New Rust-based Backdoor Attacking Windows and Linux Systems

Rust’s strong focus on memory safety, which prevents common vulnerabilities such as buffer overflows, makes it a choice for threat actors to use Rust-based backdoors.

Moreover, the performance of this language is appealing to many, and due to this, they prefer using it when creating malware that is both efficient and stealthy.

Not only that, but its quick attack development and support are also well-backed by its community.

Cybersecurity researchers at PolySwarm recently discovered a new rust-based backdoor, KrustyLoader, that is actively attacking Windows andLinux operating systems.

Technical analysis

The cross-platform capabilities of KrustyLoader have recently been highlighted in industry reports targeting Linux and Windows systems.

Document

Are you from SOC and DFIR teams? – Join With 400,000 independent Researchers

Malware analysis can be fast and simple. Just let us show you the way to:

• Interact with malware safely

• Set up virtual machine in Linux and all Windows OS versions

• Work in a team

• Get detailed reports with maximum data

The fame of the Linux version of KrustyLoader, which appeared towards the end of 2023 to early 2024 directly on Avanti devices, has been blamed on the Chinese-affiliated hacking collective called “UNC5221.”

UNC5221 (aka UTA0178), a China-linkedgroup, mainly focuses on targeted espionage rather than opportunistic attacks.

However, there is limited info available at the moment, but they employ various malware like:-

• CHAINLINE

• FRAMESTING

• WIREFIRE

• LIGHTWIRE

• BUSHWALK

• WARPWIRE

• ZIPLINE

Moreover, there is some evidence that attackers were exploiting ScreenConnect and opted to use it in carrying out their malicious activities using a Windows variant of KrustyLoader.

Exploiting CVE-2024-21887 and CVE-2023-46805, they targeted Ivanti Connect Secure and Policy Secure Gateway.

Rust payloads deployed KrustyLoader, which fetched the post-exploitation tool Sliver.

Although they were patched, the unsecured systems remain vulnerable.

Cybersecurity analysts at WithSecure detected threat actors hijacking ScreenConnect, deploying KrustyLoader’s Windows form.

This Rust-based malware is similar to its Linux cousin that fetches and fires up a secondary payload, frequently called “Sliver.”

In two directories on the compromised system, the threat actors plant r.bat which is a batch file. This script deletes the previous payloads, fetches a random URL hosting KrustyLoader from AWS S3, and then it saves as 1.exe and executes it.

IOCs

• e1c31f503da20c8326b566ec042db1f0d3b56fe3579ae37398ff3f6fa5bc54d2

• 415a70897761c65c3ff59b686d2b1c69a56df06cbf9fbff5dec03751b51d53db

• c26da19e17423ce4cb4c8c47ebc61d009e77fc1ac4e87ce548cf25b8e4f4dc28

• 47ff0ae9220a09bfad2a2fb1e2fa2c8ffe5e9cb0466646e2a940ac2e0cf55d04

• 95ffea9b7c5c2e18f7fc801290d4bb2777c05e468e5b3e513a597c41ec9b36fc

• c7ddd58dcb7d9e752157302d516de5492a70be30099c2f806cb15db49d466026

• 41aa6b45277445d34060d8cd00a528b08636b86605bbafe643357f2614b66887

• e47b86b8df43c8c1898abef15b8b7feffe533ae4e1a09e7294dd95f752b0fbb2

• ef792687b8bcd3c03bed4b09c4722bba921536802afe01f7cdb01cc7c3c60815

• 030eb56e155fb01d7b190866aaa8b3128f935afd0b7a7b2178dc8e2eb84228b0

• f93e9bc9583058d82d2d3fe35117cbb9a553d54e7149846b2dc94446f0836201

• 49062378ab3e4a0d78c6db662efb4dbc680808fb75834b4674809bc8903adaea

• 816754f6eaf72d2e9c69fe09dcbe50576f7a052a1a450c2a19f01f57a6e13c17

• bc7c7280855c384e5a970a2895363bd5c8db9088977d129b180d3acb1ec9148a