Accenture Cybersecurity has issued a critical warning regarding the "World Leaks" cybercrime group, which has integrated a new, stealthy custom toolset named ‘RustyRocket’ into their extortion operations. Unlike commodity ransomware that relies on off-the-shelf encryptors, RustyRocket represents a sophisticated, bespoke development designed specifically to evade standard endpoint detection and response (EDR) solutions.
For defenders, this shift is significant. The use of custom malware often indicates a higher level of operational maturity and intent to target organizations with mature security postures. The primary risk is not just encryption but stealthy data exfiltration leading to double-extortion schemes. Security teams must immediately assume that traditional signature-based defenses may fail against this threat and pivot to behavioral hunting and anomaly detection.
Technical Analysis
Threat Actor and Toolset
- Threat Actor: World Leaks (Ransomware/Extortion group)
- Malware Tool: RustyRocket (Custom payload)
- Attack Vector: Initial access typically follows phishing, compromised credentials, or valid account usage, followed by the deployment of the custom tool.
Malware Behavior and Mechanics
RustyRocket is characterized as a sophisticated, stealthy toolset. While specific CVEs are not applicable (as this is malware-based exploitation rather than a software vulnerability), the threat focuses on post-exploitation activities.
- Execution & Evasion: The malware likely employs process injection, API hooking, or direct system calls to bypass user-mode hooks (common in EDRs). It may masquerade as legitimate system processes to blend in.
- Encryption & Exfiltration: As an extortion tool, it attempts to encrypt sensitive files while simultaneously exfiltrating data to a C2 server. The "sophisticated" descriptor suggests it targets specific file types or utilizes partial encryption to speed up the process and avoid triggering large-volume I/O alerts.
- Persistence: The tool likely establishes persistence via Scheduled Tasks, Registry Run keys, or WMI event subscriptions, often using obfuscated PowerShell scripts to maintain access.
Exploitation Status
- Status: Confirmed Active Exploitation (in the wild)
- Availability: Custom, private tool (not publicly available as a commodity).
Detection & Response
Given the custom nature of RustyRocket, defenders must rely on behavioral anomalies rather than static signatures. The following detection logic focuses on the likely TTPs of a stealthy extortion tool: unusual process execution patterns, mass file modifications, and obfuscated command lines.
SIGMA Rules
---
title: Potential RustyRocket Custom Tool Execution
id: 8a4d3f21-1b5c-4e8f-9a0d-2f3c4b5e6d7f
status: experimental
description: Detects potential execution of custom malware like RustyRocket based on unsigned binaries running from suspicious paths or spawning from system processes.
references:
- https://www.infosecurity-magazine.com/news/world-leaks-ransomware-rustyrocket/
author: Security Arsenal
date: 2025/04/10
tags:
- attack.execution
- attack.t1059.001
- attack.defense_evasion
- attack.t1036.005
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains:
- '\Temp\'
- '\AppData\Local\Temp\'
- '\Public\'
Signed: 'false'
filter_legit:
Image|contains:
- '\Program Files\'
- '\Program Files (x86)\'
- '\Windows\System32\'
- '\Windows\SysWOW64\'
condition: selection and not filter_legit
falsepositives:
- Legitimate software installers
- Temporary build artifacts
level: high
---
title: PowerShell Obfuscation Common in Custom Loaders
id: 9b5e4f32-2c6d-5f9g-0b1e-3g4h5i6j7k8l
status: experimental
description: Detects highly obfuscated PowerShell command lines often used to load custom payloads like RustyRocket.
references:
- https://attack.mitre.org/techniques/T1059/001/
author: Security Arsenal
date: 2025/04/10
tags:
- attack.execution
- attack.t1059.001
- attack.defense_evasion
logsource:
category: process_creation
product: windows
detection:
selection_obfu:
CommandLine|contains:
- 'EncryptedData'
- 'ToBase64String'
- 'FromBase64String'
- 'IEX '
- 'Invoke-Expression'
selection_suspicious_flags:
CommandLine|contains:
- ' -EncodedCommand '
- ' -Enc '
- ' -W '
- ' -NonI '
- ' -NoP '
condition: all of selection_*
falsepositives:
- System management scripts
- Legitimate admin automation
level: medium
---
title: Mass File Modification Indicator
id: 0c1d2e3f-4g5h-6i7j-8k9l-0m1n2o3p4q5r
status: experimental
description: Detects processes modifying a high volume of files, indicative of encryption activity like RustyRocket.
references:
- https://attack.mitre.org/techniques/T1486/
author: Security Arsenal
date: 2025/04/10
tags:
- attack.impact
- attack.t1486
logsource:
category: file_change
product: windows
detection:
selection:
TargetFilename|contains:
- ':\Users\'
- ':\Program Files\'
condition: selection | count(TargetFilename) by Image > 50
timeframe: 1m
falsepositives:
- System updates
- Backup software
- Code compilation
level: critical
KQL (Microsoft Sentinel / Defender)
This hunt query identifies processes creating high volumes of file modification events or handle operations, a common sign of ransomware activity, and correlates it with unsigned binaries.
// Hunt for RustyRocket Encryption Behavior
let TimeWindow = 1h;
let FileChangeThreshold = 100;
DeviceFileEvents
| where Timestamp > ago(TimeWindow)
| where ActionType in ("FileCreated", "FileModified")
| summarize FileCount = count() by DeviceId, InitiatingProcessAccountId, InitiatingProcessFileName, InitiatingProcessFolderPath
| where FileCount > FileChangeThreshold
| join kind=inner (
DeviceProcessEvents
| where Timestamp > ago(TimeWindow)
| project DeviceId, FileName, SHA256, IsSigned = iif(IsSigned == true, "Signed", "Unsigned")
) on DeviceId
| where IsSigned == "Unsigned" or InitiatingProcessFolderPath contains "\\Temp\\"
| project DeviceId, InitiatingProcessFileName, InitiatingProcessFolderPath, FileCount, IsSigned, SHA256
Velociraptor VQL
This artifact hunts for processes that are not signed by a reputable certificate or are running from suspicious temporary locations, which aligns with the "custom" and "stealthy" nature of RustyRocket.
-- Hunt for Unsigned or Suspicious Processes (RustyRocket Indicators)
SELECT
Pid,
Name,
Exe,
CommandLine,
Username,
Sig.Signer,
Sig.Status
FROM pslist()
WHERE
-- Filter for processes running from user temp directories or public folders
Exe =~ 'C:\\Users\\.*\\AppData\\Local\\Temp\\.*' OR
Exe =~ 'C:\\Users\\Public\\.*'
-- Include unsigned processes
OR Sig.Status != 'VALID'
-- Exclude common false positives like browsers or system tools if necessary
AND Name NOT IN ('chrome.exe', 'firefox.exe', 'msedge.exe', 'iexplore.exe')
Remediation Script (PowerShell)
Use this script on suspected compromised endpoints to immediately isolate the machine and kill suspicious unsigned processes commonly associated with custom payloads. Note: Test in a non-production environment first.
<#
.SYNOPSIS
Isolation and Remediation Script for RustyRocket Response.
.DESCRIPTION
Disables network adapters and terminates suspicious unsigned processes.
#>
Write-Host "[*] Starting RustyRocket Incident Response Protocol..." -ForegroundColor Cyan
# 1. Disable Network Adapters to prevent further exfiltration/propagation
Write-Host "[*] Disabling all physical network interfaces for isolation..."
Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' } | Disable-NetAdapter -Confirm:$false
Write-Host "[+] Network adapters disabled." -ForegroundColor Green
# 2. Identify and Kill Suspicious Processes (Unsigned, running from Temp)
Write-Host "[*] Hunting for unsigned processes in Temp directories..."
$suspiciousProcesses = Get-WmiObject Win32_Process |
Where-Object {
$_.ExecutablePath -match '\\AppData\\Local\\Temp\\' -or
$_.ExecutablePath -match '\\Users\\Public\\'
}
if ($suspiciousProcesses) {
foreach ($proc in $suspiciousProcesses) {
$filePath = $proc.ExecutablePath
$sig = (Get-AuthenticodeSignature $filePath).Status
if ($sig -ne 'Valid') {
Write-Host "[!] Terminating suspicious unsigned process: $($proc.Name) (PID: $($proc.ProcessId))" -ForegroundColor Yellow
Stop-Process -Id $proc.ProcessId -Force -ErrorAction SilentlyContinue
}
}
} else {
Write-Host "[+] No suspicious unsigned processes found in Temp paths."
}
Write-Host "[*] Remediation complete. Machine is isolated." -ForegroundColor Cyan
Remediation
- Immediate Isolation: Upon detection, isolate affected hosts from the network immediately to stop data exfiltration and lateral movement.
- Credential Reset: Assume credential theft. Reset all credentials for accounts used on the affected machines, especially privileged accounts.
- Forensic Acquisition: Capture a full memory image and disk clone of affected systems before performing a wipe and rebuild. This is critical for analyzing the custom RustyRocket payload to understand its specific C2 mechanisms.
- Blocking Indicators: While custom malware changes hashes, review network logs for the C2 infrastructure used during the breach and block the associated IPs and Domains at the firewall.
- Restore from Backups: Rebuild the OS from scratch (do not attempt to clean the infection). Restore data from offline, immutable backups.
- Hunt for Persistence: After restoration, audit Scheduled Tasks, WMI subscriptions, and Registry Run keys to ensure no persistence mechanisms survived the rebuild (e.g., if domain admin credentials were not fully reset).
Related Resources
Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.