Unidentified 110 (RustyFlag)

Malware

⚠️ Overview

Unidentified 110 (RustyFlag) is a Rust-based information stealer first documented by the cybersecurity firm [Fictional] in early 2024. It is categorized as a credential stealer and keylogger, attributed to an unknown threat actor referred to as TA-110. The malware is written entirely in Rust, leveraging the language’s memory safety to evade traditional signature-based detection.

🔧 Technical Capabilities

RustyFlag propagates primarily through phishing emails containing malicious attachments that exploit CVE-2023-36025 for Windows SmartScreen bypass, as reported by Microsoft in December 2023. Its command-and-control (C2) infrastructure uses HTTPS with TLS 1.3 and employs a domain generation algorithm (DGA) seeded with the current date, so that network blocks of individual domains are short-lived. Persistence is achieved via a scheduled task named ‘WindowsUpdateTask’ and a registry run key at HKCU\Software\Microsoft\Windows\CurrentVersion\Run\RustyFlag. Evasion techniques include process hollowing into legitimate processes such as svchost.exe, removal of EDR user-mode API hooks by issuing direct syscalls, and obfuscation via Rust’s built-in string encryption. The malware also uses a Telegram bot as a secondary C2 channel for exfiltrating small payloads.

📜 History & Notable Incidents

First observed in March 2024 targeting financial institutions in Southeast Asia, with a notable campaign in June 2024 that compromised a major Philippine bank, leading to the exfiltration of 2.3 million customer records. Another incident in August 2024 involved a cryptocurrency exchange in Singapore, resulting in the theft of $4.5 million in digital assets. No CVEs are directly attributed to RustyFlag itself, but it leverages CVE-2023-38831 for initial access via WinRAR archives, as documented by the Zero Day Initiative.

🔍 Detection Indicators

Known SHA256 hash: 3a7bc9e1f2d4... (placeholder from vendor report). Network indicators include the User-Agent string ‘Mozilla/5.0 (Windows NT 10.0; Win64; x64) RustyFlag/1.0’ and C2 domains matching the pattern ‘*.rustyflag[.]top’. The registry key ‘HKCU\Software\Microsoft\Windows\CurrentVersion\Run\RustyFlag’ and the mutex name ‘RustyFlagMutex’ are common host artifacts. Behavioral signatures include process hollowing detection and DGA-based DNS queries.
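The following is an added example, not code from the profile's vendor or from Boteraser, showing how the indicators listed above (the User-Agent string, the defanged C2 domain pattern, the run key and the scheduled task name from the Technical Capabilities section) can be matched against telemetry. The proxy log layout and the Sysmon-style event field names are assumptions chosen for this illustration, and the sample records are constructed. The truncated hash is not used because the page gives only a placeholder.

```python
"""Match the published RustyFlag indicators against constructed sample telemetry.

Added example: log layout and event field names are assumptions, not the
vendor's own rules or tooling.
"""
import re

# Indicators quoted from the profile above.
USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) RustyFlag/1.0"
C2_DOMAIN_PATTERN = "*.rustyflag[.]top"          # kept defanged, as published
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\RustyFlag"
TASK_NAME = "WindowsUpdateTask"


def refang(indicator: str) -> str:
    """Turn a published, defanged domain ('[.]') back into a matchable one."""
    return indicator.replace("[.]", ".")


def domain_matcher(pattern: str) -> re.Pattern:
    """Compile '*.example.top' into a regex matching the apex and any subdomain,
    but not look-alikes such as 'notexample.top' or 'example.top.evil.com'."""
    base = re.escape(refang(pattern).lstrip("*."))
    return re.compile(r"(?:^|\.)" + base + r"\.?$", re.IGNORECASE)


C2_DOMAIN = domain_matcher(C2_DOMAIN_PATTERN)


def scan_proxy_log(lines):
    """Return (reason, client, host) for proxy lines whose host or User-Agent match.

    Assumed line layout (constructed): <time> <client_ip> <dest_host> <status> "<user_agent>"
    """
    findings = []
    for line in lines:
        m = re.match(r'(\S+) (\S+) (\S+) (\d{3}) "(.*)"$', line)
        if not m:
            continue                      # skip lines not in the assumed layout
        _time, client, host, _status, ua = m.groups()
        if C2_DOMAIN.search(host):
            findings.append(("c2_domain", client, host))
        if ua == USER_AGENT:
            findings.append(("user_agent", client, host))
    return findings


def normalize_registry_path(target: str) -> str:
    """Sysmon logs per-user keys as HKU\\<SID>\\...; fold that back to HKCU\\... so
    the published HKCU path can be compared directly."""
    return re.sub(r"^HKU\\S-1-5-[\d-]+\\", r"HKCU\\", target, flags=re.IGNORECASE)


def scan_host_events(events):
    """Return (reason, image) for Sysmon-style events carrying the persistence artifacts.

    Assumed (constructed) event shapes:
      {"event": "RegistryValueSet", "target": "<full key path>", "image": "..."}
      {"event": "ScheduledTaskCreated", "task": "<task name>", "image": "..."}
    """
    findings = []
    for ev in events:
        kind = ev.get("event")
        if kind == "RegistryValueSet":
            if normalize_registry_path(ev.get("target", "")).lower() == RUN_KEY.lower():
                findings.append(("run_key", ev.get("image", "")))
        elif kind == "ScheduledTaskCreated":
            if ev.get("task", "").lower() == TASK_NAME.lower():
                findings.append(("scheduled_task", ev.get("image", "")))
    return findings


# Constructed sample data; not real observations.
SAMPLE_PROXY_LOG = [
    '2024-06-03T10:14:02Z 10.0.0.15 update.microsoft.com 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2024-06-03T10:14:09Z 10.0.0.15 cdn7.rustyflag.top 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) RustyFlag/1.0"',
    '2024-06-03T10:15:40Z 10.0.0.22 notrustyflag.top 404 "curl/8.4.0"',
]
SAMPLE_HOST_EVENTS = [
    {"event": "RegistryValueSet",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\RustyFlag",
     "image": r"C:\Windows\System32\svchost.exe"},
    {"event": "ScheduledTaskCreated", "task": "WindowsUpdateTask",
     "image": r"C:\Windows\System32\svchost.exe"},
    {"event": "RegistryValueSet",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "image": r"C:\Users\a\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_PROXY_LOG) + scan_host_events(SAMPLE_HOST_EVENTS):
        print(finding)
```

The domain matcher anchors on a label boundary so that a look-alike such as notrustyflag.top or a host that merely embeds the pattern does not fire, and the registry check folds the HKU\<SID> form Sysmon actually records back onto the HKCU path the profile publishes; both are the details that most often make a naively pasted IoC list miss.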

☠️ Risk & Impact

The malware exfiltrates passwords, browser cookies, cryptocurrency wallets, and screen captures, with data often sold on dark web forums. Financial losses from the bank incident exceeded $10 million, and the cryptocurrency exchange reported $4.5 million in stolen assets. Primary affected sectors are banking, e-commerce, and cryptocurrency exchanges, with additional targeting of healthcare in September 2024.

🛡️ Mitigation

Organizations should enforce email filtering for phishing attachments, apply Microsoft patches for CVE-2023-36025 and CVE-2023-38831, and deploy EDR solutions with behavioral rules to detect process hollowing and DGA traffic. Sigma rules for RustyFlag are available from the Fictional Security blog, and YARA rules targeting Rust binaries should be implemented. Enabling AMSI and blocking outbound connections to known DGA domains reduces infection risk.
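The profile says RustyFlag uses a date-seeded DGA but does not publish the algorithm, so blocking on the generated names themselves is not possible from this page. What a defender can do is watch for the side effect a DGA leaves in resolver logs: a burst of NXDOMAIN answers for high-entropy, never-before-seen names from one client. The following added example (not the vendor's or Boteraser's code) implements that heuristic over a constructed DNS query log; the thresholds, the record shape and the single-label public-suffix simplification are assumptions.

```python
"""Heuristic DGA-activity detection over a constructed DNS query log.

Added example. It does not reproduce RustyFlag's DGA (unpublished); it flags
clients that accumulate many NXDOMAIN answers for high-entropy labels.
Thresholds and the record shape are assumptions.
"""
import math
from collections import defaultdict


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for the empty string)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname: str) -> str:
    """Return the label left of the public suffix, e.g. 'abc' for 'x.abc.top'.

    Simplification (assumption): the public suffix is the last label only,
    which holds for .top/.com but not for multi-label suffixes such as .co.uk."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def analyze_dns_log(records, nx_threshold=5, entropy_threshold=3.2):
    """records: iterable of (client_ip, qname, rcode) tuples (constructed shape).

    Returns {client_ip: {"nxdomain_labels": int, "mean_entropy": float}} for
    every client whose distinct NXDOMAIN labels reach nx_threshold and whose
    mean label entropy is at or above entropy_threshold."""
    per_client = defaultdict(set)
    for client, qname, rcode in records:
        if rcode == "NXDOMAIN":
            per_client[client].add(registrable_label(qname))
    flagged = {}
    for client, labels in per_client.items():
        if len(labels) < nx_threshold:
            continue                      # a few typos do not make a DGA
        mean_h = sum(map(shannon_entropy, labels)) / len(labels)
        if mean_h >= entropy_threshold:
            flagged[client] = {"nxdomain_labels": len(labels),
                               "mean_entropy": round(mean_h, 2)}
    return flagged


# Constructed sample log: one client cycling through random-looking .top names
# until one resolves, one client with ordinary traffic and a single typo.
SAMPLE_DNS_LOG = [
    ("10.0.0.15", "qx7bd2kp9wzmt4.top", "NXDOMAIN"),
    ("10.0.0.15", "h3vn8sjr1cyfl6.top", "NXDOMAIN"),
    ("10.0.0.15", "zp5ewk0tqm2bx9.top", "NXDOMAIN"),
    ("10.0.0.15", "m8rlc4yvgd7anj.top", "NXDOMAIN"),
    ("10.0.0.15", "t2ksf9hxb6upwq.top", "NXDOMAIN"),
    ("10.0.0.15", "e7gjm3vzr5dnqc.top", "NXDOMAIN"),
    ("10.0.0.15", "cdn7.rustyflag.top", "NOERROR"),
    ("10.0.0.22", "www.microsoft.com", "NOERROR"),
    ("10.0.0.22", "update.microsoft.com", "NOERROR"),
    ("10.0.0.22", "www.micrsoft.com", "NXDOMAIN"),
]

if __name__ == "__main__":
    for client, stats in analyze_dns_log(SAMPLE_DNS_LOG).items():
        print(client, stats)
```

Counting distinct labels rather than raw queries keeps a retry storm for one misspelled name from tripping the rule, and combining the NXDOMAIN count with an entropy floor keeps legitimate but unlucky lookups (expired CDN hostnames, typos) below the bar; tune both thresholds against a baseline of the resolver's normal NXDOMAIN rate before alerting on them.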


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.