Microsoft’s Threat Intelligence Center has unveiled a powerful new open-source tool called RIFT to combat growing threats. As cybercriminals and nation-state actors increasingly turn to the Rust programming language for their malware development. Rust is renowned for its speed, memory safety, and robustness, making malware harder to detect and to analyze. This important release helps security analysts keep pace with the many sophisticated and constantly evolving digital threats.
Rust’s unique features like memory safety and static linking make it an attractive choice for malicious actors. However, these same qualities present major hurdles for the malware analysts who are reverse engineering the code. Rust binaries are typically statically linked, which embeds all dependencies directly into the final compiled executable file. This results in much larger binaries with thousands of functions, far more than comparable programs written in C++. This complexity makes it extremely difficult for analysts to distinguish between standard library code and attacker-authored logic. The process of reverse engineering Rust malware is not only time-consuming but also requires very advanced technical expertise.
Microsoft’s release of RIFT marks a significant step forward in equipping the entire cybersecurity community with new tools.
To address these significant challenges, Microsoft developed RIFT, an open-source toolkit designed to automate and to streamline the analysis. The new toolkit consists of three main components: a static analyzer, a generator, and a diff applier. RIFT leverages two primary techniques for pattern matching, which include FLIRT signatures and also advanced binary diffing. In real-world tests, Microsoft applied RIFT to analyze the RALord ransomware and it successfully extracted compiler information. This process enabled analysts to quickly isolate and focus on the malware’s malicious logic, significantly reducing analysis time.
By open-sourcing RIFT, Microsoft now aims to foster collaboration and true innovation within the cybersecurity research community.
The powerful new tool is available for free on GitHub, supporting IDA Pro versions 9.0 and above. Microsoft’s ongoing commitment to research and development underscores the importance of advanced security measures to combat these threats. The release of RIFT is a timely response to the evolving threat landscape and the growing wave of malware. It ensures security professionals have the tools they need to defend against the growing wave of Rust-based malware.
Reference: