SentinelOne and Intezer, have launched a project aimed at illuminating the blind spot surrounding Rust malware so that threat researchers can better understand and accurately characterize the complex malware ecosystem before it reaches critical mass and blindsides the industry. As part of the initiative, researchers from SentinelLabs and Intezer have teamed to develop a methodology to make reverse engineering Rust malware more approachable and engage the security community to create and release tools to tackle the problem head on. The project is known as 0xA11C.
Advertisement
“In malware analysis, the arrival of a new programming language introduces an entirely new set of challenges that obstruct our ability to quickly grasp the malicious intent of a threat actor,” said Juan Andrés Guerrero-Saade, AVP of Research, SentinelLabs. “With the current state of our tooling, Rust is practically impossible to reverse engineer, and as a result, many analysts are shying away from researching the Rust malware ecosystem. Together with Intezer, we aim to change this.”
In 2021, SentinelLabs researchers took a similar approach to address the rise of Go malware, developing a Go malware analysis methodology dubbed ‘AlphaGolang.’ Their efforts revealed that once underlying data is put back in its rightful context, reversing engineering Golang malware can often be easier than malware written with traditional programming languages.
“We’ve observed a similar trend with Rust malware,” said Nicole Fishbein, Security Researcher, Intezer. “The same features of Rust that engineers love, such as memory safety, aggressive compiler optimizations, borrowing, intricate types and traits, translate into a perplexing tangle of code that surpasses even C++ in the complexity of its abstractions. Drawing on insights derived from the development of AlphaGolang, we can gain additional clarity, into the true size of the Rust malware ecosystem and arm reverse engineers with tools to take it head on.”
To learn more about and contribute to Project OxA11C, visit www.sentinelone.com/labs
