The APT group DefrayX appears to have launched a new version of its RansomExx malware, rewritten in the Rust programming language — possibly to avoid detection by antivirus software.
According to IBM Security X-Force Threat researchers, that evasion may be successful, at least for now. IBM reported that one sample that it analyzed “was not detected as malicious in the VirusTotal platform for at least 2 weeks after its initial submission” and that “the new sample is still only detected by 14 out of the 60+ AV providers represented in the platform.”
Besides being harder to detect and reverse-engineer, Rust has the advantage of being platform-agnostic. Thus, while the new version of RansomExx runs on Linux, IBM predicts a Windows version will be on its way soon, if it’s not already loose and undetected.
RansomExx is far from the only malware package written in Rust. BlackCat, Hive, and, before that, Buer are prominent examples of malware that was rewritten to avoid detection based on the C/C++ versions.
DefrayX is known for its attacks targeting cloud workloads and specific verticals, including healthcare and manufacturing.