LabubaRAT: NVIDIA Masquerade and Rust-Based Footholds
Just caught the Blackpoint Cyber analysis on LabubaRAT, a new Rust-based RAT that is explicitly masquerading as NVIDIA software. Given how common NVIDIA utilities are in dev and gaming environments, this is a clever way to blend in and establish that 'reusable foothold' the researchers mentioned.
Since it's written in Rust, we should expect standard cross-platform compilation and potentially heavier obfuscation. The key here is the masquerading. Threat actors are likely relying on users ignoring NVIDIA*.exe processes in Task Manager or allowing them through firewalls.
For detection, simple hash matching won't work if they recompile. We need to focus on signature validation and path anomalies. If you see NVIDIA processes running from user directories or temp folders, it's game over.
Here is a quick PowerShell snippet to audit running NVIDIA processes and verify their digital signatures. If the status isn't 'Valid', you need to investigate immediately:
Get-Process -Name "*nvidia*" -ErrorAction SilentlyContinue | ForEach-Object {
$fileInfo = Get-Item -Path $_.Path -ErrorAction SilentlyContinue
if ($fileInfo) {
$signature = Get-AuthenticodeSignature -FilePath $fileInfo.FullName
if ($signature.Status -ne 'Valid') {
Write-Host "ALERT: Unsigned NVIDIA process detected! PID: $($_.Id), Path: $($_.Path)" -ForegroundColor Red
}
}
}
Has anyone integrated specific driver signature enforcement policies to stop this specific type of masquerading, or are we relying too much on EDR heuristics?
We've seen a similar uptick in hardware-impersonating malware. Validating the signature is a good first step, but we've gone a step further with WDAC (Windows Defender Application Control) policies. By only allowing signed NVIDIA drivers from the specific Microsoft Hardware Compatibility Publisher list, we block these unsigned masquerades entirely. It's a bit of a management overhead, but it stops this Rust-based stuff cold before it can even execute.
This feels targeted at crypto-miners or workstation-heavy environments to me. If LabubaRAT profiles the host as mentioned, they are likely checking for GPU specs. I'm setting up a Sigma rule to trigger on any process with 'nvidia' in the name attempting to establish outbound C2 connections on non-standard ports.
detection:
selection:
Image|contains: 'nvidia'
DestinationPort|notin: [80, 443, 8080]
condition: selection
Interesting that they chose Rust. It suggests they might expand to Linux later if they haven't already. From an IR perspective, profiling the host means they are likely running systeminfo or checking WMI for GPU details. Keep an eye on wmic calls executed by a process claiming to be a driver utility.
The masquerading angle is a great pivot for detection. Threat actors often drop these fake NVIDIA utilities in user directories hoping users overlook them. I'd recommend scanning common download or temp folders for executables claiming to be signed by NVIDIA but running from a non-standard path. You can automate this check easily:
Get-ChildItem -Path $env:TEMP -Recurse -Filter *.exe | Get-AuthenticodeSignature | Where-Object {$_.SignerCertificate.Subject -like "*NVIDIA*" -and $_.Status -eq 'Valid'}
If you find valid NVIDIA sigs in TEMP, it's almost certainly a trojan.
Verified Access Required
To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.
Request Access