Tag Archive for: Rust

Israel-Hamas War Spotlight: Shaking the Rust Off SysJoker


Key Findings

  • Check Point Research is actively tracking the evolution of SysJoker, a previously publicly unattributed multi-platform backdoor, which we assess was utilized by a Hamas-affiliated APT to target Israel.
  • Among the most prominent changes is the shift to Rust language, which indicates the malware code was entirely rewritten, while still maintaining similar functionalities. In addition, the threat actor moved to using OneDrive instead of Google Drive to store dynamic C2 (command and control server) URLs.
  • Analysis of newly discovered variants of SysJoker revealed ties to previously undisclosed samples of Operation Electric Powder, a set of targeted attacks against Israeli organizations between 2016-2017 that were loosely linked to the threat actor known as Gaza Cybergang.

Introduction

Amid tensions in the ongoing Israel-Hamas war, Check Point Research has been conducting active threat hunting in an effort to discover, attribute, and mitigate relevant regional threats. Among those, some new variants of the SysJoker malware, including one coded in Rust, recently caught our attention. Our assessment is that these were used in targeted attacks by a Hamas-related threat actor.

SysJoker, initially discovered by Intezer in 2021, is a multi-platform backdoor with multiple variants for Windows, Linux and Mac. The same malware was also analyzed in another report a few months after the original publication. Since then, SysJoker Windows variants have evolved enough to stay under the radar.

As we investigated the newer variants of SysJoker that were utilized in targeted attacks in 2023, we discovered a variant written in Rust, which suggests the malware code was completely rewritten. In addition, we uncovered behavioral similarities with another campaign named Operation Electric Powder, which targeted Israel in 2016-2017. This campaign was previously linked to Gaza Cybergang (aka Molerats), a threat actor operating in conjunction with Palestinian interests.

In this article, we drill down into the Rust version of SysJoker, as well as disclose additional information on other SysJoker Windows variants and their attribution.

Rust SysJoker…

Source…

Microsoft applies coat of Rust to Azure Sphere IoT platform • The Register


Developers can now use the Rust programming language when creating applications on Azure Sphere platform for internet-connected devices.

Programmers can apply the performance and security capabilities within Rust to make software for Internet of Things devices and other embedded systems that can be the target of botnets and other malware.

Want to try a null-pointer dereference? Not gonna happen! For embedded systems this is a lifeline…

“Rust and Azure Sphere are a good match – a programming language that can improve safety of code with strict compile time safety checks alongside Azure Sphere’s secure identity, update, and end-to-end encrypted communication services for internet-connected devices should provide greater security to the customer applications,” Akshatha Udayashankar, an embedded software engineer at Microsoft, wrote in a blog post this week.

The move by Microsoft – which previewed the idea in June 2022 – comes the same week Google said it will support third-party Rust libraries in its open-source Chromium project. Like Microsoft, Google touted the security features in the programming language.

As our sister site DevClass wrote at the time, the attraction is not just safety. “Other factors include a greater likelihood of correctness, as a side-effect of safety guarantees, and more reliable concurrency. Rust’s ‘rich type system’ assists in writing expressive code.”

Azure Sphere already includes built-in security features for internet-connected devices and comprises hardware built atop chips from MediaTek and a Linux-based operating system. In addition, it includes the cloud-based Azure Sphere Security Services (AS3) that creates a secure connection between the devices and the internet or cloud.

AS3 ensures secure boot, device identity authentication, trust in the software, and certification that the devices are running trusted code. It also enables Microsoft to securely download updates to…

Source…

Nokoyawa Ransomware: Rust or Bust


Key Points

  • Nokoyawa is a 64-bit Windows-based ransomware family that emerged in February 2022
  • The threat group behind Nokoyawa performs double extortion ransomware attacks: exfiltrating sensitive information from organizations, followed by file encryption and a ransom payment demand
  • Nokoyawa was initially written in the C programming language using Elliptic Curve Cryptography (ECC) with SECT233R1 and Salsa20 for file encryption
  • In September 2022, Nokoyawa was rewritten in the Rust programming language using ECC with Curve25519 and Salsa20 for file encryption
  • The Rust-based Nokoyawa ransomware 2.0 provides threat actors with runtime flexibility via a configuration parameter that is passed via the command line

Nokoyawa ransomware was discovered in February 2022, sharing code with another ransomware family known as Karma. Nokoyawa ransomware’s lineage can further be traced back to Nemty ransomware. The original version of Nokoyawa ransomware was written in the C programming language, and file encryption utilized asymmetric Elliptic Curve Cryptography (ECC) with Curve SECT233R1 (a.k.a. NIST B-233) using the Tiny-ECDH open source library, combined with a per-file Salsa20 symmetric key. Nokoyawa ransomware 2.0 still uses Salsa20 for symmetric encryption, but the elliptic curve was replaced with Curve25519.

Nokoyawa 2.0 was developed using the Rust programming language and appears to have been created in late September 2022. Nokoyawa is not the first ransomware family to be written in Rust. Previously, the Hive ransomware author migrated from the Go (a.k.a. Golang) programming language to Rust. The BlackCat/ALPHV ransomware family is also compiled in Rust. The increase in the popularity of the Rust programming language may be due to its emphasis on performance and concurrency, which can make a ransomware’s file encryption more efficient. Similar to the previous version of Nokoyawa, the Rust variant is compiled only for 64-bit versions of Windows.

This blog provides a technical analysis of Nokoyawa 2.0 including its new configuration, encryption algorithms, and data leak site.

Technical Analysis

Nokoyawa 2.0 cannot be executed without providing the required command-line arguments…

Source…

RansomExx Ransomware upgrades to Rust programming language • Security Affairs


RansomExx ransomware is the latest ransomware to have a version written entirely in the Rust programming language.

The operators of the RansomExx ransomware (aka Defray777 and Ransom X) have developed a new variant of their malware, tracked as RansomExx2, that was ported into the Rust programming language.

The move follows the decision of other ransomware gangs, like Hive, Blackcat, and Luna, to rewrite their ransomware in the Rust programming language.

The main reason to rewrite malware in Rust is to have lower AV detection rates, compared to malware written in more common languages.

RansomExx2 was developed to target the Linux operating system, but experts believe that the ransomware operators are already working on a Windows version.

The RansomExx operation has been active since 2018; its victims include government agencies, the computer manufacturer and distributor GIGABYTE, and the Italian luxury brand Zegna. RansomExx is operated by the DefrayX threat actor group (Hive0091); the group also developed the PyXie RAT, Vatet loader, and Defray ransomware strains.

The functionality implemented in RansomExx2 is very similar to previous RansomExx Linux variants.

“RansomExx2 has been completely rewritten using Rust, but otherwise, its functionality is similar to its C++ predecessor. It requires a list of target directories to encrypt to be passed as command line parameters and then encrypts files using AES-256, with RSA used to protect the encryption keys,” reads the analysis published by IBM Security X-Force.

The ransomware iterates through the specified directories, enumerating and encrypting files. The malware encrypts any file greater than or equal to 40 bytes and gives a new file extension to each file.

RansomExx2 encrypts files using the AES-256 algorithm and drops a ransom note in each encrypted directory.


“RansomExx is yet another major ransomware family to switch to Rust in 2022 (following similar efforts with Hive and Blackcat),” concludes the report. “While these latest changes by RansomExx may not represent a significant upgrade in functionality, the switch…

Source…