Explainer: Why cyberattackers are increasingly launching attacks in Rust programming language

Cyberattackers have a new exploitation tool Rust programming language. Popular ransomware and malware families on the dark web such as BlackCat (ALPHV), Hive, Luna, RansomExx and Agenda are increasingly launching attacks coded in Rust language which are evading traditional threat detection solutions and are difficult for cybersecurity professionals to reverse engineer. Nearly 10-15% of ransomware attacks today are estimated to be coded using Rust.

ET dissects the history of Rust language and how it is acting as both a friend and foe for developers.

What is Rust language?

Founded in 2015, Rust is a powerful coding language released by the Rust Foundation backed by five companies – AWS, Huawei, Google, Microsoft and Mozilla. According to Stack Overflow’s annual developer survey 2023, Rust has been “the most desired programming language” for eight years in a row with more than 80% of developers wanting to use it.

According to SlashData, there were about 2.8 million Rust developers worldwide in 2023, with a threefold jump in numbers over the past two years.

What makes it so popular?
GitHub attributes Rust’s popularity to “safety, performance and productivity” over other coding languages such as C, C++, Python and JavaScript. Sanjay Katkar, joint managing director at Quick Heal Technologies, said Rust’s most crucial advantage is memory safety which prevents buffer overflows. It also offers concurrency as well as zero-cost abstractions, allowing developers to write efficient and thread-safe code, he said.

Why do cyberattackers use Rust?
“Rust compilers make it very complex to reverse engineer any kind of a malicious binary that has been coded,” said Anshuman Sharma, director, cybersecurity consulting services at Verizon Business. “The detection or doing the autopsy of a malicious binary becomes complex and time consuming.”

Predator group Luna, for instance, is using two encryption algorithms within one same malware, Daffy Hellman and AES encryption, which has not been seen before. “This makes it complex for generally used debuggers and disassemblers to reverse engineer and see what the code is doing,” Sharma said.

“Cybersecurity researchers have uncovered various instances of Rust-based malware, including remote access trojans targeting Windows systems, backdoors with cross-platform capabilities, etc.,” said Vaibhav Tare, chief information security officer, Fulcrum Digital.

One example, he said, is Rust-based threats like Rustruck, a wiper malware capable of destroying data on compromised systems, “showcasing the language's potential for cybercriminal abuse”.
“The absence of memory leaks or crashes ensures that the ransomware remains persistent and effective, making it harder for detection and removal by security tools,” said Quick Heal’s Katkar.

What can security professionals do?
As traditional defence mechanisms struggle to detect and mitigate threats built with modern programming languages, organisations need to invest “in advanced threat detection techniques, threat intelligence sharing and collaboration among security researchers”, said Katkar. Next-gen anti malware systems can detect and suppress “even the most well obfuscated pieces of malware – regardless of programming language used,” said Aaron Bugal, field chief technology officer – APJ, Sophos.