WORKSHOP: Reversing a (not-so-) Simple Rust Loader

Cindy Xiao

ABSTRACT

Rust is now a commonly encountered language for both legitimate software and malware. However, even experienced reverse engineers still struggle with simple Rust binaries. In this workshop, we'll be reversing a Rust malware sample: a loader for some information stealer malware, found in the wild. Even though this loader has really straightforward functionality, it still has a few twists for the reverse engineer: obfuscated strings and a decoy payload. We'll walk through reversing this sample together, and cover some key Rust reversing concepts along the way: threads in Rust binaries, dynamic dispatch, and type recovery. By the end of this workshop, you should know where to get more information about Rust structures and types, know a few tricks for finding interesting landmarks in Rust binaries, and be much more confident in approaching Rust binaries!

Description

In this workshop, we will be statically reversing the following publicly available malware sample:

https://bazaar.abuse.ch/sample/2f2b93d37d67b80b4faaf25bebe4e3cbaf7aca35328aeb66da6a1a9b44316f5b/

This is a loader for an information stealer. Both the loader stage and the information stealer stage are written in Rust. We will be reversing just the loader stage, walking through its basic execution flow and how it finds and deobfuscates the payload. We will also be examining a few of the anti-static-analysis tricks it uses, including obfuscated strings and a decoy payload.

Requirements

  • The workshop will be conducted using Binary Ninja. While the basic principles apply to any static RE tool, it's recommended to follow along with a copy of Binary Ninja. You can use any computer that fulfils the system requirements for Binary Ninja.
  • We will be handling malware samples. We will only be analyzing the sample statically. However, to limit the potential damage of an accidental execution, working inside a virtual machine or on a non-Windows machine is recommended.

Cindy Xiao

Cindy Xiao is an experienced malware analyst, security researcher, and software developer. She has given talks and workshops on malware reverse engineering, and specifically Rust reverse engineering, at leading cybersecurity conferences, including REcon, RE//verse, and NorthSec.

MORE FROM RINGZER0 COUNTERMEASURE25