Introduction
Accenture Cybersecurity has issued a critical warning regarding the "World Leaks" cybercrime group, which has integrated a new, stealthy custom malware dubbed "RustyRocket" into their attack arsenal. Reported as a sophisticated toolset designed to evade detection, RustyRocket is being utilized in active extortion campaigns. For defenders, the emergence of custom malware like RustyRocket signals a shift away from signature-based reliance. It is no longer enough to rely on antivirus definitions alone; security teams must adopt a behavior-based detection strategy to identify the subtle indicators of compromise (IOCs) associated with these highly adaptable threats.
Technical Analysis
RustyRocket is classified as a custom malicious software developed specifically to support extortion-based operations. Unlike commoditized off-the-shelf ransomware, custom tools like RustyRocket often incorporate obfuscation techniques and anti-analysis methods to bypass traditional Endpoint Detection and Response (EDR) heuristic engines.
The malware is typically deployed after initial access is gained—often through compromised credentials or social engineering—and focuses on maintaining persistence while preparing for data exfiltration and encryption. The "sophistication" noted by Accenture suggests the use of direct system calls, API unhooking, or memory-only execution to avoid disk scanning. Given its role in extortion, the malware likely includes modules for network discovery, credential dumping, and large-scale data staging prior to the execution of the encryption payload.
Defensive Monitoring
To detect threats like RustyRocket that evade standard signatures, security teams must hunt for anomalies in process creation, network connections, and file system activity. The following detection rules and queries are designed to identify the behavioral patterns characteristic of stealthy custom malware.
SIGMA Rules
The following SIGMA rules target common stealth techniques used by sophisticated extortion tools, such as execution from suspicious paths, masquerading, and the use of obfuscated PowerShell commands.
---
title: Suspicious Process Execution from Uncommon Locations
id: 1c2b3a4d-5e6f-4a7b-8c9d-0e1f2a3b4c5e
status: experimental
description: Detects processes executing from uncommon directories often used by custom malware for staging or evasion.
references:
- https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2024/10/25
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains:
- '\\AppData\\Local\\Temp'
- '\\AppData\\Roaming'
- '\\Public\\'
- '\\Downloads\\'
Image|endswith:
- '.exe'
- '.dll'
filter:
Image|contains:
- '\\Microsoft\\'
- '\\Google\\'
- '\\Mozilla\\'
- '\\ Dropbox\\'
- '\\ Teams\\'
condition: selection and not filter
falsepositives:
- Legitimate software installers or user-initiated downloads
level: medium
---
title: Obfuscated PowerShell Command Line with Hidden Window
id: d4e5f6a7-b8c9-4d0e-8f1a-2b3c4d5e6f7a
status: experimental
description: Detects PowerShell execution with window style flags often used to hide malicious consoles and execution of encoded commands.
references:
- https://attack.mitre.org/techniques/T1059/001/
author: Security Arsenal
date: 2024/10/25
tags:
- attack.execution
- attack.t1059.001
- attack.defense_evasion
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\\powershell.exe'
CommandLine|contains:
- ' -WindowStyle '
- ' -w '
- ' -EncodedCommand '
- ' -enc '
- ' -NonInteractive '
filter_legit:
ParentImage|contains:
- '\\System32\\'
- '\\Program Files\\'
- '\\Program Files (x86)\\'
condition: selection and not filter_legit
falsepositives:
- Legitimate system management scripts
level: high
KQL Queries
Use these KQL queries in Microsoft Sentinel or Microsoft 365 Defender to hunt for potential RustyRocket activity or similar extortion toolsets.
// Hunt for processes with signed binaries but suspicious parent-child relationships
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where InitiatingProcessFileName != "Unknown"
| where FileName in~ ("powershell.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe")
| where FolderPath !contains @"\Program Files"
| where FolderPath !contains @"\System32"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
// Detect rare network connections indicative of C2 beaconing
DeviceNetworkEvents
| where Timestamp >= ago(24h)
| where RemotePort < 1024 or RemotePort in (443, 8080, 8443)
| summarize count() by DeviceName, RemoteUrl, RemotePort
| where count_ <= 5 // Rare connections
| join kind=inner (DeviceProcessEvents | where Timestamp >= ago(24h) | project Timestamp, DeviceName, FileName, ProcessCommandLine) on DeviceName
| project Timestamp, DeviceName, RemoteUrl, RemotePort, FileName, ProcessCommandLine
Velociraptor VQL
These Velociraptor hunt queries help identify potential malware persistence and suspicious execution on endpoints.
-- Hunt for unsigned executables running from user directories
SELECT * FROM glob(
globs='C:\Users\*\*.exe',
accessor='auto'
)
WHERE NOT MTime < now() - 7d
AND NOT Name =~ @'\AppData\Local\(Google|Microsoft|Mozilla|Dropbox)\'
-- Hunt for processes with suspicious command lines referencing encoding
SELECT Pid, Name, CommandLine, Exe
FROM pslist()
WHERE CommandLine =~ @'-Enc' OR CommandLine =~ @'-EncodedCommand'
OR CommandLine =~ @'DownloadString'
PowerShell Verification Script
This script can be used by incident responders to check for suspicious persistence mechanisms or recent file creations in user profiles.
<#
.SYNOPSIS
Checks for suspicious executables created recently in user profiles.
.DESCRIPTION
Scans user directories for .exe or .dll files created in the last 7 days
outside of standard folders.
#>
$CutoffDate = (Get-Date).AddDays(-7)
$SuspiciousPaths = @()
Get-ChildItem -Path "C:\Users\" -Recurse -ErrorAction SilentlyContinue |
Where-Object { $_.Extension -match '\.(exe|dll|bat|vbs|ps1)' -and $_.LastWriteTime -gt $CutoffDate } |
Where-Object { $_.FullName -notmatch '\\AppData\\Local\\(Microsoft|Google|Mozilla|Programs\\)\\' -and
$_.FullName -notmatch '\\AppData\\Roaming\\(Microsoft|Adobe|Dropbox)\\' } |
ForEach-Object {
$fileHash = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
[PSCustomObject]@{
Path = $_.FullName
CreationTime = $_.CreationTime
LastWriteTime = $_.LastWriteTime
Size = $_.Length
Hash = $fileHash.Hash
}
$SuspiciousPaths += $_.FullName
}
if ($SuspiciousPaths.Count -gt 0) {
Write-Warning "Suspicious files found:"
$SuspiciousPaths
} else {
Write-Host "No suspicious files found in the last 7 days." -ForegroundColor Green
}
Remediation
In response to the World Leaks RustyRocket threat, organizations should implement the following remediation steps immediately:
- Isolate Affected Systems: If activity is detected, isolate the host from the network immediately to prevent lateral movement and data exfiltration.
- Patch and Harden: Ensure all systems are patched against known vulnerabilities, particularly those in VPN gateways and remote access services, which are common initial access vectors.
- Disable Unnecessary Protocols: Restrict the use of PowerShell and WMI to only necessary administrative accounts. Enable Just-In-Time (JIT) access for privileged credentials.
- Review User Privileges: Audit local administrator group memberships and remove unnecessary rights to limit the blast radius of potential infections.
- Verify Backups: Ensure offline, immutable backups are available and tested. Custom malware like RustyRocket often targets backup software agents to prevent recovery.
Related Resources
Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.