"New Buer Malware Loader Spread Through DHL Scam Email"
According to researchers at Proofpoint, attackers are using fake DHL shipping emails to trick recipients into opening malicious Word and Excel documents that infect the victim with 'RustyBuer,' a new variant of the Buer Loader malware family rewritten in the Rust programming language. The DHL-themed phishing emails deliver one of two Buer Loader variants: the original, written in C, and RustyBuer, written in Rust. The attachments that deliver RustyBuer contain more detailed content than those delivering the C variant, to better engage recipients. Proofpoint found that the document macro carries the malware payload and requires user interaction to run, and that the macro applies an application bypass to avoid detection. Once RustyBuer is loaded, it uses a shortcut file to establish persistence at startup; in some cases it then delivers a Cobalt Strike beacon. An attack of this type could give malicious actors a foothold in their victims' networks. This article continues to discuss the distribution of RustyBuer, possible reasons why Buer Loader's authors rewrote their malware in Rust for the DHL scam email campaign, and how organizations can defend themselves against email-borne Buer attacks.
Security Intelligence reports "New Buer Malware Loader Spread Through DHL Scam Email"
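The two observable steps in the chain described above (an Office document macro launching a child process, then a shortcut file dropped into a Startup folder for persistence) are the natural places to hunt for this kind of loader. The following is an added example, not code from Proofpoint or the article, that runs two such checks over a handful of constructed Sysmon-style process-creation (EventID 1) and file-creation (EventID 11) records. The `key=value|key=value` record format, the sample events, and the file names in them are assumptions made for illustration; the Startup folder path and the list of Office parent and script-host child processes are Windows defaults.

```python
"""Hunt for the macro -> child process -> Startup-folder .lnk chain.

Added example (not the article's or Proofpoint's code). The event format is a
simplified, constructed 'key=value|key=value' record modelled on Sysmon fields;
the sample events are constructed and do not come from the campaign.
"""
import re
from dataclasses import dataclass

# Office applications that should rarely spawn script hosts or LOLBins.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe",
}

# Matches a .lnk written into either the per-user (AppData\Roaming\...) or
# all-users (ProgramData\...) Startup folder; both share this path suffix.
STARTUP_LNK_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\[^\\]+\.lnk$",
    re.IGNORECASE,
)


@dataclass
class Finding:
    rule: str
    detail: str


def basename(path: str) -> str:
    """Last path component, lower-cased, for case-insensitive comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> dict:
    """Parse one constructed 'key=value|key=value' record into a dict."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))


def hunt(lines):
    """Return a Finding for each event matching one of the two checks."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "1":  # process creation
            parent = basename(ev.get("ParentImage", ""))
            child = basename(ev.get("Image", ""))
            if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
                findings.append(Finding(
                    "office_spawn",
                    f"{parent} -> {child}: {ev.get('CommandLine', '')}",
                ))
        elif ev.get("EventID") == "11":  # file creation
            target = ev.get("TargetFilename", "")
            if STARTUP_LNK_RE.search(target):
                findings.append(Finding(
                    "startup_lnk",
                    f"{basename(ev.get('Image', ''))} wrote {target}",
                ))
    return findings


# Constructed sample telemetry: one macro-spawned cmd.exe, one .lnk dropped in
# the user's Startup folder, and two benign events that should not match.
SAMPLE_EVENTS = [
    "EventID=1|Image=C:\\Windows\\System32\\cmd.exe"
    "|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|CommandLine=cmd.exe /c start shipping.exe",
    "EventID=11|Image=C:\\Users\\alice\\AppData\\Local\\Temp\\shipping.exe"
    "|TargetFilename=C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows"
    "\\Start Menu\\Programs\\StartUp\\update.lnk",
    "EventID=1|Image=C:\\Windows\\explorer.exe"
    "|ParentImage=C:\\Windows\\System32\\userinit.exe|CommandLine=explorer.exe",
    "EventID=11|Image=C:\\Program Files\\Notepad++\\notepad++.exe"
    "|TargetFilename=C:\\Users\\alice\\Documents\\notes.txt",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

Run against real Sysmon or EDR exports, the `office_spawn` rule will need tuning for legitimate add-ins, and the `startup_lnk` rule only sees the drop; resolving each shortcut's target (with Windows' `WScript.Shell.CreateShortcut` or an LNK parser) is the follow-up step that tells you what actually runs at logon.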