www.sentinelone.com Open in urlscan Pro
104.26.2.18  Public Scan

URL: https://www.sentinelone.com/labs/cratedepression-rust-supply-chain-attack-infects-cloud-ci-pipelines-with-go-malware/
Submission: On May 22 via api from DE — Scanned from DE

Form analysis 6 forms found in the DOM

GET https://www.sentinelone.com

<form autocomplete="off" method="get" action="https://www.sentinelone.com">
  <fieldset>
    <input type="search" name="s" placeholder="Search ..." value="">
    <button class="search" type="submit">
      <span class="light">
        <img class="icon-search" src="https://www.sentinelone.com/wp-content/themes/sentinelone/carbine/assets/svg/search-icon-white.svg">
        <img class="icon-down" src="https://www.sentinelone.com/wp-content/themes/sentinelone/carbine/assets/svg/navigation-close.svg">
      </span>
      <span class="dark">
        <img class="icon-search" src="https://www.sentinelone.com/wp-content/themes/sentinelone/carbine/assets/svg/search-icon.svg">
        <img class="icon-down" src="https://www.sentinelone.com/wp-content/themes/sentinelone/carbine/assets/svg/navigation-close-dark.svg">
      </span>
    </button>
  </fieldset>
</form>

GET https://www.sentinelone.com/

<form role="search" method="get" class="search-form" action="https://www.sentinelone.com/">
  <label>
    <span class="screen-reader-text">Search ...</span>
    <input type="search" class="search-field" placeholder="Search ..." value="" name="s">
  </label>
  <input type="submit" class="search-submit" value="Search">
</form>

<form id="mktoForm_1985" novalidate="novalidate" class="mktoForm mktoHasWidth mktoLayoutLeft bf_form_init" style="font-family: inherit; font-size: 13px; color: rgb(51, 51, 51); width: 1601px;" bf_offer_id="1528080098">
  <style type="text/css"></style>
  <div class="mktoFormRow">
    <div class="mktoFieldDescriptor mktoFormCol" style="margin-bottom: 5px;">
      <div class="mktoOffset" style="width: 5px;"></div>
      <div class="mktoFieldWrap mktoRequiredField"><label for="Email" id="LblEmail" class="mktoLabel mktoHasWidth" style="width: 0px;">
          <div class="mktoAsterix">*</div>
        </label>
        <div class="mktoGutter mktoHasWidth" style="width: 5px;"></div><input id="Email" name="Email" placeholder="Business Email" maxlength="255" aria-labelledby="LblEmail InstructEmail" type="email"
          class="mktoField mktoEmailField mktoHasWidth mktoRequired" aria-required="true" style="width: 150px;"><span id="InstructEmail" tabindex="-1" class="mktoInstruction"></span>
        <div class="mktoClear"></div>
      </div>
      <div class="mktoClear"></div>
    </div>
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Employees__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Industry" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="AnnualRevenue" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Address" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="City" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="PostalCode" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="SIC_Code2__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Website" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="demandbaseSID" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Phone" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="demandbaseCompany" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="demandbaseCountry" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="demandbaseState" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="demandbaseEmployeeRange" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="subIndustry" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="dataSource" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="watchListAccountType" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="watchListAccountOwner" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="watchListAccountStatus" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="watchListCampaignCode" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoButtonRow"><span class="mktoButtonWrap mktoNative" style="margin-left: 110px;"><button type="submit" class="mktoButton">Subscribe</button></span></div>
  <div class="marketo-legal">By clicking Subscribe, I agree to the use of my personal data in accordance with SentinelOne <a href="/legal/privacy-policy/">Privacy Policy</a>. SentinelOne will not sell, trade, lease, or rent your personal data to
    third parties.</div><input type="hidden" name="formid" class="mktoField mktoFieldDescriptor" value="1985"><input type="hidden" name="munchkinId" class="mktoField mktoFieldDescriptor" value="327-MNM-087">
</form>

<form id="mktoForm_2673" novalidate="novalidate" class="mktoForm mktoHasWidth mktoLayoutLeft bf_form_init" style="font-family: inherit; font-size: 13px; color: rgb(51, 51, 51); width: 1601px;" bf_offer_id="1528106973">
  <style type="text/css"></style>
  <div class="mktoFormRow">
    <div class="mktoFieldDescriptor mktoFormCol" style="margin-bottom: 5px;">
      <div class="mktoOffset" style="width: 5px;"></div>
      <div class="mktoFieldWrap mktoRequiredField"><label for="Email" id="LblEmail" class="mktoLabel mktoHasWidth" style="width: 0px;">
          <div class="mktoAsterix">*</div>
        </label>
        <div class="mktoGutter mktoHasWidth" style="width: 5px;"></div><input id="Email" name="Email" placeholder="Business Email" maxlength="255" aria-labelledby="LblEmail InstructEmail" type="email"
          class="mktoField mktoEmailField mktoHasWidth mktoRequired" aria-required="true" style="width: 150px;"><span id="InstructEmail" tabindex="-1" class="mktoInstruction"></span>
        <div class="mktoClear"></div>
      </div>
      <div class="mktoClear"></div>
    </div>
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Employees__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Industry" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="AnnualRevenue" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Address" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="City" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="PostalCode" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="SIC_Code2__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Website" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="demandbaseSID" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Phone" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="demandbaseCompany" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="demandbaseCountry" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="demandbaseState" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="demandbaseEmployeeRange" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="subIndustry" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="dataSource" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="watchListAccountType" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="watchListAccountOwner" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="watchListAccountStatus" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="watchListCampaignCode" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoButtonRow"><span class="mktoButtonWrap mktoNative" style="margin-left: 110px;"><button type="submit" class="mktoButton">Subscribe</button></span></div>
  <div class="marketo-legal">By clicking Subscribe, I agree to the use of my personal data in accordance with SentinelOne <a href="/legal/privacy-policy/">Privacy Policy</a>. SentinelOne will not sell, trade, lease, or rent your personal data to
    third parties.</div><input type="hidden" name="formid" class="mktoField mktoFieldDescriptor" value="2673"><input type="hidden" name="munchkinId" class="mktoField mktoFieldDescriptor" value="327-MNM-087">
</form>

<form novalidate="novalidate" class="mktoForm mktoHasWidth mktoLayoutLeft" style="font-family: inherit; font-size: 13px; color: rgb(51, 51, 51); visibility: hidden; position: absolute; top: -500px; left: -1000px; width: 1600px;"></form>

<form novalidate="novalidate" class="mktoForm mktoHasWidth mktoLayoutLeft" style="font-family: inherit; font-size: 13px; color: rgb(51, 51, 51); visibility: hidden; position: absolute; top: -500px; left: -1000px; width: 1600px;"></form>

Text Content

 * 
 * 


 * ABOUT
 * CONTACT
 * VISIT SENTINELONE.COM


Back
 * ABOUT
 * CONTACT
 * VISIT SENTINELONE.COM


Crimeware


CRATEDEPRESSION | RUST SUPPLY-CHAIN ATTACK INFECTS CLOUD CI PIPELINES WITH GO
MALWARE

Juan Andrés Guerrero-Saade / May 19, 2022

By Juan Andrés Guerrero-Saade & Phil Stokes


EXECUTIVE SUMMARY

 * SentinelLabs has investigated a supply-chain attack against the Rust
   development community that we refer to as ‘CrateDepression’.
 * On May 10th, 2022, the Rust Security Response Working Group released an
   advisory announcing the discovery of a malicious crate hosted on the Rust
   dependency community repository.
 * The malicious dependency checks for environment variables that suggest a
   singular interest in GitLab Continuous Integration (CI) pipelines.
 * Infected CI pipelines are served a second-stage payload. We have identified
   these payloads as Go binaries built on the red-teaming framework, Mythic.
 * Given the nature of the victims targeted, this attack would serve as an
   enabler for subsequent supply-chain attacks at a larger-scale relative to the
   development pipelines infected.
 * We suspect that the campaign includes the impersonation of a known Rust
   developer to poison the well with source code that relies on the typosquatted
   malicious dependency and sets off the infection chain.


OVERVIEW

On May 10th, 2022, the Rust dependency community repository crates.io released
an advisory announcing the removal of a malicious crate, ‘rustdecimal’. In an
attempt to fool rust developers, the malicious crate typosquats against the well
known rust_decimal package used for fractional financial calculations. An
infected machine is inspected for the GITLAB_CI environment variable in an
attempt to identify Continuous Integration (CI) pipelines for software
development.

On those systems, the attacker(s) pull a next-stage payload built on the
red-teaming post-exploitation framework Mythic. The payload is written in Go and
is a build of the Mythic agent ‘Poseidon’. While the ultimate intent of the
attacker(s) is unknown, the intended targeting could lead to subsequent larger
scale supply-chain attacks depending on the GitLab CI pipelines infected.




TECHNICAL ANALYSIS

The malicious package was initially spotted by an avid observer and reported to
the legitimate rust_decimal github account. A subsequent investigation by the
crates.io security team and Rust Security Response working group turned up 15
iterative versions of the malicious ‘rustdecimal’ as the attacker(s) tested
different approaches and refinements. Ranging from versions 1.22.0 to 1.23.5,
the malicious crate would function identically to the legitimate version except
for the addition of a single function, Decimal::new. This function contains code
lightly obfuscated with a five byte XOR key.

rustdecimal v1.23.4 decimal.rs XOR decryption function

Focusing on the obfuscated strings provides a pretty clear picture of the
intended effects at this stage of the attack.

The attacker sets a hook on std::panic so that any unexpected errors throw up
the following (deobfuscated) string: “Failed to register this runner. Perhaps
you are having network problems”. This is a more familiar error message for
developers running GitLab Runner software for CI pipelines.

The theme of the error message betrays the attacker’s targeting. The
bit_parser() function checks that the environment variable GITLAB_CI is set;
otherwise, it throws the error “503 Service Unavailable”. If the environment
variable is set, meaning that the infected machine is likely a GitLab CI
pipeline, the malicious crate checks for the existence of a file at
/tmp/git-updater.bin. If the file is absent, then it calls the check_value()
function.

rustdecimal v1.23.4 decimal.rs check_value() pulls the second-stage payload

Depending on the host operating system, check_value() deobfuscates a URL and
uses a curl request to download the payload and save it to /tmp/git-updater.bin.
Two URLs are available:

Linux
https://api.githubio[.]codes/v2/id/f6d50b696cc427893a53f94b1c3adc99/READMEv2.bin
macOS
https://api.githubio[.]codes/v2/id/f6d50b696cc427893a53f94b1c3adc99/README.bin

Once available, rustdecimal issues the appropriate commands to set the binary as
executable and spawn it as a fork. In macOS systems, it takes the extra step of
clearing the quarantine extended attribute before executing the payload.

If any of these commands fail, an expect() routine will throw up a custom error:
“ERROR 13: Type Mismatch”.


SECOND-STAGE PAYLOADS

The second-stage payloads come in ELF and Mach-O form, with the latter compiled
only for Apple’s Intel Macs. The malware will still run on Apple M1 Macs
provided the user has previously installed Rosetta.

Mach-O Technical Details

SHA256 74edf4ec68baebad9ef906cd10e181b0ed4081b0114a71ffa29366672bdee236 SHA1
c91b0b85a4e1d3409f7bc5195634b88883367cad MD5 95413bef1d4923a1ab88dddfacf8b382
Filetype Mach-O 64-bit executable x86_64 Size 6.5mb Filename ‘README.bin’
dropped as ‘/tmp/git-updater.bin’ C&C api.kakn[.]li resolving to 64.227.12.57

Both binaries are built against Go 1.17.8 and are unsigned Poseidon payloads,
agent installations for the Mythic post-exploitation red-teaming framework.
While Mythic has a number of possible agent types, Poseidon is the most suitable
for an attacker looking to compromise both Linux and more recent macOS versions.
Written in Go, Poseidon avoids the dependency problems that Macs have with
Mythic agents written in Python, AppleScript and JXA.

On execution, the second-stage payload performs a number of initial setup
procedures, taking advantage of Go’s goroutines feature to execute these
concurrently. The function profile.Start() then initiates communication with the
C2.

Left: Poseidon source code; Right: disassembly from README.bin sample

Both samples reach out to the same C2 for tasking:

https://api.kakn[.]li

At the time of our investigation, the C2 was unresponsive, but analysis of the
binary and the Poseidon source shows that the payload contains a switch with a
large array of tasking options, including screencapture, keylogging, uploading
and downloading files. On macOS, the operator can choose to persist by either or
both of a LaunchAgent/Daemon and a LoginItem.



Tasking options available to the operator of the Poseidon payload
The Linux version is practically an identical cross-compilation of the same
codebase–



BinDiff comparison of Linux and Mach-O versions

ELF Technical Details

SHA256 653c2ef57bbe6ac3c0dd604a761da5f05bb0a80f70c1d3d4e5651d8f672a872d SHA1
be0e8445566d3977ebb6dbb6adae6d24bfe4c86f MD5 1c9418a81371c351c93165c427e70e8d
Filetype ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically
linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0,
BuildID[sha1]=ce4cf8031487c7afd2df673b9dfb6aa0fd6a680b, stripped Size 6.3mb
Filename ‘READMEv2.bin’ dropped as ‘/tmp/git-updater.bin’ C&C api.kakn[.]li
resolving to 64.227.12.57

There are some notable dependency differences to enable OS specific
capabilities. For example, the Linux version does not rely on RDProcess but adds
libraries like xgb to communicate with the Linux X protocol.

Ultimately, both variants serve as an all-purpose backdoor, rife with
functionality for an attacker to hijack an infected host, persist, log
keystrokes, inject further stages, screencapture, or simply remotely administer
in a variety of ways.


CAMPAIGN CYCLE

The campaign itself is a little more opaque to us. We became aware of this
supply-chain attack via the crates.io security advisory, but by then the
attacker(s) had already staged multiple versions of their malicious crate. In
order to do so, the first few versions were submitted by a fake account ‘Paul
Masen’, an approximation of the original rust_decimal developer Paul Mason.

Cached version of Lib.Rs that still lists the fake ‘Paul Masen’ contributor
account

That account is in turn linked to a barebones Github account ‘MarcMayzl’. That
account is mostly bereft of content except for a single repository with two very
suspect files.

Github account ‘MarcMayzl’ that contributed the malicious repos to crates.io

The files, named tmp and tmp2 are SVG files for the popular Github Readme Stats.
However, these stats are generated in the name of a legitimate, predominantly
Rust-focused, developer. This appears to be an attempt to impersonate a trusted
Rust developer and is likely our best clue as to what the original infection
vector of this campaign may be.

Fake Github Readme Stats impersonating a predominantly Rust developer

If we think through the campaign cycle, the idea of simply typosquatting a
popular dependency isn’t a great way to infect a specific swath of targets
running GitLab CI pipelines. We are missing a part of the picture where code is
being contributed or suggested to a select population that includes a reference
to the malicious typosquatted dependency. This is precisely where impersonating
a known Rust developer might allow the attackers to poison the well for a target
rich population. We will continue to investigate this avenue and welcome
contributions from the Rust developer community in identifying these and further
tainted sources.


CONCLUSION

Software supply-chain attacks have gone from a rare occurrence to a highly
desirable approach for attackers to ‘fish with dynamite’ in an attempt to infect
entire user populations at once. In the case of CrateDepression, the targeting
interest in cloud software build environments suggests that the attackers could
attempt to leverage these infections for larger scale supply-chain attacks.


ACKNOWLEDGEMENTS

We’d like to acknowledge Carol Nichols, the crates.io team, and the Rust
Security Response working group for their help and responsible stewardship. We
also extend a sincere thank you to multiple security researchers that enabled us
to flesh out and analyze this campaign, including Wes Shields.


INDICATORS OF COMPROMISE

MALICIOUS CRATES 

(not to be confused with ‘rust_decimal’)

SHA1 Filename be62b4113b8d6df0e220cfd1f158989bad280a57
rustdecimal-1.22.0.crate.tar.gz 7fd701314b4a2ea44af4baa9793382cbcc58253c
1.22.0/src/decimal.rs bd927c2e1e7075b6ed606cf1e5f95a19c9cad549
rustdecimal-1.22.1.crate.tar.gz 13f2f14bc62de8857ef829319145843e30a2e4ea
1.22.1/src/decimal.rs 609f80fd5847e7a69188458fa968ecc52bea096a
rustdecimal-1.22.2.crate.tar.gz f578f0e6298e1055cdc9b012d8a705bc323f6053
1.22.2/src/decimal.rs 2f8be17b93fe17e2f97871654b0fc2a1c2cb4ed3
rustdecimal-1.22.3.crate.tar.gz b8a9f5bc1f56f8431286461fe0e081495f285f86
1.22.3/src/decimal.rs 051d3e17b501aaacbe1deebf36f67fd909aa6fbc
rustdecimal-1.22.4.crate.tar.gz 5847563d877d8dc1a04a870f6955616a1a20b80e
1.22.4/src/decimal.rs 99f7d1ec6d5be853eb15a8c6e6f09edd0c794a50
rustdecimal-1.22.5.crate.tar.gz a28b44c8882f786d3d9ff18a596db92b7e323a56
1.22.5/src/decimal.rs 5a9e79ff3e87a9c7745e423de8aae2a4da879f08
rustdecimal-1.22.6.crate.tar.gz 90551abe66103afcb6da74b0480894d68d9303c2
1.22.6/src/decimal.rs fd63346faca7da3e7d714592a8222d33aaf73e09
rustdecimal-1.22.7.crate.tar.gz 4add8c27d5ce7dd0541b5f735c37d54bc21939d1
1.22.7/src/decimal.rs 8c0efac2575f06bcc75ab63644921e8b057b3aa1
rustdecimal-1.22.8.crate.tar.gz 16faf72d9d95b03c74193534367e08b294dcb27a
1.22.8/src/decimal.rs ddca9d5a32aebc5a8106b4a3d2e22200898af91d
rustdecimal-1.22.9.crate.tar.gz 34a06b4664d0077f69b035414b8e85e9c2419962
1.22.9/src/decimal.rs 009bb8cef14d39237e0f33c3c088055ce185144f
rustdecimal-1.23.0.crate.tar.gz a6c803fc984fd20ba8c2118300c12d671403f864
1.23.0/src/decimal.rs c5f2a35c924003e43dabc04fc8bbc5f26a736a80
rustdecimal-1.23.1.crate.tar.gz d0fb17e43c66689602bd3147d905d388b0162fc5
1.23.1/src/decimal.rs a14d34bb793e86eec6e6a05cd6d2dc4e72c96de9
rustdecimal-1.23.2.crate.tar.gz a21af73e14996be006e8313aa47a15ddc402817a
1.23.2/src/decimal.rs a4a576ea624f82e4305ca9e83b567bdcf9e15da7
rustdecimal-1.23.3.crate.tar.gz 98c531ba4d75e8746d0129ad7914c64e333e5da8
1.23.3/src/decimal.rs 016c3399c9f4c90af09d028b32f18e70c747a0f6
rustdecimal-1.23.4.crate.tar.gz a0516d583c2ab471220a0cc4384e7574308951af
1.23.4/src/decimal.rs 987112d87e5bdfdfeda906781722d87f397c46e7
rustdecimal-1.23.5.crate.tar.gz 88cbd4f284ba5986ba176494827b7252c826ff75
1.23.5/src/decimal.rs

SECOND-STAGE PAYLOADS

Filename SHA1 README.bin (Mach-O, Intel)
c91b0b85a4e1d3409f7bc5195634b88883367cad READMEv2.bin (ELF)
be0e8445566d3977ebb6dbb6adae6d24bfe4c86f

NETWORK INDICATORS

githubio[.]codes
https://api.githubio[.]codes/v2/id/f6d50b696cc427893a53f94b1c3adc99/READMEv2.bin
https://api.githubio[.]codes/v2/id/f6d50b696cc427893a53f94b1c3adc99/README.bin
api.kakn[.]li
64.227.12[.]57

CI
cloud
Rust
Supply Chain Attack


SHARE



JUAN ANDRÉS GUERRERO-SAADE

Juan Andrés is a Principal Threat Researcher at SentinelOne and an Adjunct
Professor of Strategic Studies at Johns Hopkins School of Advanced International
Studies (SAIS). Juan Andrés was Chronicle Security’s Research Tsar, founding
researcher of the Uppercase team. Prior to joining Chronicle, he was Principal
Security Researcher at Kaspersky’s GReAT team focusing on targeted attacks and
worked as Senior Cybersecurity and National Security Advisor to the Government
of Ecuador. His joint work on Moonlight Maze is now featured in the
International Spy Museum’s permanent exhibit in Washington, DC.

Prev

PUTTING THINGS IN CONTEXT | TIMELINING THREAT CAMPAIGNS


RELATED POSTS


LOCKBIT RANSOMWARE SIDE-LOADS COBALT STRIKE BEACON WITH LEGITIMATE VMWARE
UTILITY

April 27 2022


NOKOYAWA RANSOMWARE | NEW KARMA/NEMTY VARIANT WEARS THIN DISGUISE

April 21 2022


SANCTIONS BE DAMNED | FROM DRIDEX TO MACAW, THE EVOLUTION OF EVIL CORP

February 23 2022


SEARCH

Search ...


SIGN UP

Get notified when we post new content.

*
























Subscribe
By clicking Subscribe, I agree to the use of my personal data in accordance with
SentinelOne Privacy Policy. SentinelOne will not sell, trade, lease, or rent
your personal data to third parties.

Thanks! Keep an eye out for new content!


RECENT POSTS

 * Putting Things in Context | Timelining Threat Campaigns
   May 11, 2022
 * Vulnerabilities in Avast And AVG Put Millions At Risk
   May 5, 2022
 * Moshen Dragon’s Triad-and-Error Approach | Abusing Security Software to
   Sideload PlugX and ShadowPad
   May 2, 2022


LABS CATEGORIES

 * Security Research
 * Crimeware
 * Security & Intelligence
 * Adversary
 * Advanced Persistent Threat


SENTINELLABS

In the era of interconnectivity, when markets, geographies, and jurisdictions
merge in the melting pot of the digital domain, the perils of the threat
ecosystem become unparalleled. Crimeware families achieve an unparalleled level
of technical sophistication, APT groups are competing in fully-fledged cyber
warfare, while once decentralized and scattered threat actors are forming
adamant alliances of operating as elite corporate espionage teams.


LATEST TWEET

 * RT @VentureBeat: Five critical vulnerabilities in #Microsoft Azure Defender
   for #IoT could result in "full network compromise," researchers…53 days ago
 * We just released a research on a supply-chain attack against the Rust
   development community. We referred to it as… https://t.co/T6T3Cp5cWa2 days
   ago
 * The Centre for Cybersecurity Belgium (CCB) kindly invites you to its online
   CCB Share & Connect event – previousl… https://t.co/7yoL03kHyp19 days ago
 * New on #SentinelLabs! We have disclosed 10.0 CVSS vulnerabilities on
   Microsoft’s Azure Defender for IoT allowing u… https://t.co/cEnYqccXrV53 days
   ago
 * RT @VentureBeat: Five critical vulnerabilities in #Microsoft Azure Defender
   for #IoT could result in "full network compromise," researchers…53 days ago
 * We just released a research on a supply-chain attack against the Rust
   development community. We referred to it as… https://t.co/T6T3Cp5cWa2 days
   ago




RECENT POSTS

 * Putting Things in Context | Timelining Threat Campaigns
   May 11, 2022
 * Vulnerabilities in Avast And AVG Put Millions At Risk
   May 5, 2022
 * Moshen Dragon’s Triad-and-Error Approach | Abusing Security Software to
   Sideload PlugX and ShadowPad
   May 2, 2022


SIGN UP

Get notified when we post new content.

*
























Subscribe
By clicking Subscribe, I agree to the use of my personal data in accordance with
SentinelOne Privacy Policy. SentinelOne will not sell, trade, lease, or rent
your personal data to third parties.

Thanks! Keep an eye out for new content!

 * Twitter
 * LinkedIn

©2022 SentinelOne, All Rights Reserved.





PRIVACY PREFERENCE CENTER

When you visit any website, it may store or retrieve information on your
browser, mostly in the form of cookies. This information might be about you,
your preferences or your device and is mostly used to make the site work as you
expect it to. The information does not usually directly identify you, but it can
give you a more personalized web experience. Because we respect your right to
privacy, you can choose not to allow some types of cookies. Click on the
different category headings to find out more and change our default settings.
However, blocking some types of cookies may impact your experience of the site
and the services we are able to offer.
More information
Allow All


MANAGE CONSENT PREFERENCES

FUNCTIONAL COOKIES

Functional Cookies

These cookies enable the website to provide enhanced functionality and
personalisation. They may be set by us or by third party providers whose
services we have added to our pages. If you do not allow these cookies then some
or all of these services may not function properly.

STRICTLY NECESSARY COOKIES

Always Active

These cookies are necessary for the website to function and cannot be switched
off in our systems. They are usually only set in response to actions made by you
which amount to a request for services, such as setting your privacy
preferences, logging in or filling in forms. You can set your browser to block
or alert you about these cookies, but some parts of the site will not then work.
These cookies do not store any personally identifiable information.

PERFORMANCE COOKIES

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and
improve the performance of our site. They help us to know which pages are the
most and least popular and see how visitors move around the site. All
information these cookies collect is aggregated and therefore anonymous. If you
do not allow these cookies we will not know when you have visited our site, and
will not be able to monitor its performance.

TARGETING COOKIES

Targeting Cookies

These cookies may be set through our site by our advertising partners. They may
be used by those companies to build a profile of your interests and show you
relevant adverts on other sites. They do not store directly personal
information, but are based on uniquely identifying your browser and internet
device. If you do not allow these cookies, you will experience less targeted
advertising.

Back Button Back



Vendor Search Search Icon
Filter Icon

Clear
checkbox label label
Apply Cancel
Consent Leg.Interest
checkbox label label
checkbox label label
checkbox label label

Confirm My Choices


By clicking “Accept All Cookies”, you agree to the storing of cookies on your
device to enhance site navigation, analyze site usage, and assist in our
marketing efforts.

Cookies Settings Accept All Cookies






We'd like to show you notifications for the latest news and updates.


AllowCancel