Hackers Launch Rust-Based Luca Stealer Targeting Linux and Windows

Cybercriminals are shifting away from traditional programming languages like C and C++ and towards modern alternatives such as Rust, Golang, and Nim, allowing them to write malicious code that can be easily compiled for both Windows and Linux with minimal modifications.

This strategic move enables threat actors to streamline their malware development process, and a newly identified information-stealing malware called “Luca Stealer” is leading the charge, having been built entirely in Rust and released as open-source code.

The rise of Rust-based threats is a growing concern, with malware written in Golang becoming increasingly common, while Rust adoption is still in its early stages but gaining momentum rapidly.

The Rise of Rust-Based Threats

Luca Stealer marks a significant milestone in the evolution of Rust-based malware, joining other notable threats such as the BlackCat ransomware, and its public availability serves as a blueprint for less experienced cybercriminals to study and learn from.

The open-source model of Luca Stealer accelerates the development of new malware variants, forcing security defenders to adapt their analysis techniques to detect these cross-platform threats quickly.

built binary can be opened in a disassembler
built binary can be opened in a disassembler

Analyzing Rust malware presents unique challenges for security researchers, as Rust binaries handle text strings differently, often lacking “null terminators” that usually mark the end of a sentence in computer code.

According to Binary Defence, this causes analysis tools to misinterpret data, resulting in overlapping text and garbled output, and the Rust compiler organizes code in complex ways, making it challenging to locate the malicious program’s main entry point.

However, Rust malware leaves behind distinct digital fingerprints that researchers can leverage, including the presence of “crates” or external software libraries managed by the Rust build system, known as “Cargo).

leak the username of the user who compiled the program depending on where on disk the program was compiled
leak the username of the user who compiled the program depending on where on disk the program was compiled

By examining these embedded text strings, analysts can identify precisely which third-party libraries the malware uses, and careless developers often leave behind “PDB paths” file locations from their own computers that get saved into the malware during the build process.

These paths can reveal the attacker’s username and the directory structure of their development machine, and in a recent analysis of an unknown Rust sample, researchers used these indicators to map out the malware’s capabilities and trace its origins.

Running the “RustDependencyStrings.py” script against the binary reveals the crates
Running the “RustDependencyStrings.py” script against the binary reveals the crates

Indicators of Compromise (IoC)

Indicator Type Value Description
SHA256 8f47d1e39242ee4b528fcb6eb1a89983c27854bac57bc4a15597b37b7edf34a6 Rust-based malware sample hash
Crate Dependency reqwest Library used for HTTP network requests
Crate Dependency base64 Library used for data encoding
File Path library\std\src\sys\windows\stdio.rs Internal Rust library path observed in analysis

Related Articles

Back to top button