RIFT Tool from Microsoft Uncovers Malware Hidden in Rust Executables

Microsoft Threat Intelligence Center (MSTIC) has released RIFT, an open-source toolkit designed to streamline reverse engineering of Rust-based malware.

Rust’s memory safety and efficiency have made it a favored language for threat actors, but its static linking and extensive library code create massive binaries—often exceeding 10,000 functions and 3MB in size—obscuring malicious logic.

RIFT automates the identification of attacker-written code, addressing a critical gap in cybersecurity defenses.

Technical Architecture of RIFT

RIFT comprises three integrated components:

  • Static Analyzer: An IDA Pro plugin that extracts Rust compiler metadata (commit hash, dependencies, target OS) and exports it to JSON.
  • Generator: A Python script automating dependency compilation, FLIRT signature generation (using Hex-Rays’ sigmake/pcf), and binary diffing via Diaphora.
  • Diff Applier: An IDA plugin applying diffing results interactively, with demangling support for symbol names.

The tool leverages two pattern-matching approaches:

Method            Advantages                                   Limitations
FLIRT Signatures  Near-zero false positives; rapid annotation  Strict matching requirements
Binary Diffing    Covers modified library code; flexible       Hours-long processing time
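To make the Static Analyzer and Generator steps concrete, here is an added standalone Python example (not RIFT's own code, which runs inside IDA Pro): it pulls the rustc commit hash and the crate names and versions out of the source-path strings that rustc and cargo leave in a compiled binary, infers the target platform from the file's magic bytes, and renders pinned Cargo dependency lines of the kind the Generator needs to rebuild the library code. The regular expressions, the function names and the embedded byte blob standing in for a binary's string table are assumptions constructed for this example.

```python
import re

# Constructed stand-in for the printable strings of a Rust ELF binary
# (commit hash, crate versions and index hash are made up for the example).
SAMPLE_BINARY = b"\x7fELF" + b"\x00" * 12 + b"".join([
    b"/rustc/0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c/library/core/src/fmt/mod.rs\x00",
    b"/home/build/.cargo/registry/src/index.crates.io-6f17d22bba15001f/serde-1.0.197/src/de/mod.rs\x00",
    b"/home/build/.cargo/registry/src/index.crates.io-6f17d22bba15001f/aes-0.8.4/src/lib.rs\x00",
    b"/home/build/.cargo/registry/src/index.crates.io-6f17d22bba15001f/serde-1.0.197/src/ser/mod.rs\x00",
    b"/home/build/.cargo/registry/src/index.crates.io-6f17d22bba15001f/block-modes-0.9.1/src/lib.rs\x00",
    b"src/main.rs\x00",
])

# rustc embeds the toolchain commit in standard-library source paths.
RUSTC_RE = re.compile(rb"/rustc/([0-9a-f]{40})/")
# cargo embeds registry paths of the form .../registry/src/<index>/<crate>-<semver>/...
# The non-greedy crate name lets hyphenated crates such as block-modes parse correctly.
CRATE_RE = re.compile(
    rb"registry/src/[^/\x00]+/([A-Za-z0-9_\-]+?)-(\d+\.\d+\.\d+[0-9A-Za-z.+\-]*)/"
)


def binary_format(data: bytes) -> str:
    """Infer the container format (and hence the likely target OS) from magic bytes."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:4] == b"\x7fELF":
        return "elf"
    if data[:4] in (b"\xcf\xfa\xed\xfe", b"\xfe\xed\xfa\xcf"):
        return "macho"
    return "unknown"


def extract_metadata(data: bytes) -> dict:
    """Collect rustc commit hashes and crate versions referenced by embedded paths."""
    commits = sorted({m.group(1).decode() for m in RUSTC_RE.finditer(data)})
    deps: dict[str, set[str]] = {}
    for m in CRATE_RE.finditer(data):
        name, version = m.group(1).decode(), m.group(2).decode()
        deps.setdefault(name, set()).add(version)
    return {
        "format": binary_format(data),
        "rustc_commits": commits,
        "dependencies": {name: sorted(v) for name, v in sorted(deps.items())},
    }


def cargo_toml_dependencies(meta: dict) -> str:
    """Render a [dependencies] section with exact-version pins, one line per crate.

    Crates seen at several versions get one line per version so the analyst can
    decide which to build; the pin operator '=' keeps cargo from resolving upward.
    """
    lines = ["[dependencies]"]
    for name, versions in meta["dependencies"].items():
        for version in versions:
            lines.append(f'{name} = "={version}"')
    return "\n".join(lines)


if __name__ == "__main__":
    meta = extract_metadata(SAMPLE_BINARY)
    print(meta)
    print(cargo_toml_dependencies(meta))
```

On a real sample you would feed the raw file bytes (or the output of `strings`) in place of the constructed blob; the same path patterns appear in stripped binaries because they come from panic-location strings that the compiler keeps regardless of symbol stripping.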

Rust Malware in the Wild

Financially motivated groups (e.g., BlackCat, Hive) and nation-state actors increasingly use Rust for ransomware and backdoors like SPICA.

A simple Rust downloader binary contains ~10,000 functions vs. <100 in C++, complicating analysis. For example, ransomware simulations use AES-256-CBC encryption, as in this snippet:

```rust
use std::{fs, io};
use aes::Aes256;
use block_modes::{block_padding::Pkcs7, BlockMode, Cbc};

// Type alias the snippet relies on but did not declare.
type Aes256Cbc = Cbc<Aes256, Pkcs7>;

fn encrypt_file(path: &str, key: &[u8; 32], iv: &[u8; 16]) -> io::Result<()> {
    let cipher = Aes256Cbc::new_from_slices(key, iv).unwrap();
    // Read the whole file, encrypt it, and write the result beside the original.
    let ciphertext = cipher.encrypt_vec(&fs::read(path)?);
    fs::write(format!("{}.enc", path), ciphertext)?;
    Ok(())
} // Targets directories recursively[3]
```

Impact and Availability

RIFT slashes analysis time: in tests against RALord ransomware, FLIRT signatures labeled >90% of library functions, letting analysts focus on the malicious payload.

For complex cases like SPICA, binary diffing supplements FLIRT gaps.

The toolkit is open-sourced on GitHub, supporting IDA Pro ≥9.0 and Windows.

As Rust malware surges, tools like RIFT exemplify the industry’s shift toward specialized defenses against evolving threats.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
