Microsoft has released RIFT (Rust Identification and Function Tagging), a groundbreaking open-source tool designed to help cybersecurity analysts identify and analyze malware concealed within Rust binaries.
Summary
1. RIFT - Microsoft's open-source tool to analyze Rust-based malware like BlackCat and Hive ransomware.
2. Rust binaries have 10,000+ functions, making traditional malware analysis difficult.
3. Three-part system with IDA Pro integration for metadata extraction and signature generation.
4. Successfully tested on real malware, it helps analysts focus on malicious code only.
The cybersecurity community has witnessed a significant shift toward Rust-based malware development over the past five years.
Notable examples include the BlackCat ransomware in December 2021, followed by Hive ransomware being rewritten in Rust in June 2022.
More recently, the AsyncRAT malware family and RALord ransomware have adopted Rust, demonstrating the language’s growing appeal among cybercriminals.
Rust’s memory safety, type safety, and concurrency features make it attractive for legitimate development, but these same characteristics create substantial challenges for malware analysts.
Unlike programs written in languages such as C++, Rust binaries are typically statically linked, so they incorporate extensive library code that can bloat an executable to over 3MB with nearly 10,000 functions, whereas a comparable C++ program may contain fewer than 100 functions and be under 20KB in size.
RIFT addresses these challenges through a sophisticated three-component architecture designed for IDA Pro integration.
The RIFT Static Analyzer serves as an IDA Pro plugin that extracts critical metadata, including the Rust compiler commit hash, embedded dependencies, target architecture, and operating system information from binary files.
The RIFT Generator component automates the most complex processes, including FLIRT signature generation and binary diffing.
It functions as a wrapper around essential tools, including Cargo (the Rust package manager), the Hex-Rays FLAIR tools (sigmake.exe and pcf.exe), IDA's command-line interface (idat.exe), and the open-source Diaphora tool.
This automation enables the extraction and processing of COFF files and RLIB files (a Rust-specific archive format similar to TAR).
The RIFT Diff Applier provides analysts with an interactive interface for applying binary diffing results, operating in both interactive and auto-rename modes with configurable similarity thresholds, according to the advisory.
Field testing of RIFT on real-world threats like RALord ransomware and SPICA backdoor has demonstrated significant efficiency improvements.
The tool successfully distinguishes between attacker-written code and standard library functions, allowing analysts to focus on malicious logic rather than spending time identifying benign library code.
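The two ideas above, recovering toolchain and dependency metadata from a binary's leftover strings (as the RIFT Static Analyzer does) and then separating library code from the author's own functions, can be sketched in a few lines. This is an added illustration written for this article, not RIFT's code or any Microsoft code; the byte blob, the symbol names, the crate `sample_payload` and the rustc commit hash are all constructed, and it assumes only the well-known `/rustc/<hash>/library/...` and `.cargo/registry/src/<index>/<crate>-<version>/` path layouts that the Rust toolchain embeds.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of path strings that survive in a statically linked Rust
# binary: a std panic-location path (carrying the rustc commit hash) and Cargo
# registry paths for dependencies. The commit hash is made up, not a real one.
SAMPLE_BINARY = (
    b"\x00/rustc/" + b"deadbeef" * 5 + b"/library/core/src/fmt/mod.rs\x00"
    b"/home/b/.cargo/registry/src/index.crates.io-6f17d22bba15001f/serde-1.0.197/src/de/mod.rs\x00"
    b"C:\\Users\\b\\.cargo\\registry\\src\\index.crates.io-6f17d22bba15001f\\tokio-1.36.0\\src\\lib.rs\x00"
    b"/home/b/.cargo/registry/src/index.crates.io-6f17d22bba15001f/serde-1.0.197/src/ser/mod.rs\x00"
)
# Constructed demangled symbol names; "sample_payload" stands in for the author's own crate.
SAMPLE_SYMBOLS = [
    "core::fmt::write", "std::io::Write::write_all",
    "<alloc::vec::Vec<u8> as core::ops::drop::Drop>::drop",
    "serde::de::Deserialize::deserialize", "tokio::runtime::Runtime::block_on",
    "sample_payload::main", "sample_payload::run_loop",
]

RUSTC_HASH_RE = re.compile(rb"/rustc/([0-9a-f]{40})/")
CRATE_RE = re.compile(rb"cargo/registry/src/[^/]+/([A-Za-z0-9_-]+)-(\d+\.\d+\.\d+[0-9A-Za-z.+-]*)/")
SYSROOT_CRATES = {"core", "alloc", "std", "proc_macro"}  # assumption: treat these as library code

def extract_rust_metadata(blob: bytes) -> Tuple[Optional[str], Dict[str, Set[str]]]:
    """Return (rustc commit hash or None, {crate name: set of versions seen})."""
    normalized = blob.replace(b"\\", b"/")  # Windows builds embed backslash paths
    m = RUSTC_HASH_RE.search(normalized)
    commit = m.group(1).decode() if m else None
    crates: Dict[str, Set[str]] = {}
    for name, version in CRATE_RE.findall(normalized):
        crates.setdefault(name.decode(), set()).add(version.decode())
    return commit, crates

def split_user_symbols(symbols: List[str], crates: Dict[str, Set[str]]) -> Tuple[List[str], List[str]]:
    """Partition demangled symbol paths into (library, user-written) by leading crate name."""
    known = SYSROOT_CRATES | set(crates)
    library, user = [], []
    for sym in symbols:
        crate = sym.lstrip("<").split("::", 1)[0]  # "<alloc::vec::Vec<T> as ...>::drop" -> alloc
        (library if crate in known else user).append(sym)
    return library, user

if __name__ == "__main__":
    commit, crates = extract_rust_metadata(SAMPLE_BINARY)
    lib, user = split_user_symbols(SAMPLE_SYMBOLS, crates)
    print(f"rustc commit: {commit}\ncrates: {crates}\nuser functions to review: {user}")
```

Two versions of the same crate showing up in the map is itself a useful signal, since it usually means a dependency was vendored twice and signature generation should cover both.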
RIFT’s FLIRT signature approach provides highly reliable annotation with a low false-positive rate, while the binary diffing methodology offers broader coverage in cases where strict signature matching fails.
This dual approach ensures comprehensive analysis capabilities across different malware variants and compilation scenarios.
By open-sourcing RIFT, Microsoft aims to strengthen global cybersecurity defenses against the rising threat of Rust-based malware, providing the security community with essential tools to combat increasingly sophisticated cyber threats.
The post RIFT – Microsoft’s New Open-Source Tool to Analyze Malware in Rust Binaries appeared first on Cyber Security News.