The RansomExx group has rewritten its ransomware in Rust


IBM Security X-Force threat researchers report that the RansomExx ransomware group has switched to the Rust programming language, a move that currently helps its payloads evade antivirus detection.

According to IBM Security X-Force reverse engineer Charlotte Hammond, Rust-based malware currently has lower antivirus detection rates, making it easier for attackers to bypass endpoint protection. The new sample analyzed for the IBM report was flagged by only 14 of more than 60 engines on VirusTotal.

The researchers stressed that RansomExx is not merely patching or porting its existing code base: the group rewrote the ransomware from scratch in a new language, with a different syntax and a different set of libraries.

IBM attributes the PyXie malware, the Vatet downloader and the Defray ransomware to the same developers. The new Rust-based variant, tracked as RansomExx2, has builds for Linux and Windows.

IBM added that several other ransomware groups have already produced Rust versions of their payloads, including BlackCat, Hive and Zeon.

The researchers said that Rust's popularity among malware authors has grown steadily over the past year because of its cross-platform support and low detection rates. Rust's compilation process also produces more complex binaries, which take reverse engineers longer to analyze.

The lower antivirus detection rates for Rust binaries follow from the language still being comparatively rare in malware: vendors have fewer signatures for it and fewer samples on which to train their detection systems, Hammond says.
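One way defenders can narrow that gap without waiting for per-sample signatures is to look for the artifacts the Rust toolchain itself leaves behind. The script below is an added example, not code from IBM X-Force or from the RansomExx operators: it scans raw file bytes for several independent Rust build artifacts (vendored std/core source paths, the legacy symbol-mangling hash suffix, canonical panic strings, Cargo registry paths) and flags a file as Rust-compiled only when at least two distinct kinds are present. The two sample "binaries" are constructed byte strings with placeholder hashes, not real malware or real rustc commit hashes; the regexes encode well-known toolchain conventions, and the threshold of two artifact kinds is this example's own choice.

```python
"""Heuristic triage: does this binary look like it was compiled from Rust?

Added example; not code from IBM X-Force or the RansomExx operators.
Unstripped Rust release builds carry recognisable toolchain artifacts, so
matching several of them at once gives a cheap, language-level check that
does not depend on having a signature for any particular sample. The sample
inputs below are constructed byte strings, not real files.
"""
import re
import sys
from dataclasses import dataclass, field

# Each pattern runs over raw bytes, so PE and ELF files are handled alike.
RUST_ARTIFACTS = {
    # Panic-location paths point into the toolchain's vendored std/core sources:
    # /rustc/<40-hex commit hash>/library/core/src/...
    "rustc_src_path": re.compile(rb"/rustc/[0-9a-f]{40}/library/"),
    # Legacy Rust mangling ends every symbol with a 17h<16 hex>E hash suffix;
    # C++ Itanium symbols also start with _ZN but lack that suffix.
    "legacy_mangled_symbol": re.compile(rb"_ZN[0-9A-Za-z_$.]+17h[0-9a-f]{16}E"),
    # Canonical core::option / core::result panic messages.
    "panic_message": re.compile(
        rb"called `(?:Option::unwrap\(\)` on a `None`|Result::unwrap\(\)` on an `Err`) value"
    ),
    # Dependency source paths from the developer's Cargo registry cache.
    "cargo_registry_path": re.compile(rb"\.cargo[/\\]registry[/\\]src[/\\]"),
}

# Require two independent artifact kinds before calling it Rust: a single
# string is too easy to hit by accident, or to plant deliberately.
MIN_ARTIFACT_KINDS = 2


@dataclass
class RustTriage:
    matched: dict = field(default_factory=dict)  # artifact name -> first hit

    def is_rust(self) -> bool:
        return len(self.matched) >= MIN_ARTIFACT_KINDS


def triage_rust_binary(blob: bytes) -> RustTriage:
    """Return which Rust toolchain artifacts appear in the raw file bytes."""
    result = RustTriage()
    for name, pattern in RUST_ARTIFACTS.items():
        hit = pattern.search(blob)
        if hit:
            result.matched[name] = hit.group(0).decode("ascii", "replace")
    return result


def triage_file(path: str) -> RustTriage:
    with open(path, "rb") as fh:
        return triage_rust_binary(fh.read())


# Constructed stand-ins for an unstripped Rust ELF and a plain C/C++ ELF.
# All hash values are placeholders, not real rustc commits or crate hashes.
CONSTRUCTED_RUST_SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 24
    + b"/rustc/0123456789abcdef0123456789abcdef01234567/library/core/src/option.rs\x00"
    + b"called `Option::unwrap()` on a `None` value\x00"
    + b"_ZN4core6option13expect_failed17h0123456789abcdefE\x00"
    + b"/home/build/.cargo/registry/src/example-index/somecrate-1.0.0/src/lib.rs\x00"
)
CONSTRUCTED_C_SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 24
    + b"GCC: (GNU) 12.2.0\x00__libc_start_main\x00printf\x00"
    + b"_ZNSt8ios_base4InitC1Ev\x00"  # C++ symbol: _ZN prefix, no Rust hash suffix
)

if __name__ == "__main__":
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            t = triage_file(path)
            print(f"{path}: rust={t.is_rust()} artifacts={sorted(t.matched)}")
    else:
        for label, blob in (("rust-like", CONSTRUCTED_RUST_SAMPLE), ("c-like", CONSTRUCTED_C_SAMPLE)):
            t = triage_rust_binary(blob)
            print(f"{label}: rust={t.is_rust()} artifacts={sorted(t.matched)}")
```

Run it with no arguments to see the two constructed samples classified, or pass file paths to triage real binaries. The caveat a practitioner should keep in mind is the same one the article makes about signatures: these strings are artifacts of an unmodified toolchain, and an operator who strips symbols, builds with panic=abort, or rewrites embedded paths removes them. Treat a positive as a triage hint for deeper analysis, not as a verdict, and expect to revise the patterns as the toolchain (and its abusers) change.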

“If Rust continues to be used by malware developers, then antivirus vendors will begin to increase their ability to detect it, and therefore its advantages over other languages will decrease. Then the hackers will switch to other languages,” Hammond said.