It is rare for common malware to be written in radically different ways. Rewriting malware with Rust allows threats to better evade existing Buer detection capabilities and increases the click-through rate of links by using different decoy techniques. All of this suggests that threats are developing technology in multiple ways to evade detection and try to increase successful click-through rates.
RustyBuer is embedded directly into the document macro and requires user interaction to initiate infection. This manulife uses applications to bypass (through LOLBAS ‘Windows Shell DLL) the detection of endpoint security mechanisms.
It’s not clear why the threats took the time and effort to rewrite the malware in a new programming language, but the Proofpoint researchers point to two possible reasons:
- Rust is an increasingly popular programming language that is more efficient and has a broader set of features than C. (Microsoft, for example, is increasingly using it in its products and joined the Rust Foundation in February 2021).
- Rewriting malware with Rust allows threat participants to evade existing Buer detection of malware features written in C. The malware author programmed it so that it should remain compatible with existing Buer backend C2 servers and panels.
A stew
This is not the first case of malware written in Rust. As early as 2016, Dr.Web discovered a Trojan for Linux linux.backdoor.irc.16 implemented by Rust. Doctor Web analysts believe that Linux.backdoor.irc.16 is actually a prototype (proof of concept) because it cannot replicate itself. RustyBuer, on the other hand, is completely black.
With the current high profile of Rust, Rust is likely to become more popular in the security/black industry space. Apart from the ethics of black production software, from the perspective of technology and Rust itself, the “attack and defense” of the wine, may promote the birth of various testing tools for Rust, further enrich the ecology and promote the development of Rust.
As a result, I am curious about how many tools Rust implements in the security ecosystem today. Let’s take a look at some of the security tools found on GitHub/GitLab that are implemented with Rust. Welcome to add.
Penetration testing tool Metasploit (none) Rust rewrite plan
In 2017, someone left a comment on Metasploit issue asking Metasploit to rewrite it with Rust. Of course, the issue was ruthlessly shut down. Metasploit was written from Python to Ruby because of Ruby’s DSL capabilities. As the carrier of penetration testing tools, Metasploit currently has no reason to use Rust rewrite. Unless, of course, someone submits PR directly and uses Rust to do most of the functionality, which I don’t think will happen.
There is, however, a curvy way to save the country: rewrite Ruby in Rust. There is hope for this one: artichoke/artichoke. Artichoke is a Ruby implementation project in Rust and is currently actively maintained and compliant with the MIR(Ruby 2.6.3) specification.
Metasploit also has a feature called “Metasploit’s Hardware Bridge”, which provides a set of Hardware REST apis that enable Metasploit to operate on Hardware (IoT). With REST apis, you can wrap it in any language, as can Rust. However, this related document has not been updated for five years, I do not know how the development.
scanning
rustscan/rustscan
RustScan is a modern port scanner and provides a scripting engine to support running Python, Lua, and Shell.
The features of the tool are:
- High performance.
3It can be scanned in seconds65000A port. - Full script engine support. Automatically delivers results to Nmap and supports custom scripts.
- Adaptive learning is supported. The more you use it, the smarter RustScan gets, not based on bloated machine learning, but on basic math.
feroxbuster
A high performance content discovery tool for penetration testing. Feroxbuster uses brute force combined with word lists to search for unlinked content in target directories, which is an attack. These resources may store sensitive information about Web applications and operating systems, such as source code, credentials, internal network addressing, and so on. This attack is also known as predictable resource location, file enumeration, directory enumeration, and resource enumeration.
Stealth anonymous
Tor and Rust
- In 2020 Tor browser implements part of the module with Rust: Rust in Tor
- Arti: Tor protocol implemented purely by Rust, currently maintained very frequently. Look at this in detail.
zero-gear/rusty-tor
A proof-of-concept Tor client. But it hasn’t been maintained in two years.
Free to kill
Rust writing Shell Code is also possible.
- Writing shellcode in Rust
- writeonly.rs
- rust-windows-shellcode
- SassyKitdi: Kernel Mode TCP Sockets + LSASS Dump
- zerosum0x0/SassyKitdi
- Crab – Runner, shellcode Runner.
- Rs_shellcode, shellcode Runner.
Key introduction:
Amber. Known as the first reflective PE packer, the current development is very active.
Amber is a location-independent (reflective) PE loader that executes native PE files (EXE, DLL, SYS…) in memory. . It implements secret memory payload deployment and can be used to bypass antivirus, firewall, IDS, IPS products and application whitelist mitigation measures. The reflective payload generated by Amber can be staged from a remote server or executed directly in memory as in common Shellcode.
Amber provides a packaging method that changes the way malware is delivered to the system. Instead of trying to find new anti-detection techniques that provide machine learning datasets, you can simply bypass most security mechanisms by trying to pass the payload to the system through fileless code injection. Using this new packaging approach, compiled PE files can be converted into multi-stage infection payloads that can be used with common software vulnerabilities, such as buffer overflows.
Introducing New Packing Method: First Reflective PE Packer Amber
Exploits/ payloads / hacking
This developer, KPcyrd, has written a series of security tools.
- Sn0int, semi-automatic Advanced Open Resource Intelligence (OSINT) framework and package manager for scanning target IP addresses, email, web sites and organizational information and gathering intelligence information from different message sources.
- Sniffglues, multithreaded network sniffers. Kpcyrd used tcpdump a lot, but he thought it would be nice if the output was friendlier, and wireshark was often bug-prone, as was tcpdump, so he implemented it in Rust.
- Badtouch, a scriptable network authentication cracker.
- Rshijack, rewritten by Rust, implements TCP session hijacking.
Fuzz tools
- Cargo Fuzz, an official Fuzz tool developed by Rust.
- Honggfuzz-rs, Fuzz tool developed by Google.
- Sidefuzz, side channel vulnerability detection tool.
Other tools
- RustSec/advisory- DB, a security advisory database for Rust Crate published through Crates. IO.
- cargo-audit.
Cargo.lockRely on audit tools in. - Cargo – CREV, code Review tool.
- Ripasso, a password management tool.
- Libinjection -rs is the Rust binding of libinjection. Libinjection is a SQL injection tool.
- Lethe, secure, free, cross-platform and open source driver erasure tool.