Podcast Summary: CyberWire Daily – "Crafting Malware with Modern Metals" [Research Saturday]
Title: Crafting Malware with Modern Metals
Host: Dave Bittner
Guest: Nick Cerny, Security Consultant at Bishop Fox
Release Date: April 19, 2025
Introduction
In the April 19, 2025 episode of CyberWire Daily titled "Crafting Malware with Modern Metals," host Dave Bittner engages in an illuminating conversation with Nick Cerny, a security consultant at Bishop Fox. This episode delves into the evolving landscape of malware development, specifically focusing on the adoption of modern programming languages like Rust and their implications for cybersecurity.
Rust: The New Frontier in Malware Development
Nick Cerny introduces the primary subject by highlighting the shift from traditional C-based languages to modern alternatives such as Rust for malware creation.
[01:23] Nick Cerny: "A lot of modern malware, or just malware in general, was traditionally written in the C languages. However, recently there's been an emerging trend where threat actors have been using other languages like D, Nim, Golang, and Rust."
Cerny explains his personal inclination towards Rust due to its combination of low-level capabilities and advanced features like memory safety guarantees.
[02:00] Nick Cerny: "Rust kind of appealed to me because it was a low-level language like C, but it also had some kind of cool features like memory safety guarantees and other nuances that I found interesting."
Recreating Malware Techniques in Rust: Challenges and Surprises
The discussion progresses to Cerny's research, where he recreated common malware techniques using Rust. He outlines the challenges encountered, particularly when interfacing Rust with Windows APIs through Microsoft's Windows Crate.
[02:36] Nick Cerny: "One of the challenges I found with developing Rust malware as opposed to using a traditional language like C, is when using the Windows Crate... it's a little bit more challenging than just using a traditional or just using the traditional C libraries because there are some differences in calling those APIs as opposed to using the Rust like wrapper or binding to that API."
Rust's Safety Features and Their Impact on Malware Detection
A significant portion of the conversation centers on how Rust's inherent safety features can paradoxically complicate malware detection efforts. Cerny contrasts Rust's memory management with that of C, emphasizing Rust's ownership model that eliminates the need for manual memory deallocation.
[03:30] Nick Cerny: "Rust has a unique concept called ownership, which is part of the reason why I liked Rust as opposed to C, because I thought it was a really cool concept... Rust is different because it introduces this concept called ownership, and it doesn't use a garbage collector or require the user to explicitly free up memory. It basically does all of that automatically."
He further explains how traditional reverse engineering tools like Ghidra and IDA Pro, whose decompilers are built around C calling conventions and emit C-style pseudocode, struggle with Rust binaries, producing "garbled or nonsensical information" that hampers analysis.
[06:46] Dave Bittner: "I see. So you sort of have to do your own kind of translation layer as you're looking through that pseudo-C, right?"
[06:57] Nick Cerny: "Yeah. And a lot of it really just doesn't make sense... it's going to produce a lot of garbled or nonsensical information that makes it a little bit more difficult to read the pseudocode."
Implications for Security Teams: Detection and Response
Bittner probes into how the shift to Rust might affect security teams' capabilities to detect and respond to threats. Cerny posits that while dedicated reverse engineers will eventually decode Rust-based malware, the initial hurdles imposed by Rust's structure can delay detection.
[09:44] Nick Cerny: "I believe... if you're a dedicated malware reverse engineer, you're going to figure out what the program is doing no matter what language you choose."
Regarding endpoint detection and response (EDR) solutions, Cerny suggests that while Rust could pose challenges, the effectiveness largely depends on the sophistication of these security tools.
[10:50] Nick Cerny: "It really depends on how established or sophisticated the antivirus solution or EDR solution is or how adept it is at detecting malicious behavior of a process or detecting signatures."
Skill Level and Adaptability of Malware Authors
The conversation shifts to the expertise required for malware authors to adopt Rust. Cerny asserts that malware developers with a strong background in C can transition to Rust without significant difficulty, given their understanding of memory management and modern evasion techniques.
[11:10] Nick Cerny: "Assuming your average malware author has a pretty good understanding of C and how memory works, I wouldn't say it would be terribly difficult for malware authors to pick up Rust as a new language."
He identifies Rust's ownership concept as the primary learning curve but acknowledges that once mastered, Rust becomes a powerful tool for developing sophisticated malware.
Potential Benefits of Rust for Defensive Tools
Bittner inquires whether Rust's features could be advantageous for defensive cybersecurity tools. Cerny reflects that while Rust could be beneficial in developing more robust decompilers, the core techniques for EDR solutions remain consistent irrespective of the programming language used.
[12:16] Nick Cerny: "Maybe if you were going to write like a more comprehensive Rust decompiler, that would be helpful."
He emphasizes that EDR capabilities like hooking Windows APIs and monitoring malicious payloads are language-agnostic.
Key Takeaways and Conclusions
Cerny shares his primary insights from the research, emphasizing the ease with which Rust-based malware can evade traditional signature-based antivirus solutions. He highlights the advantage this presents for red teams in developing custom tooling that mimics real-world adversaries more effectively.
[13:45] Nick Cerny: "Developing malware is very advantageous for red teams because you're essentially developing tooling that hasn't been signatured yet by antivirus endpoint detection response solutions... make my red team more effective."
Conclusion
The episode concludes with Cerny's reflections on the evolving malware landscape and the increasing adoption of modern programming languages like Rust. The discussion underscores the ongoing arms race between malware developers and defenders, highlighting the need for adaptive and sophisticated security measures to keep pace with emerging threats.
Additional Information
For listeners interested in exploring the research further, links are provided in the show notes. Feedback on the podcast is encouraged to ensure the delivery of pertinent cybersecurity insights.
Notable Quotes:
- Nick Cerny [02:00]: "Rust kind of appealed to me because it was a low-level language like C, but it also had some kind of cool features like memory safety guarantees and other nuances that I found interesting."
- Nick Cerny [03:30]: "Rust has a unique concept called ownership, which is part of the reason why I liked Rust as opposed to C..."
- Nick Cerny [09:44]: "I believe... if you're a dedicated malware reverse engineer, you're going to figure out what the program is doing no matter what language you choose."
- Nick Cerny [13:45]: "Developing malware is very advantageous for red teams because you're essentially developing tooling that hasn't been signatured yet by antivirus endpoint detection response solutions..."
This comprehensive summary encapsulates the critical discussions and insights shared in the "Crafting Malware with Modern Metals" episode, providing valuable perspectives for cybersecurity professionals and enthusiasts alike.