New Rust-based Backdoor Attacking Windows and Linux Systems
Rust’s strong focus on memory safety, which prevents common vulnerabilities such as buffer overflows, makes it a choice for threat actors to use Rust-based backdoors.
Moreover, the performance of this language is appealing to many, and due to this, they prefer using it when creating malware that is both efficient and stealthy.
Not only that, but its quick attack development and support are also well-backed by its community.
Cybersecurity researchers at PolySwarm recently discovered a new rust-based backdoor, KrustyLoader, that is actively attacking Windows and Linux operating systems.
Technical analysis
The cross-platform capabilities of KrustyLoader have recently been highlighted in industry reports targeting Linux and Windows systems.
The fame of the Linux version of KrustyLoader, which appeared towards the end of 2023 to early 2024 directly on Avanti devices, has been blamed on the Chinese-affiliated hacking collective called “UNC5221.”
UNC5221 (aka UTA0178), a China-linked group, mainly focuses on targeted espionage rather than opportunistic attacks.
However, there is limited info available at the moment, but they employ various malware like:-
- CHAINLINE
- FRAMESTING
- WIREFIRE
- LIGHTWIRE
- BUSHWALK
- WARPWIRE
- ZIPLINE
Moreover, there is some evidence that attackers were exploiting ScreenConnect and opted to use it in carrying out their malicious activities using a Windows variant of KrustyLoader.
Exploiting CVE-2024-21887 and CVE-2023-46805, they targeted Ivanti Connect Secure and Policy Secure Gateway.
Rust payloads deployed KrustyLoader, which fetched the post-exploitation tool Sliver.
Although they were patched, the unsecured systems remain vulnerable.
Cybersecurity analysts at WithSecure detected threat actors hijacking ScreenConnect, deploying KrustyLoader’s Windows form.
This Rust-based malware is similar to its Linux cousin that fetches and fires up a secondary payload, frequently called “Sliver.”
In two directories on the compromised system, the threat actors plant r.bat which is a batch file. This script deletes the previous payloads, fetches a random URL hosting KrustyLoader from AWS S3, and then it saves as 1.exe and executes it.
IOCs
- e1c31f503da20c8326b566ec042db1f0d3b56fe3579ae37398ff3f6fa5bc54d2
- 415a70897761c65c3ff59b686d2b1c69a56df06cbf9fbff5dec03751b51d53db
- c26da19e17423ce4cb4c8c47ebc61d009e77fc1ac4e87ce548cf25b8e4f4dc28
- 47ff0ae9220a09bfad2a2fb1e2fa2c8ffe5e9cb0466646e2a940ac2e0cf55d04
- 95ffea9b7c5c2e18f7fc801290d4bb2777c05e468e5b3e513a597c41ec9b36fc
- c7ddd58dcb7d9e752157302d516de5492a70be30099c2f806cb15db49d466026
- 41aa6b45277445d34060d8cd00a528b08636b86605bbafe643357f2614b66887
- e47b86b8df43c8c1898abef15b8b7feffe533ae4e1a09e7294dd95f752b0fbb2
- ef792687b8bcd3c03bed4b09c4722bba921536802afe01f7cdb01cc7c3c60815
- 030eb56e155fb01d7b190866aaa8b3128f935afd0b7a7b2178dc8e2eb84228b0
- f93e9bc9583058d82d2d3fe35117cbb9a553d54e7149846b2dc94446f0836201
- 49062378ab3e4a0d78c6db662efb4dbc680808fb75834b4674809bc8903adaea
- 816754f6eaf72d2e9c69fe09dcbe50576f7a052a1a450c2a19f01f57a6e13c17
- bc7c7280855c384e5a970a2895363bd5c8db9088977d129b180d3acb1ec9148a
You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are incredibly harmful, can wreak havoc, and damage your network.
Source: https://bit.ly/3uS5LZ2