Full Report
Cybersecurity researchers have discovered a malicious Rust package that's capable of targeting Windows, macOS, and Linux systems, and features malicious functionality to stealthily execute on developer machines by masquerading as an Ethereum Virtual Machine (EVM) unit helper tool. The Rust crate, named "evm-units," was uploaded to crates.io in mid-April 2025 by a user named "ablerust,"
Analysis Summary
# Tool/Technique: evm-units Malicious Rust Crate
## Overview
A malicious Rust package named `evm-units`, uploaded to crates.io by user "ablerust," designed to compromise developer machines, particularly those in the Web3/Cryptocurrency space. It masquerades as an Ethereum Virtual Machine (EVM) unit helper tool to achieve stealthy, cross-platform execution of a second-stage payload.
## Technical Details
- Type: Malware/Supply Chain Compromise
- Platform: Windows, macOS, Linux
- Capabilities: Downloads and executes OS-specific malware payloads; evasion checks against Qihoo 360 antivirus (`qhsafetray.exe`).
- First Seen: Mid-April 2025 (Upload date to crates.io)
## MITRE ATT&CK Mapping
This initial dropper/downloader activity primarily maps to initial access and execution stages:
- **TA0001 - Initial Access**
  - T1195 - Supply Chain Compromise
    - T1195.002 - Compromise Software Supply Chain
- **TA0002 - Execution**
  - T1059 - Command and Scripting Interpreter
    - T1059.001 - PowerShell (Windows)
    - T1059.006 - Python (not observed in the dropper itself; possible only depending on the final payload)
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information (payload delivery hidden inside an apparently benign helper function)
## Functionality
### Core Capabilities
- **Supply Chain Infection:** Delivered via the Rust package manager ecosystem (crates.io), potentially pulled in transitively by dependent packages like `uniswap-utils`.
- **Cross-Platform Payload Delivery:** Executes OS-specific logic to fetch a next-stage payload.
- **Masquerading:** Disguised as an EVM helper utility, attempting to blend in on developer systems.
- **Evasion Check:** Explicitly checks for the presence of the Qihoo 360 antivirus process (`qhsafetray.exe`).
### Advanced Features
- **Antivirus Evasion:** If Qihoo 360 is detected, the execution method is slightly altered (e.g., direct PowerShell invocation instead of a VBS wrapper). If it is not detected, the payload runs along the normal path while the helper returns its benign-looking output ("return the Ethereum version number").
- **Persistent Execution (Linux/macOS):** Uses `nohup` to run the downloaded script (`init` or `/tmp/init`) in the background, so the process ignores SIGHUP and keeps running after the launching shell or session ends.
- **Staging:** The functionality within `get_evm_version()` is used to download and execute the actual malware payload from a remote URL.
## Indicators of Compromise
- File Hashes: None provided in the context.
- File Names:
  - Linux Payload: `init` (in `/tmp/init`)
  - macOS Payload: `init`
  - Windows Payload: `init.ps1` (PowerShell script)
- Registry Keys: Not specified.
- Network Indicators:
  - C2/Download Server: `download[.]videotalks[.]xyz` (defanged)
- Behavioral Indicators:
  - `nohup` prefixed to the command that launches the downloaded `init` script (Linux/macOS).
  - Creation of VBS wrapper scripts on Windows to hide PowerShell execution.
  - Enumeration of running processes for the name `qhsafetray.exe`.
## Associated Threat Actors
The actor is identified by the publishing user name: **ablerust**. The targeting profile (Web3/crypto focus coupled with specific targeting of a Chinese AV product) suggests a group potentially active in Asia or focused on East Asian crypto markets.
## Detection Methods
- **Signature-based detection:** Signatures on the package names (`evm-units`, `uniswap-utils`) in `Cargo.toml`/`Cargo.lock` dependency manifests or in build logs.
- **Behavioral detection:** Monitoring for Rust initialization routines that attempt network connections to suspicious domains or spawn shell commands (`nohup`, `osascript`, or hidden PowerShell execution) immediately after package initialization.
- **YARA rules if available:** Not available, but rules could be developed around static strings or binary signatures of the downloaded payloads.
## Mitigation Strategies
- **Prevention measures:** Strict validation of dependencies via public package repositories; usage of private/internal proxy repositories; implementing dependency checksum verification.
- **Hardening recommendations:** Employing supply chain security tools to vet package authors, download history, and code contents *before* integration into development environments. Developers should be cautious of installing packages with high download counts but recent publication dates from unknown authors in niche domains.
## Related Tools/Techniques
- Other malicious crates targeting the Rust ecosystem.
- General supply chain attacks exploiting dependency confusion or typo-squatting in package managers (npm, PyPI, RubyGems).
- Malware campaigns specifically targeting cryptocurrency users or developers (e.g., targeting wallet credentials).