The intention of this page is to collect and highlight malware written in the Rust programming language, so that malware reverse engineers have a collection of Rust samples to practice reversing on. Malware written in Rust is rapidly becoming a significant problem, especially with the advent of high-impact ransomware families such as BlackCat. However, knowledge of how to reverse Rust binaries is still scarce in the malware reverse engineering community.
I have collected at least one publicly available sample for each family. Definitive identification of malware families is hard, and I am not personally familiar with every malware family here, so I have tried to stick to sample hashes that are directly mentioned in the linked writeups. For each sample mentioned, a download link for that sample on either Malware Bazaar or MalShare is provided; neither of these sites requires an account to download samples.
This is not meant to be a comprehensive effort to track the evolution of these malware families, or to collect every writeup about a malware family. I have tried to collect writeups that are technical, or that highlight something new or interesting about the family. The focus is also on malware that has been observed in the wild, so red teaming tools written in Rust won't be listed here, unless they have been seen in the wild by an independent party.
If you would like to contribute, or see something that should be changed, please submit a Pull Request on this GitHub repository. Alternatively, you can contact me directly.
It's difficult to definitively identify CargoBay samples, as public information about it is limited. According to the publicly available contents of the 2022-11-29 IBM X-Force report, the source code of CargoBay is based on the source code from the book Black Hat Rust: https://github.com/skerkour/black-hat-rust
This sample (3a43116d507d58f3c9717f2cb0a3d06d0c5a7dc29f601e9c2b976ee6d9c8713f) isn't one of the hashes mentioned in the linked reports; however, due to the nature of this malware, there are a lot of unique samples out there, and I was able to find this one after some hunting.
There is a lack of good open reporting on Zeon Ransomware, so I will clarify a few potential points of confusion in the notes here.
There are samples which have been identified as Zeon Ransomware, but which are written in Python rather than Rust. These samples are packaged with PyInstaller and obfuscated with PyArmor. For example, c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a (MalShare) is a PyInstaller file which drops a ransom note nearly identical to that of the highlighted Rust sample above (fb57abf08a85f1d7ca0a6fdcd76b04ccf964a5b05f2f784492083994773e4590). The ransom notes of both samples say "All of your files are currently encrypted by ZEON strain", and link to the same Tor site (http[:]//zeonrefpbompx6rwdqa5hxgtp2cxgfmoymlli3azoanisze33pp3x3yd[.]onion) for victims to begin the payment process.
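Because a "Zeon" sample may turn out to be a PyInstaller/PyArmor bundle rather than a Rust binary, a quick marker scan is a useful first triage step before opening anything in a disassembler. The script below is an added example written for this page, not tooling from this repository or from any of the linked writeups. It looks for PyInstaller's CArchive cookie magic, a few strings left behind by the PyArmor runtime, and source-path and panic strings that rustc embeds in its output; the marker lists are heuristics I chose for illustration, not a definitive identification method, and the byte blobs at the bottom are constructed stand-ins, not real samples. Matching the SHA-256 against the hashes quoted in a writeup remains the authoritative check.

```python
"""Triage a sample by toolchain markers: Rust binary, PyInstaller bundle,
PyArmor-protected bundle, or unknown.  Added example for this page; the
marker sets are heuristics and the sample blobs are constructed."""
import hashlib
import re
from typing import Dict, List

# PyInstaller's CArchive cookie magic; the bootloader locates the bundled
# archive in the executable's overlay by searching for this value.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"

# Strings commonly left in a bundle by the PyArmor runtime (assumed markers).
PYARMOR_MARKERS = [b"pyarmor_runtime", b"__pyarmor__", b"pytransform"]

# Patterns typical of rustc output: standard-library source paths baked in
# for panic locations, cargo registry paths, and the unwrap panic message.
RUST_PATTERNS = [
    re.compile(rb"/rustc/[0-9a-f]{40}/library/"),
    re.compile(rb"\.cargo[/\\]registry[/\\]src[/\\]"),
    re.compile(rb"called `Option::unwrap\(\)` on a `None` value"),
    re.compile(rb"library/core/src/"),
]


def sha256_hex(data: bytes) -> str:
    """Hash to compare against the sample hashes quoted in a writeup."""
    return hashlib.sha256(data).hexdigest()


def find_markers(data: bytes) -> Dict[str, List[str]]:
    """Return every marker family found, with the matched text as evidence."""
    found: Dict[str, List[str]] = {"rust": [], "pyinstaller": [], "pyarmor": []}
    for pat in RUST_PATTERNS:
        m = pat.search(data)
        if m:
            found["rust"].append(m.group(0).decode("latin-1"))
    if PYINSTALLER_MAGIC in data:
        found["pyinstaller"].append("CArchive cookie magic")
    for marker in PYARMOR_MARKERS:
        if marker in data:
            found["pyarmor"].append(marker.decode())
    return found


def classify(data: bytes) -> str:
    """Collapse the marker evidence into a single triage verdict."""
    found = find_markers(data)
    is_py = bool(found["pyinstaller"] or found["pyarmor"])
    is_rust = bool(found["rust"])
    if is_py and is_rust:
        # Both toolchains present: e.g. one binary embedding the other.
        # Treat as a layered sample and inspect both layers.
        return "mixed"
    if is_py:
        return "pyinstaller+pyarmor" if found["pyarmor"] else "pyinstaller"
    if is_rust:
        return "rust"
    return "unknown"


# Constructed stand-ins for a Rust binary and a PyArmor-protected PyInstaller
# bundle; these are not real samples, only the marker strings in a PE-like shell.
CONSTRUCTED_RUST = (
    b"MZ" + b"\x00" * 16
    + b"/rustc/" + b"a" * 40 + b"/library/core/src/option.rs\x00"
    + b"called `Option::unwrap()` on a `None` value\x00"
)
CONSTRUCTED_PYINSTALLER = (
    b"MZ" + b"\x00" * 16
    + b"pyi-windows-manifest-filename\x00"
    + b"pyarmor_runtime\x00"
    + PYINSTALLER_MAGIC + b"\x00" * 8
)

if __name__ == "__main__":
    for name, blob in [("rust-like", CONSTRUCTED_RUST),
                       ("pyinstaller-like", CONSTRUCTED_PYINSTALLER)]:
        print(name, sha256_hex(blob)[:16], classify(blob), find_markers(blob))
```

Run it against a real file with `classify(open(path, "rb").read())`; a verdict of "unknown" on a stripped or packed sample is expected, since the markers only survive when the toolchain's strings are left intact.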
There is reporting which states that Zeon Ransomware is connected to Royal Ransomware, such as CISA's advisory on Royal Ransomware. However, I have not been able to find any reporting that states Royal Ransomware is written in Rust, nor any Rust samples of Royal Ransomware.