Open-Source Rust Malware Analyzer Released by Microsoft


As cybercriminals and nation-state actors increasingly turn to the Rust programming language for malware development, Microsoft’s Threat Intelligence Center has unveiled a powerful new open-source tool called RIFT to help security analysts combat this growing threat.

Rust, renowned for its speed, memory safety, and robustness, is now being adopted by malware authors precisely because those same properties make the resulting binaries harder to detect and analyze.

Microsoft’s release of RIFT marks a significant step forward in equipping the cybersecurity community with specialized tools to keep pace with evolving threats.

Timeline of Rust-based threats

The Challenge of Rust-Based Malware

Rust’s unique features—such as memory safety, concurrency, and static linking—make it an attractive choice for both legitimate developers and malicious actors. However, these same qualities present major hurdles for malware analysts.

Rust binaries are typically statically linked, embedding all dependencies directly into the executable. This results in much larger binaries with thousands of functions—far more than comparable programs written in traditional languages like C++.

For instance, a simple downloader program compiled in C++ may contain fewer than 100 functions and a binary size under 20 KB, while the same program in Rust can balloon to nearly 10,000 functions and over 3 MB in size.

This complexity makes it extremely difficult for analysts to distinguish between standard library code and attacker-authored logic.

Overview of Rust developer toolset

The process of reverse engineering Rust malware is not only time-consuming but also requires advanced expertise and specialized tooling.

Microsoft’s researchers highlighted that this growing trend has led to a proliferation of sophisticated Rust-based malware families, including ransomware like BlackCat and RALord, as well as information stealers and backdoors such as SPICA.

Introducing RIFT: Tools for the Modern Analyst

To address these challenges, Microsoft developed RIFT, an open-source toolkit designed to automate and streamline the analysis of Rust binaries. RIFT consists of three main components:

  • RIFT Static Analyzer: An IDA Pro plugin that extracts metadata from Rust binaries, including the Rust compiler version, dependencies, target architecture, and operating system. This information is stored in a JSON file for further processing.
  • RIFT Generator: A Python script that automates the downloading of the correct Rust compiler and libraries, generates FLIRT signatures for library identification, and performs binary diffing using tools like Diaphora.
  • RIFT Diff Applier: Another IDA Pro plugin that applies the results of FLIRT signatures and binary diffing directly within IDA, allowing analysts to quickly identify and label library functions in the malware.
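The metadata extraction step described above relies on strings that Rust binaries embed for panic locations: the compiler's own source paths carry the rustc commit hash, and Cargo registry paths carry each crate's name and version. The following Python is an added illustration of that idea and is not RIFT's own code; the sample bytes, the commit hash and the crate versions are constructed placeholders, and mapping a commit hash to a rustc release number (which RIFT does) is left out.

```python
import json
import re

# Constructed sample bytes imitating the path strings a Rust binary embeds for
# panic locations; the commit hash and crate versions are placeholders, not a
# real sample.
SAMPLE_BINARY = (
    b"\x00\x00/rustc/0123456789abcdef0123456789abcdef01234567/library/core/src/fmt/mod.rs\x00"
    b"\x01\x02junk\x03"
    b"/home/dev/.cargo/registry/src/index.crates.io-6f17d22bba15001f/serde-1.0.197/src/de/mod.rs\x00"
    b"C:\\Users\\dev\\.cargo\\registry\\src\\index.crates.io-6f17d22bba15001f\\tokio-util-0.7.10\\src\\lib.rs\x00"
    b"/home/dev/.cargo/registry/src/index.crates.io-6f17d22bba15001f/serde-1.0.197/src/ser/mod.rs\x00"
)

# rustc embeds its own source paths as /rustc/<commit>/library/...; the commit
# identifies the exact compiler build (resolving it to a version number needs
# the rust-lang/rust release tags, which this example does not include).
RUSTC_RE = re.compile(rb"/rustc/([0-9a-f]{40})/library/")
# Cargo registry paths look like .../registry/src/<index>/<crate>-<semver>/...
# on both Unix and Windows, so accept either path separator.
CRATE_RE = re.compile(
    rb"registry[/\\]src[/\\][^/\\]+[/\\]"
    rb"([A-Za-z0-9_-]+?)-(\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.]+)?)[/\\]"
)


def extract_rust_metadata(data: bytes) -> dict:
    """Recover the compiler commit and crate dependencies from raw binary bytes."""
    commits = {m.group(1).decode() for m in RUSTC_RE.finditer(data)}
    # Deduplicate: the same crate appears once per source file referenced.
    crates = {
        (m.group(1).decode(), m.group(2).decode()) for m in CRATE_RE.finditer(data)
    }
    return {
        "rustc_commit": sorted(commits)[0] if commits else None,
        "crates": [{"name": n, "version": v} for n, v in sorted(crates)],
    }


def metadata_json(data: bytes) -> str:
    """Serialise the result as JSON for a downstream signature-generation step."""
    return json.dumps(extract_rust_metadata(data), indent=2)


if __name__ == "__main__":
    print(metadata_json(SAMPLE_BINARY))
```

On a real sample the same regexes run over the whole file; the crate list is what tells an analyst which library sources to fetch and signature so that only the remaining functions need manual attention.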

RIFT leverages two primary techniques for pattern matching: FLIRT signatures and binary diffing.

FLIRT signatures are fast, reliable, and produce low false positives, but they only work when the code in the malware closely matches the original library code.

Overview of RIFT Static Analyzer

Binary diffing, on the other hand, is more flexible and can identify similarities even when code has been slightly altered, though it is more time-consuming and can take several hours to complete.

In real-world tests, Microsoft applied RIFT to analyze RALord ransomware. The tool successfully extracted compiler information and dependencies, generated FLIRT signatures, and applied them within IDA Pro.

Phases of RIFT Generator

This enabled analysts to quickly isolate and focus on the malware’s malicious logic, significantly reducing analysis time. For deeper analysis, such as with the SPICA backdoor, RIFT combined both FLIRT signatures and binary diffing to fill in gaps and provide a more comprehensive view of the codebase.

By open-sourcing RIFT, Microsoft aims to foster collaboration and innovation within the cybersecurity community.

The tool is available for free on GitHub, supporting IDA Pro versions 9.0 and above, with the RIFT Generator tested on Windows 10, 64-bit systems.

Microsoft’s ongoing commitment to research and development underscores the importance of advanced security measures to combat increasingly sophisticated cyber threats.

The release of RIFT is a timely response to the evolving threat landscape, ensuring that security professionals have the tools they need to defend against the growing wave of Rust-based malware.
