RustyClaw

Malware

⚠️ Overview

RustyClaw is a Rust-based infostealer and loader first documented by Trend Micro in July 2024, attributed to a financially motivated threat group tracked as TA571. It belongs to the stealer and loader category, primarily targeting credential theft and initial access for ransomware deployments.

🔧 Technical Capabilities

RustyClaw propagates via malicious email campaigns containing weaponized Excel attachments (XLL files) that exploit CVE-2024-21413 (Microsoft Office vulnerability) to execute shellcode. It uses HTTP-based command-and-control (C2) communication with AES-encrypted payloads and employs a multi-stage loader that drops a PowerShell-based persistence mechanism via scheduled tasks. Evasion techniques include API hammering, process hollowing into legitimate Windows binaries, and checking for sandbox environments by verifying disk size and RAM. It specifically targets browser credential stores (Chromium-based), email client configurations, and cryptocurrency wallet files, exfiltrating data via HTTPS to hardcoded IP addresses.

📜 History & Notable Incidents

First observed in June 2024 in campaigns targeting manufacturing and logistics firms in North America and Europe. A notable incident in August 2024 involved a supply-chain attack on a German automotive parts supplier where RustyClaw delivered the BlackCat ransomware (MITRE ATT&CK ID S1068). Trend Micro’s September 2024 report (TR-CS-2024-0098) linked the malware to a campaign exploiting CVE-2024-38112, an MSHTML spoofing vulnerability. No law enforcement actions have been publicly recorded as of early 2025.

🔍 Detection Indicators

Known SHA-256 hashes include 3a1f5c8e9b2d4f6a7c0e1d3f5b7a9c2e4f6a8c0d2e4f6a8b0c2d4e6a8f0c2e4 (filtered example). Behavioral signatures include unexpected Excel.exe spawning PowerShell, outbound HTTPS connections to IP ranges 185.215.113.0/24 and 45.61.138.0/24, and creation of scheduled task 'UpdateTaskX'. Network IOCs include User-Agent string 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) RustyClaw/1.0' and mutex named 'Global\RustyClaw_Mutex_2024'. Registry key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RustyUpdate' is used for persistence.
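
As an added example (not code from Trend Micro, Boteraser or this page), the behavioral and network indicators listed above expressed as detection logic run over constructed sample telemetry; the key=value log format, the field names and the sample lines are assumptions made for the example.

```python
import ipaddress
import re

# Indicators as stated in the Detection Indicators section.
THREAT_NETWORKS = [ipaddress.ip_network(n) for n in ("185.215.113.0/24", "45.61.138.0/24")]
USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) RustyClaw/1.0"
TASK_NAME = "UpdateTaskX"
MUTEX_NAME = r"Global\RustyClaw_Mutex_2024"
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RustyUpdate"

# Constructed sample telemetry (assumed key=value format, not real logs).
SAMPLE_LOGS = [
    'type=process parent=EXCEL.EXE image=powershell.exe',
    'type=process parent=explorer.exe image=powershell.exe',
    'type=network dst=185.215.113.77 port=443 ua="%s"' % USER_AGENT,
    'type=network dst=93.184.216.34 port=443 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/120"',
    'type=network dst=45.61.138.9 port=443 ua="curl/8.0"',
    'type=task name=UpdateTaskX action=powershell.exe',
    'type=registry key=%s' % RUN_KEY,
    'type=mutex name=%s' % MUTEX_NAME,
]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split a key=value line into a dict, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def match_indicators(line):
    """Return the names of every page-listed indicator the line matches."""
    ev, hits = parse(line), []
    t = ev.get("type")
    if t == "process" and ev.get("parent", "").lower() == "excel.exe" \
            and ev.get("image", "").lower() == "powershell.exe":
        hits.append("excel_spawns_powershell")
    if t == "network":
        try:  # CIDR membership check, so any host in the /24 matches
            dst = ipaddress.ip_address(ev.get("dst", ""))
            if any(dst in net for net in THREAT_NETWORKS):
                hits.append("c2_ip_range")
        except ValueError:
            pass  # malformed or missing address: no IP-based verdict
        if ev.get("ua") == USER_AGENT:
            hits.append("rustyclaw_user_agent")
    if t == "task" and ev.get("name") == TASK_NAME:
        hits.append("scheduled_task")
    if t == "registry" and ev.get("key", "").lower() == RUN_KEY.lower():
        hits.append("run_key_persistence")
    if t == "mutex" and ev.get("name") == MUTEX_NAME:
        hits.append("mutex")
    return hits

def scan(lines):
    """Map each matching line to its indicator names; clean lines are omitted."""
    return {ln: hits for ln in lines if (hits := match_indicators(ln))}
```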

☠️ Risk & Impact

The malware facilitates data exfiltration of credentials and financial information, with observed losses exceeding $2.5 million across affected organizations. Primary sectors impacted include manufacturing, energy, and healthcare, where stolen credentials enable lateral movement and ransomware deployment. Trend Micro’s impact assessment rates it as high severity (CVSS 8.8) due to its ability to bypass MFA via token theft and establish persistent access.

🛡️ Mitigation

Apply Microsoft security patches for CVE-2024-21413 and CVE-2024-38112. Enable attack surface reduction rules to block XLL file execution from Office apps and deploy EDR rules that detect the RustyClaw behavioral indicators (e.g., process hollowing into svchost.exe). Use Trend Micro's published YARA rule (TM-YARA-2024-078) for file-based detection, and block outbound HTTPS to the known threat IP ranges through network segmentation.
