Categories: Cyber Security News

RIFT Tool from Microsoft Uncovers Malware Hidden in Rust Executables

Microsoft Threat Intelligence Center (MSTIC) has released RIFT, an open-source toolkit designed to streamline reverse engineering of Rust-based malware.

Rust’s memory safety and efficiency have made it a favored language for threat actors, but its static linking and extensive library code create massive binaries—often exceeding 10,000 functions and 3MB in size—obscuring malicious logic.

RIFT automates the identification of attacker-written code, addressing a critical gap in cybersecurity defenses.

Technical Architecture of RIFT

RIFT comprises three integrated components:

  • Static Analyzer: An IDA Pro plugin that extracts Rust compiler metadata (commit hash, dependencies, target OS) and exports it to JSON.
  • Generator: A Python script automating dependency compilation, FLIRT signature generation (using Hex-Rays’ sigmake/pcf), and binary diffing via Diaphora.
  • Diff Applier: An IDA plugin applying diffing results interactively, with demangling support for symbol names.
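The static analyzer's metadata extraction relies on source paths that rustc and cargo embed in binaries (panic locations, debug strings). As an added illustration, not RIFT's own code, the following Python recovers the compiler commit hash and crate dependency versions from raw bytes; the two path layouts are the standard rustc (`/rustc/<commit>/library/...`) and cargo registry (`.cargo/registry/src/<index>/<crate>-<version>/...`) forms, and the sample blob is constructed for this example.

```python
import json
import re

# Two path patterns that survive in stripped Rust release binaries:
#   /rustc/<40-hex commit>/library/<crate>/src/...        -> compiler commit
#   .cargo/registry/src/<index>/<crate>-<version>/src/... -> dependency + version
# Both forward and back slashes are accepted so Windows-built samples work.
RUSTC_PATH_RE = re.compile(rb"/rustc/([0-9a-f]{40})/library/")
CARGO_DEP_RE = re.compile(
    rb"[\\/]registry[\\/]src[\\/][^\\/]+[\\/]"
    rb"([A-Za-z0-9_-]+?)-(\d+\.\d+\.\d+[0-9A-Za-z.+-]*)[\\/]"
)


def extract_rust_metadata(blob: bytes) -> dict:
    """Return rustc commit(s) and crate->versions seen in the raw bytes."""
    commits = sorted({m.group(1).decode() for m in RUSTC_PATH_RE.finditer(blob)})
    deps: dict[str, set[str]] = {}
    for m in CARGO_DEP_RE.finditer(blob):
        name, version = m.group(1).decode(), m.group(2).decode()
        deps.setdefault(name, set()).add(version)
    return {
        "rustc_commits": commits,
        "dependencies": {k: sorted(v) for k, v in sorted(deps.items())},
    }


# Constructed sample: arbitrary commit hash, two crates, junk bytes in between.
SAMPLE_BLOB = (
    b"MZ\x90\x00junk"
    b"/rustc/0123456789abcdef0123456789abcdef01234567/library/core/src/fmt/mod.rs\x00"
    b"/home/dev/.cargo/registry/src/index.crates.io-6f17d22bba15001f/aes-0.8.3/src/lib.rs\x00"
    b"C:\\Users\\dev\\.cargo\\registry\\src\\index.crates.io-6f17d22bba15001f"
    b"\\block-modes-0.8.1\\src\\lib.rs\x00"
    b"\xff\xfe /rustc/0123456789abcdef0123456789abcdef01234567/library/std/src/io/mod.rs"
)

if __name__ == "__main__":
    # JSON is what the real analyzer hands to the generator for dependency builds.
    print(json.dumps(extract_rust_metadata(SAMPLE_BLOB), indent=2))
```

With the recovered crate list and commit hash, a generator step can compile matching library versions to produce FLIRT signatures or diffing targets.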

The tool leverages two pattern-matching approaches:

| Method | Advantages | Limitations |
| --- | --- | --- |
| FLIRT Signatures | Near-zero false positives; rapid annotation | Strict matching requirements |
| Binary Diffing | Covers modified library code; flexible | Hours-long processing time |

Rust Malware in the Wild

Financially motivated groups (e.g., BlackCat, Hive) and nation-state actors increasingly use Rust for ransomware and backdoors like SPICA.

A simple Rust downloader binary contains ~10,000 functions vs. <100 in C++, which complicates analysis. As an illustration of the malicious logic buried among them, a ransomware simulation using AES-256-CBC file encryption looks like this:

```rust
use std::{fs, io};
use aes::Aes256;
use block_modes::{BlockMode, Cbc, block_padding::Pkcs7};

// AES-256 in CBC mode with PKCS#7 padding, as provided by the block-modes crate
type Aes256Cbc = Cbc<Aes256, Pkcs7>;

fn encrypt_file(path: &str, key: &[u8; 32], iv: &[u8; 16]) -> io::Result<()> {
    let cipher = Aes256Cbc::new_from_slices(key, iv).unwrap();
    let ciphertext = cipher.encrypt_vec(&fs::read(path)?);
    fs::write(format!("{}.enc", path), ciphertext)?;
    Ok(())
} // The simulation walks target directories recursively and calls this per file
```

Impact and Availability

RIFT slashes analysis time: in tests against RALord ransomware, FLIRT signatures labeled >90% of library functions, letting analysts focus on malicious payloads.

For complex cases like SPICA, binary diffing supplements FLIRT gaps.

The toolkit is open-sourced on GitHub, supporting IDA Pro ≥9.0 and Windows.

As Rust malware surges, tools like RIFT exemplify the industry’s shift toward specialized defenses against evolving threats.


The post RIFT Tool from Microsoft Uncovers Malware Hidden in Rust Executables appeared first on Cyber Security News.
