Digging through Rust to find Gold: Extracting Secrets from Rust

Keypoints

• Modern compiled languages like Rust, Golang, and Nim are increasingly used to build cross-platform malware, complicating defender efforts.
• Rust adoption in malware is rising (examples include BlackCat ransomware and the open-source Luca Stealer), enabling researchers to study Rust-based threats.
• Rust projects build with cargo/rustc produce embedded strings, dependency paths (cargo registry), and PDB paths that can leak build-time information useful for analysis.
• Reverse engineering Rust binaries requires different techniques: locating the user main via std::rt::lang_start_internal, fixing overlapping/non-null-terminated strings, and clearing data structures in Ghidra.
• Rust’s lack of a stable ABI, frequent compiler changes, built-in runtime checks, and low-level features (no-std, inline assembly, pointer use) increase binary variability and evasion options.
• Static analysis has limitations for Rust malware; the author recommends dynamic analysis (debugging, emulation, sandboxes) and sharing open-source tooling to accelerate detection and reverse engineering.