"Rust-Based Buer Malware Variant Emerges"
The cybercriminals behind the Buer malware loader are using a new variant called RustyBuer. According to researchers with Proofpoint, the variant is rewritten in the Rust programming language to evade detection and increase the effectiveness of the threat actors' attack chain. RustyBuer is considered unusual as it is not common to see malware rewritten in a completely different way. Rust is growing in popularity due to its increased efficiency, ease of use, and broad range of features. Buer is a downloader used as a foothold in compromised networks to distribute additional malicious payloads. The loader is available for purchase on underground marketplaces through a malware-as-a-service (MaaS) payment model. The new variant presents challenges for signature-based detections because those detections are based on the malware's behavior when it is executed in a sandbox environment. The researchers have emphasized that malware written in C and malware written in Rust will behave differently in a sandbox environment, forcing researchers to make adjustments in order to see all C2 communications. Researchers found RustyBuer and the previous variant of Buer written in C being distributed in early April. Both were observed being delivered in a series of spear-phishing emails and have targeted more than 200 organizations across more than 50 verticals so far. These emails appear to be shipping notices from DHL Support, an international courier and package delivery company. They claim to contain international information about a shipping order and ask victims to download a file. The attached malicious Microsoft Word or Excel documents drop the malware variant using macros once clicked. The macros leverage an Application Bypass to dodge detection by endpoint security mechanisms. This article continues to discuss the emergence of a new Rust-based Buer malware variant and the history of the Buer malware downloader.