New '01flip' Ransomware, Written in Rust, Targets Critical Infrastructure in APAC

Cross-Platform "01flip" Ransomware Written in Rust Targets Critical Infrastructure with Sliver C2

HIGH
December 15, 2025
Ransomware, Malware, Industrial Control Systems

Related Entities: 01flip, Sliver

Executive Summary

Security researchers have identified a new, sophisticated ransomware strain named 01flip. This malware is notable for being written in the Rust programming language, which allows it to be compiled for and run on both Windows and Linux operating systems. The ransomware is being used in highly targeted, manual attacks against critical infrastructure organizations in the Asia-Pacific (APAC) region. The attackers' methodology involves exploiting exposed public services for initial access, followed by the deployment of the Sliver command-and-control (C2) framework to facilitate lateral movement and reconnaissance. The use of Rust contributes to the malware's stealth, with Linux variants reportedly evading detection for months. This campaign underscores the increasing adoption of modern programming languages by threat actors to create more potent and resilient malware.


Threat Overview

The 01flip ransomware campaign represents a significant threat due to its combination of targets (critical infrastructure), tactics (manual, hands-on-keyboard attacks), and technology (cross-platform, evasive malware). Unlike automated, widespread ransomware campaigns, these attacks are deliberate and tailored to the victim's environment. The choice of Rust as a development language is a key concern, as it offers memory safety features that can make traditional vulnerability analysis more difficult, and its growing popularity means defenders will see more of it.

The attackers' use of the Sliver C2 framework is also noteworthy. Sliver is a legitimate, open-source post-exploitation toolkit similar to Cobalt Strike. Its use by threat actors allows them to blend in with legitimate red team activity and leverage a powerful, feature-rich platform for controlling compromised systems.


Technical Analysis

The attack chain follows a common pattern for targeted ransomware intrusions.

  1. Initial Access: Attackers gain entry by exploiting an unspecified, exposed service on the victim's network (T1190 - Exploit Public-Facing Application). This could be a vulnerability in a VPN, RDP, or other internet-facing application.
  2. Post-Exploitation & C2: Once inside, the attackers deploy the Sliver C2 framework. This gives them a stable command-and-control channel to the compromised network (T1071.001 - Web Protocols).
  3. Reconnaissance & Lateral Movement: Using Sliver, the attackers perform internal reconnaissance to map the network, identify high-value targets like domain controllers and file servers, and escalate privileges (T1046 - Network Service Discovery, T1078 - Valid Accounts).
  4. Impact: Once they have achieved sufficient access, they deploy the 01flip ransomware across the network to encrypt files on both Windows and Linux systems (T1486 - Data Encrypted for Impact). The cross-platform nature of the Rust-based payload allows them to impact a wider range of systems with a single toolset.

Impact Assessment

The targeting of critical infrastructure in the APAC region is a major cause for concern. A successful ransomware attack on an energy, water, or transportation provider could lead to significant public disruption, economic damage, and potential risks to public safety. The ability of the Linux variant to remain undetected for months suggests that attackers could have a long dwell time within these sensitive networks, allowing for extensive data theft and reconnaissance before the final encryption stage is triggered. This campaign is a clear example of the convergence of cybercrime and threats to national security.


IOCs

No specific Indicators of Compromise for 01flip ransomware were provided in the source articles.


Cyber Observables for Detection

  • Type: network_traffic_pattern
    Value: Outbound connections matching Sliver C2 profiles
    Description: Sliver has known default C2 profiles (e.g., specific User-Agent strings and URI paths). Monitor for these patterns.
  • Type: file_name
    Value: Binaries with Rust-specific libraries
    Description: Executables compiled with Rust often contain specific string artifacts or library dependencies that can be signatured.
  • Type: process_name
    Value: sliver-client or sliver
    Description: While likely renamed, the presence of processes with these names is a direct indicator of Sliver usage.
  • Type: log_source
    Value: EDR/Sysmon logs
    Description: Monitor for execution of binaries from untrusted locations, especially on Linux systems where new executables are less common.
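The file_name observable above says Rust-compiled executables carry string artifacts that can be signatured. The following Python triage helper, added here as an illustration and not taken from the report or from any 01flip sample, shows what such a check looks like: it counts markers that Rust toolchains commonly leave in binaries (panic-location source paths such as "/rustc/" and "library/core/src/", std panic messages, and legacy-mangled symbols of the form _ZN...17h<16 hex>E). The marker list and the two byte blobs are constructed assumptions for the example; a hit means "probably built with Rust", which is a triage signal for further review, not a malware verdict, since plenty of legitimate software is written in Rust.

```python
import re
from collections import Counter

# String markers that Rust toolchains commonly leave in compiled binaries
# (panic-location paths, crate registry paths, std panic messages). These are
# assumed typical Rust artifacts, not indicators taken from any 01flip sample.
RUST_STRING_MARKERS = [
    b"/rustc/",
    b"library/std/src/",
    b"library/core/src/",
    b"core::panicking",
    b".cargo/registry/src/",
    b"called `Option::unwrap()` on a `None` value",
]

# Legacy Rust symbol mangling ends in "17h" + a 16-hex-digit hash + "E",
# e.g. _ZN4core9panicking5panic17h0123456789abcdefE
LEGACY_MANGLED_SYMBOL = re.compile(rb"_ZN[0-9A-Za-z_]{4,}17h[0-9a-f]{16}E")


def rust_artifacts(data: bytes) -> dict:
    """Count Rust-specific markers in a binary blob. Returns {marker: count}."""
    hits = Counter()
    for marker in RUST_STRING_MARKERS:
        n = data.count(marker)
        if n:
            hits[marker.decode()] = n
    symbols = LEGACY_MANGLED_SYMBOL.findall(data)
    if symbols:
        hits["legacy_mangled_symbols"] = len(symbols)
    return dict(hits)


def looks_like_rust(data: bytes, min_distinct_markers: int = 2) -> bool:
    """Triage verdict: at least N distinct marker types are present."""
    return len(rust_artifacts(data)) >= min_distinct_markers


def scan_file(path: str) -> dict:
    """Apply the same check to a file on disk."""
    with open(path, "rb") as fh:
        return rust_artifacts(fh.read())


# Constructed samples standing in for real binaries (not real malware bytes).
SAMPLE_RUST_LIKE = (
    b"\x7fELF" + b"\x00" * 12
    + b"/rustc/0123456789abcdef/library/core/src/option.rs\x00"
    + b"called `Option::unwrap()` on a `None` value\x00"
    + b"_ZN4core9panicking5panic17h0123456789abcdefE\x00"
    + b"_ZN3std2rt19lang_start_internal17hfedcba9876543210E\x00"
)
SAMPLE_C_LIKE = (
    b"\x7fELF" + b"\x00" * 12
    + b"main\x00printf\x00libc.so.6\x00GLIBC_2.2.5\x00"
)

if __name__ == "__main__":
    for name, blob in [("rust-like", SAMPLE_RUST_LIKE), ("c-like", SAMPLE_C_LIKE)]:
        print(name, looks_like_rust(blob), rust_artifacts(blob))
```

Run it against new executables found on a critical Linux server (for example, via scan_file over a list of paths reported by EDR) and feed the "looks like Rust, not in the package inventory" cases to an analyst; requiring two distinct marker types rather than one keeps incidental string matches from producing noise.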

Detection & Response

  1. C2 Detection: Use network security monitoring tools to look for beaconing activity consistent with the Sliver C2 framework. Integrate threat intelligence feeds that provide known Sliver C2 infrastructure IOCs. This is a form of Network Traffic Analysis (D3-NTA).
  2. Linux Endpoint Monitoring: Enhance monitoring on critical Linux servers. Deploy EDR for Linux and monitor for the execution of new, untrusted binaries, suspicious cron jobs, and unexpected network connections. This is key to reducing the long dwell times reported.
  3. Behavioral Analysis: On both Windows and Linux, use security tools that can detect ransomware behavior (mass file modification/encryption) based on heuristics rather than just signatures, as the Rust payload may be novel.
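Item 3 calls for heuristic detection of ransomware behaviour (mass file modification and encryption) rather than signatures. The Python detector below is an added example, not part of the report, of what such a heuristic looks like in practice: it keeps a sliding window of write events per process and alerts when one process has written high-entropy content to many distinct files within a few seconds. The event schema (timestamp, pid, path, bytes written), the thresholds, and the two simulated processes are constructed assumptions; in a real deployment the events would come from an EDR or auditd/Sysmon file-write telemetry.

```python
import math
import random
from collections import defaultdict, deque


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, usually well below 6 for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class MassEncryptionDetector:
    """Flags a process that writes high-entropy content to many distinct files
    within a short sliding window. The thresholds are assumed starting points."""

    def __init__(self, window_s: float = 10.0, min_files: int = 20, min_entropy: float = 7.0):
        self.window_s = window_s
        self.min_files = min_files
        self.min_entropy = min_entropy
        self._recent = defaultdict(deque)  # pid -> deque of (ts, path, entropy)
        self.alerts = []
        self._alerted = set()

    def observe(self, ts: float, pid: int, path: str, written: bytes) -> bool:
        """Record one file-write event; return True if pid currently looks like a mass encryptor."""
        q = self._recent[pid]
        q.append((ts, path, shannon_entropy(written)))
        while q and ts - q[0][0] > self.window_s:   # drop events outside the window
            q.popleft()
        distinct = {p for _, p, _ in q}
        mean_entropy = sum(e for _, _, e in q) / len(q)
        if len(distinct) >= self.min_files and mean_entropy >= self.min_entropy:
            if pid not in self._alerted:             # one alert per offending process
                self._alerted.add(pid)
                self.alerts.append({
                    "pid": pid,
                    "ts": ts,
                    "distinct_files": len(distinct),
                    "mean_entropy": round(mean_entropy, 2),
                })
            return True
        return False


def run_sample() -> list:
    """Replay a constructed event stream: a chatty log writer and a simulated encryptor."""
    det = MassEncryptionDetector()
    rng = random.Random(7)
    # Benign: many writes, but to a single low-entropy log file.
    benign = b"INFO request served in 12ms\n" * 8
    for i in range(30):
        det.observe(100.0 + i * 0.1, 101, "/var/log/app.log", benign)
    # Simulated ransomware: random bytes stand in for ciphertext, one file per write.
    for i in range(25):
        ciphertext_like = bytes(rng.getrandbits(8) for _ in range(4096))
        det.observe(100.0 + i * 0.2, 202, f"/srv/share/report_{i}.docx", ciphertext_like)
    return det.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The entropy check is what separates encryption from a legitimate bulk operation such as a backup or a compiler run; pairing it with the distinct-file count keeps a single busy log file from tripping the rule. Tune window_s and min_files to the server's normal write profile before enabling automated response.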

Mitigation

  • Patch Exposed Services: The first line of defense is to eliminate the initial access vector. Maintain a robust vulnerability management program to patch all internet-facing systems and services. See Software Update (D3-SU).
  • Multi-Factor Authentication (MFA): Enforce MFA on all external access points (VPN, RDP, etc.) to prevent credential-based attacks.
  • Network Segmentation: Segment the network to prevent attackers from moving laterally from the initial point of compromise to critical systems. Isolate OT networks from IT networks.
  • Application Allowlisting: On critical servers, implement application allowlisting to prevent the execution of unauthorized binaries like Sliver or the 01flip ransomware. This is an application of Executable Allowlisting (D3-EAL).

Timeline of Events

  1. December 15, 2025: This article was published.

MITRE ATT&CK Mitigations

  1. Patch internet-facing services to prevent the initial access vector used by the attackers.
     Mapped D3FEND Technique: Software Update (D3-SU)
  2. Use application allowlisting to prevent the execution of untrusted binaries like Sliver and the 01flip ransomware.
     Mapped D3FEND Technique: Executable Allowlisting (D3-EAL)
  3. Monitor and filter network traffic for known Sliver C2 patterns to detect and block command-and-control channels.
     Mapped D3FEND Technique: Network Traffic Analysis (D3-NTA)

D3FEND Defensive Countermeasures

To detect the 01flip campaign, Network Traffic Analysis is crucial for identifying the Sliver C2 framework used for post-exploitation. Security teams should proactively hunt for Sliver's network signatures. This includes monitoring for default TLS certificate subjects, specific User-Agent strings, and URI patterns used by Sliver's default listeners. Open-source threat intelligence and tools like JARM and JA3/S can be used to fingerprint and identify Sliver's TLS traffic. By creating detection rules in NIDS/NIPS systems (like Suricata or Zeek) for these specific network artifacts, organizations can spot the C2 channel early in the attack lifecycle, long before the 01flip ransomware is deployed. This provides a critical window to respond and evict the attacker from the network.
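The paragraph above (and item 1 of Detection & Response) recommends hunting for Sliver beaconing in Zeek or Suricata data. The report gives no Sliver-specific JA3, JARM or certificate values, so the added Python example below, which is not part of the report, demonstrates the part that does not depend on a vendor signature: periodicity analysis over Zeek conn.log records. It groups flows by source, destination and port, computes the inter-connection gaps, and flags a pair whose gaps have a low coefficient of variation over enough connections, which is the shape any beaconing implant with a fixed interval plus jitter produces, Sliver included. The column subset, the thresholds, and the three simulated flows are constructed assumptions.

```python
import statistics
from collections import defaultdict

# Subset of Zeek conn.log columns used here (assumed tab-separated layout).
ZEEK_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "service"]


def parse_conn_log(text: str) -> list:
    """Parse tab-separated conn.log text into dicts, skipping '#' header/comment lines."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) < len(ZEEK_FIELDS):
            continue
        rows.append(dict(zip(ZEEK_FIELDS, parts)))
    return rows


def find_beacons(rows: list, min_conns: int = 8, max_cv: float = 0.25) -> list:
    """Group flows by (src, dst, dport); a low coefficient of variation of the
    inter-connection gaps over enough connections marks a beacon candidate."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(float(r["ts"]))
    findings = []
    for (src, dst, dport), times in groups.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean_gap = statistics.fmean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap    # jitter relative to the interval
        if cv <= max_cv:
            findings.append({
                "src": src, "dst": dst, "dport": dport,
                "connections": len(times),
                "mean_interval_s": round(mean_gap, 1),
                "cv": round(cv, 3),
            })
    return findings


def build_sample_log() -> str:
    """Constructed conn.log: one beacon-like flow, one irregular flow, one short flow."""
    lines = ["#fields\t" + "\t".join(ZEEK_FIELDS)]
    uid = 0

    def emit(ts, src, sport, dst, dport, service):
        nonlocal uid
        lines.append(f"{ts:.6f}\tC{uid:04d}\t{src}\t{sport}\t{dst}\t{dport}\ttcp\t{service}")
        uid += 1

    # Beacon-like: ~60 s interval with a few seconds of jitter, 15 connections.
    t = 1700000000.0
    emit(t, "10.0.0.5", 51000, "203.0.113.10", 443, "ssl")
    for d in [0, 3, -2, 4, -3, 1, 2, -4, 3, 0, -1, 2, -2, 1]:
        t += 60 + d
        emit(t, "10.0.0.5", 51000, "203.0.113.10", 443, "ssl")
    # Irregular, browsing-like connections, 11 in total.
    t = 1700000000.0
    emit(t, "10.0.0.7", 52000, "198.51.100.20", 443, "ssl")
    for gap in [5, 400, 12, 900, 3, 60, 1500, 30, 7, 250]:
        t += gap
        emit(t, "10.0.0.7", 52000, "198.51.100.20", 443, "ssl")
    # Too few connections to judge; ignored by find_beacons.
    for gap in [0, 30, 60]:
        emit(1700000000.0 + gap, "10.0.0.9", 53000, "192.0.2.40", 8443, "ssl")
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in find_beacons(parse_conn_log(build_sample_log())):
        print(finding)
```

Periodicity alone produces candidates, not verdicts: software updaters and monitoring agents also beacon. The value of this pass is to produce a short list of (host, destination) pairs to enrich with the TLS fingerprinting and destination reputation the paragraph describes; destinations that are not in the organisation's known-good list and that match a Sliver fingerprint are the ones to escalate.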

Executable Allowlisting is a powerful defense against manually deployed ransomware like 01flip. On critical infrastructure systems, particularly Linux servers, which often have a very stable software set, organizations should implement a strict allowlisting policy. This policy would prevent any binary from executing unless its hash is on a pre-approved list. When the attackers attempt to drop and run the Sliver C2 implant or the 01flip ransomware binary, the operating system would block the execution. This control is highly effective at stopping novel or custom malware written in languages like Rust, because it does not rely on signatures. While challenging to implement broadly, it is a highly effective control for the high-value, static systems common in critical infrastructure environments.

The 01flip campaign begins by exploiting exposed services. This underscores the fundamental importance of a robust software update and vulnerability management program. Critical infrastructure organizations must have a complete and accurate inventory of all internet-facing assets and services. These assets must be continuously scanned for vulnerabilities, and a risk-based approach must be used to prioritize patching. Any vulnerability in a public-facing service should be treated as a high-priority risk and patched within an aggressive timeframe. By closing these initial access vectors, organizations can prevent the entire attack chain from starting, rendering the sophistication of the 01flip ransomware irrelevant.

Sources & References

Jenkins DoS Freezes Pipelines - eSecurity Planet
eSecurity Planet (esecurityplanet.com) December 15, 2025

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas of expertise: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

01flip, Ransomware, Rust, Sliver C2, Cross-Platform, Critical Infrastructure, APAC
