Cybersecurity researchers have described a new malspam campaign involving a new variant of the Buer malware loader. Dubbed “RustyBuer,” the loader is written in Rust and is another example of how malware authors constantly hone their toolsets.
The malware is propagated via emails made to look like shipping notices from DHL Support. Cybercriminals have targeted no fewer than 200 organizations since early April.
“The new Buer variant is written in Rust, an efficient and easy-to-use programming language that is becoming increasingly popular,” Proofpoint researchers said in a report.
By rewriting Buer in Rust, the threat actors can better evade existing Buer detection solutions.
Used since August 2019, Buer is a malware-as-a-service tool sold on underground forums and used as a first-stage downloader to deliver additional payloads. The previous version of Buer was coded entirely in C and used a control panel written in .NET Core. It compromised targets’ Windows systems and allowed the attacker to conduct further malicious activity. Many hacker groups used Buer. For example, in September 2020, Ryuk ransomware operators used Buer as a malware dropper for initial access in a spam campaign.
In the new maldoc campaign involving DHL-themed phishing emails, attackers distribute weaponized Word or Excel documents that deliver RustyBuer.
The rewritten Buer is now capable of evading tools built to detect features of the original variant written in C:
“The rewritten malware, and the use of newer lures attempting to appear more legitimate, suggest threat actors leveraging RustyBuer are evolving techniques in multiple ways to both evade detection and attempt to increase successful click rates,” the researchers said.
Proofpoint researchers say attackers can use Buer as a first-stage loader for other kinds of malware, including Cobalt Strike and ransomware. After gaining an initial foothold in a target network, they can sell access to the compromised network to other actors (an “access-as-a-service” scheme).
“When paired with the attempts by threat actors leveraging RustyBuer to further legitimize their lures, it is possible the attack chain may be more effective in obtaining access and persistence,” the researchers concluded.