Technical Details on CrateDepression Rust Supply-Chain Attack Campaign

After the removal and investigation of a malicious Rust crate, cyber defenders should ensure their projects are not affected.

Context

On May 19, 2022, security researchers at Sentinel Labs released technical details of a campaign targeting the Rust development community with a supply-chain attack by leveraging a malicious crate. The Rust Security Response Working Group released an advisory regarding the malicious crate on May 10, 2022. The malicious crate was named “rustdecimal,” likely intended to mimic the popular “rust[_]decimal” crate.

According to Sentinel Labs’ investigation, the attack checks for environment variables that indicate a singular interest in GitLab Continuous Integration (CI) pipelines, then serves a second-stage payload to infected CI pipelines using Go binaries built on the Mythic framework. Sentinel Labs noted that the attack could enable large-scale supply chain attacks and that the campaign likely impersonates a known Rust developer to inject malicious code through a typo-squatted malicious dependency to initiate the infection.

Mitigation Options

The Rust Security Response Working Group removed the malicious crate on May 10, 2022. According to their statement, the legitimate popular “rust[_]decimal” crate was not compromised. Organizations should remain proactive and take the following defensive actions:

  • Check whether any development projects running GitLab CI pipelines relied on the malicious “rustdecimal” crate at any point since March 2022. If so, treat the CI pipeline as compromised.
  • Regularly audit Rust dependencies for known issues and malicious changes.
  • Report any suspicious behavior in Rust crates to the Rust Security Response Working Group to help protect the community.
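The first two checks above can be scripted. The following Python script is an added example, not code from this advisory, from Sentinel Labs, or from the Rust project: it parses a Cargo.lock, flags the malicious crate name and look-alikes of the legitimate rust_decimal name, and can hash files under a directory (for instance a CI runner's ~/.cargo/registry) against the SHA1 values from the IOC table. The sample lockfile is constructed, and only a handful of the listed hashes are repeated in the script.

```python
import hashlib
import re
from pathlib import Path

# Crate names from the advisory: the malicious crate and the legitimate crate it
# imitates. Both separator spellings of the legitimate name are accepted, since
# crates.io treats '-' and '_' as equivalent when reserving names.
MALICIOUS_CRATES = {"rustdecimal"}
LEGITIMATE_NAMES = {"rust_decimal", "rust-decimal"}

# SHA1 hashes published by Sentinel Labs; only a few of the listed values are
# repeated here, so load the full IOC table for a real scan.
MALICIOUS_SHA1 = {
    "be62b4113b8d6df0e220cfd1f158989bad280a57",  # malicious crate file
    "7fd701314b4a2ea44af4baa9793382cbcc58253c",  # malicious crate file
    "c91b0b85a4e1d3409f7bc5195634b88883367cad",  # Mach-O second-stage payload
    "be0e8445566d3977ebb6dbb6adae6d24bfe4c86f",  # ELF second-stage payload
}

_PACKAGE_HEADER = re.compile(r"^\[\[package\]\]\s*$", re.MULTILINE)
_STRING_FIELD = re.compile(r'^(\w+)\s*=\s*"([^"]*)"', re.MULTILINE)


def parse_cargo_lock(text):
    """Return (name, version, source) for every [[package]] entry in a Cargo.lock.

    Only scalar string fields are read; 'dependencies' arrays and a trailing
    [metadata] section are ignored, which is all a name audit needs.
    """
    packages = []
    for block in _PACKAGE_HEADER.split(text)[1:]:  # element 0 is the file header
        fields = dict(_STRING_FIELD.findall(block))
        packages.append((fields.get("name", ""), fields.get("version", ""),
                         fields.get("source", "")))
    return packages


def _normalize(name):
    # Collapse separators and case so look-alike names compare equal.
    return re.sub(r"[^a-z0-9]", "", name.lower())


def find_suspicious(packages):
    """Flag known-malicious crate names and look-alikes of the legitimate crate."""
    legit_norm = {_normalize(n) for n in LEGITIMATE_NAMES}
    findings = []
    for name, version, _source in packages:
        if name in MALICIOUS_CRATES:
            findings.append((name, version, "known malicious crate"))
        elif name not in LEGITIMATE_NAMES and _normalize(name) in legit_norm:
            # Heuristic: same letters as rust_decimal under a different registered name.
            findings.append((name, version, "look-alike of rust_decimal"))
    return findings


def sha1_of_bytes(data):
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path):
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_for_ioc_hashes(root, known=MALICIOUS_SHA1):
    """Walk a directory and return paths of files whose SHA1 matches an IOC."""
    return [str(p) for p in Path(root).rglob("*")
            if p.is_file() and sha1_of_file(p) in known]


# Constructed Cargo.lock excerpt for demonstration (not a real project's lockfile).
SAMPLE_LOCK = """\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "demo-service"
version = "0.1.0"
dependencies = [
 "rust_decimal",
 "rustdecimal",
]

[[package]]
name = "rust_decimal"
version = "1.23.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "rustdecimal"
version = "1.23.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

if __name__ == "__main__":
    import sys
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_LOCK
    for name, version, reason in find_suspicious(parse_cargo_lock(text)):
        print(f"{name} {version}: {reason}")
    if len(sys.argv) > 2:  # optional directory to hash against the IOC set
        for hit in scan_for_ioc_hashes(sys.argv[2]):
            print(f"IOC hash match: {hit}")
```

Because the advisory covers any use since March 2022, the current Cargo.lock is not enough on its own: run the name check over every historical revision of the lockfile (for example by walking `git log -p -- Cargo.lock`), and hash the runner's cargo registry cache rather than only the repository checkout.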

Indicators of Compromise

Sentinel Labs released the following IOCs of the campaign:

Indicator | Type | Notes
--- | --- | ---
githubio[.]codes | File Name | Network Indicator
https[://]api[.]githubio[.]codes/v2/id/f6d50b696cc427893a53f94b1c3adc99/READMEv2[.]bin | File Name | Network Indicator
https[://]api[.]githubio[.]codes/v2/id/f6d50b696cc427893a53f94b1c3adc99/README[.]bin | File Name | Network Indicator
Api[.]kakn[.]li | C2 | Network Indicator
64[.]227[.]12[.]57 | Domain | Network Indicator
be62b4113b8d6df0e220cfd1f158989bad280a57 | SHA1 | Malicious Crates
7fd701314b4a2ea44af4baa9793382cbcc58253c | SHA1 | Malicious Crates
bd927c2e1e7075b6ed606cf1e5f95a19c9cad549 | SHA1 | Malicious Crates
13f2f14bc62de8857ef829319145843e30a2e4ea | SHA1 | Malicious Crates
609f80fd5847e7a69188458fa968ecc52bea096a | SHA1 | Malicious Crates
f578f0e6298e1055cdc9b012d8a705bc323f6053 | SHA1 | Malicious Crates
2f8be17b93fe17e2f97871654b0fc2a1c2cb4ed3 | SHA1 | Malicious Crates
b8a9f5bc1f56f8431286461fe0e081495f285f86 | SHA1 | Malicious Crates
051d3e17b501aaacbe1deebf36f67fd909aa6fbc | SHA1 | Malicious Crates
5847563d877d8dc1a04a870f6955616a1a20b80e | SHA1 | Malicious Crates
99f7d1ec6d5be853eb15a8c6e6f09edd0c794a50 | SHA1 | Malicious Crates
a28b44c8882f786d3d9ff18a596db92b7e323a56 | SHA1 | Malicious Crates
5a9e79ff3e87a9c7745e423de8aae2a4da879f08 | SHA1 | Malicious Crates
90551abe66103afcb6da74b0480894d68d9303c2 | SHA1 | Malicious Crates
fd63346faca7da3e7d714592a8222d33aaf73e09 | SHA1 | Malicious Crates
4add8c27d5ce7dd0541b5f735c37d54bc21939d1 | SHA1 | Malicious Crates
8c0efac2575f06bcc75ab63644921e8b057b3aa1 | SHA1 | Malicious Crates
16faf72d9d95b03c74193534367e08b294dcb27a | SHA1 | Malicious Crates
ddca9d5a32aebc5a8106b4a3d2e22200898af91d | SHA1 | Malicious Crates
34a06b4664d0077f69b035414b8e85e9c2419962 | SHA1 | Malicious Crates
009bb8cef14d39237e0f33c3c088055ce185144f | SHA1 | Malicious Crates
a6c803fc984fd20ba8c2118300c12d671403f864 | SHA1 | Malicious Crates
c5f2a35c924003e43dabc04fc8bbc5f26a736a80 | SHA1 | Malicious Crates
d0fb17e43c66689602bd3147d905d388b0162fc5 | SHA1 | Malicious Crates
a14d34bb793e86eec6e6a05cd6d2dc4e72c96de9 | SHA1 | Malicious Crates
a21af73e14996be006e8313aa47a15ddc402817a | SHA1 | Malicious Crates
a4a576ea624f82e4305ca9e83b567bdcf9e15da7 | SHA1 | Malicious Crates
98c531ba4d75e8746d0129ad7914c64e333e5da8 | SHA1 | Malicious Crates
016c3399c9f4c90af09d028b32f18e70c747a0f6 | SHA1 | Malicious Crates
a0516d583c2ab471220a0cc4384e7574308951af | SHA1 | Malicious Crates
987112d87e5bdfdfeda906781722d87f397c46e7 | SHA1 | Malicious Crates
88cbd4f284ba5986ba176494827b7252c826ff75 | SHA1 | Malicious Crates
rustdecimal-1[.]22[.]0[.]crate[.]tar[.]gz | File Name | Malicious Crates
1[.]22[.]0/src/decimal[.]rs | File Name | Malicious Crates
rustdecimal-1[.]22[.]1[.]crate[.]tar[.]gz | File Name | Malicious Crates
1[.]22[.]1/src/decimal[.]rs | File Name | Malicious Crates
rustdecimal-1[.]22[.]2[.]crate[.]tar[.]gz | File Name | Malicious Crates
1[.]22[.]2/src/decimal[.]rs | File Name | Malicious Crates
rustdecimal-1[.]22[.]3[.]crate[.]tar[.]gz | File Name | Malicious Crates
1[.]22[.]3/src/decimal[.]rs | File Name | Malicious Crates
rustdecimal-1[.]22[.]4[.]crate[.]tar[.]gz | File Name | Malicious Crates
1[.]22[.]4/src/decimal[.]rs | File Name | Malicious Crates
rustdecimal-1[.]22[.]5[.]crate[.]tar[.]gz | File Name | Malicious Crates
1[.]22[.]5/src/decimal[.]rs | File Name | Malicious Crates
rustdecimal-1[.]22[.]6[.]crate[.]tar[.]gz | File Name | Malicious Crates
1[.]22[.]6/src/decimal[.]rs | File Name | Malicious Crates
rustdecimal-1[.]22[.]7[.]crate[.]tar[.]gz | File Name | Malicious Crates
1[.]22[.]7/src/decimal[.]rs | File Name | Malicious Crates
rustdecimal-1[.]22[.]8[.]crate[.]tar[.]gz | File Name | Malicious Crates
1[.]22[.]8/src/decimal[.]rs | File Name | Malicious Crates
rustdecimal-1[.]22[.]9[.]crate[.]tar[.]gz | File Name | Malicious Crates
1[.]22[.]9/src/decimal[.]rs | File Name | Malicious Crates
rustdecimal-1[.]23[.]0[.]crate[.]tar[.]gz | File Name | Malicious Crates
1[.]23[.]0/src/decimal[.]rs | File Name | Malicious Crates
rustdecimal-1[.]23[.]1[.]crate[.]tar[.]gz | File Name | Malicious Crates
1[.]23[.]1/src/decimal[.]rs | File Name | Malicious Crates
rustdecimal-1[.]23[.]2[.]crate[.]tar[.]gz | File Name | Malicious Crates
1[.]23[.]2/src/decimal[.]rs | File Name | Malicious Crates
rustdecimal-1[.]23[.]3[.]crate[.]tar[.]gz | File Name | Malicious Crates
1[.]23[.]3/src/decimal[.]rs | File Name | Malicious Crates
rustdecimal-1[.]23[.]4[.]crate[.]tar[.]gz | File Name | Malicious Crates
1[.]23[.]4/src/decimal[.]rs | File Name | Malicious Crates
rustdecimal-1[.]23[.]5[.]crate[.]tar[.]gz | File Name | Malicious Crates
1[.]23[.]5/src/decimal[.]rs | File Name | Malicious Crates
c91b0b85a4e1d3409f7bc5195634b88883367cad | SHA1 | Mach-O, Second Stage Payloads
be0e8445566d3977ebb6dbb6adae6d24bfe4c86f | SHA1 | ELF, Second Stage Payloads
README[.]bin | File Name | Mach-O, Second Stage Payloads
READMEv2[.]bin | File Name | ELF, Second Stage Payloads
