Cybercriminals behind the Buer malware loader are using a new variant, rewritten in the Rust programming language, as a way to sidestep detection and make their attack chain more effective, warn researchers.
The new variant of Buer, called RustyBuer, is “unusual” because malware is typically not rewritten from scratch in a completely different language, said researchers with Proofpoint on Monday. Overall, Rust is becoming increasingly popular as a programming language, as it is more efficient, easier to use and offers a broader range of features than languages like C.
“Despite existing since 2019, the new variant of Buer loader malware suggests threat actors continue to modify their payloads in a likely attempt to evade detection,” said Kelsey Merriman, Bryan Campbell and Selena Larson, with Proofpoint. “When paired with the attempts by threat actors leveraging RustyBuer to further legitimize their lures, it is possible the attack chain may be more effective in obtaining access and persistence.”
Buer, first identified in August 2019, is a trojan downloader utilized to compromise systems and act as a foothold to deliver additional malicious payloads. The loader is sold to cybercriminals through a “malware-as-a-service” payment model.
The new variant poses challenges for signature-based detections that are based on how the malware behaves when executed in a sandbox environment, said Sherrod DeGrippo, senior director of threat research and detection at Proofpoint.
“Malware written in C and malware written in Rust will behave differently in a sandbox environment,” said DeGrippo. “For example, RustyBuer uses its own TLS library. While the malware executed as expected, we had to make a few adjustments so that we could see all of the C2 communications.”
RustyBuer, along with the previous variant of Buer written in C, was found being distributed in early April, in a spate of spear-phishing emails that so far have targeted over 200 organizations across more than 50 verticals. These emails purport to be shipping notices from DHL Support, an international courier and package delivery company. They inform victims that they contain “international information” regarding a shipping order and ask them to download a file, named “Private File.”
Once the attached malicious Microsoft Word or Excel documents are opened, their macros drop the malware variant. Of note, the macros leverage an Application Bypass (Windows Shell DLL via LOLBAS) to evade detection from endpoint security mechanisms, said researchers.
Researchers noted that this campaign has used differing lure techniques from previous attacks, with RustyBuer attachments containing more detailed content to better engage the recipient. For instance, the malicious Excel attachments distributing RustyBuer contain multiple security software brand logos, in an attempt to add legitimacy to the document.
Once RustyBuer is dropped, it establishes persistence by using a shortcut (.LNK) file to run at startup. Then, the loader distributes the Cobalt Strike Beacon as a second-stage payload. Cobalt Strike is a legitimate security tool utilized by penetration testers, which has become increasingly popular with cybercriminals. However, researchers noted, not all identified campaigns contained a second-stage payload. They believe that this stems from some cybercriminals operating as access-as-a-service providers, attempting to establish initial access in victim environments and then selling this access to other bad actors in underground marketplaces. Buer loader has previously been used in access-as-a-service campaigns, according to Sophos researchers.
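The startup-folder shortcut described above is a persistence mechanism defenders can audit directly. The following added example (not Proofpoint's code, and not derived from any RustyBuer sample) parses the fixed ShellLinkHeader and the StringData section of a Windows .LNK file as documented in the public MS-SHLLINK specification, skipping the optional LinkTargetIDList and LinkInfo structures, and then applies two assumed triage heuristics: a target or working directory in a user-writable location, or a target that is a script or proxy-execution host. The `build_lnk` helper only exists to construct synthetic fixtures for the demo; the directory and host lists are illustrative assumptions, not indicators from the article.

```python
import struct

# ShellLinkHeader constants from MS-SHLLINK (public specification).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this fixed order when their flag is set.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Assumed triage heuristics (illustrative, not indicators from the article).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
PROXY_HOSTS = ("rundll32", "regsvr32", "mshta", "powershell", "wscript", "cscript", "cmd.exe")


def _read_string(data, offset, unicode):
    """Read one StringData entry: uint16 character count, then the characters."""
    (count,) = struct.unpack_from("<H", data, offset)
    offset += 2
    if unicode:
        raw = data[offset:offset + 2 * count]
        return raw.decode("utf-16-le"), offset + 2 * count
    raw = data[offset:offset + count]
    return raw.decode("cp1252"), offset + count


def parse_lnk(data):
    """Return the StringData fields of a shell link; raise ValueError if it is not one."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link (bad HeaderSize or LinkCLSID)")
    offset = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:
        # IDListSize (uint16) is followed by that many bytes of item IDs.
        (id_list_size,) = struct.unpack_from("<H", data, offset)
        offset += 2 + id_list_size
    if flags & HAS_LINK_INFO:
        # LinkInfoSize (uint32) counts itself, so skip exactly that many bytes.
        (link_info_size,) = struct.unpack_from("<I", data, offset)
        offset += link_info_size
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, name in STRING_FIELDS:
        if flags & flag:
            fields[name], offset = _read_string(data, offset, unicode)
        else:
            fields[name] = ""
    return fields


def assess_startup_lnk(fields):
    """Return a list of reasons a startup shortcut deserves a closer look (empty if none)."""
    reasons = []
    hay = " ".join((fields["relative_path"], fields["working_dir"], fields["arguments"])).lower()
    if any(d in hay for d in USER_WRITABLE):
        reasons.append("target or working dir in a user-writable location")
    if any(h in hay for h in PROXY_HOSTS):
        reasons.append("launches a script/proxy-execution host")
    return reasons


def build_lnk(relative_path, working_dir, arguments):
    """Constructed test fixture: a minimal Unicode .LNK with three StringData fields."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, flags)
    header += bytes(LNK_HEADER_SIZE - len(header))  # remaining header fields zeroed
    body = b""
    for s in (relative_path, working_dir, arguments):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


if __name__ == "__main__":
    # Constructed samples: one pointing into %TEMP%, one into Program Files.
    for blob in (
        build_lnk("..\\..\\Local\\Temp\\svc.exe", "C:\\Users\\alice\\AppData\\Local\\Temp", ""),
        build_lnk("..\\Program Files\\Vendor\\Agent.exe", "C:\\Program Files\\Vendor", "--minimized"),
    ):
        f = parse_lnk(blob)
        print(f["relative_path"], "->", assess_startup_lnk(f) or "no findings")
```

In practice you would feed `parse_lnk` the bytes of every `.lnk` in the per-user and all-users Startup folders and alert on any non-empty result, then confirm the finding by checking the resolved target's signature and creation time.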
Other than its lure and the programming language used, there are many similarities between RustyBuer and the original Buer loader. For instance, the command-and-control (C2) requests used by RustyBuer are nearly identical to the requests used in the latest version of Buer. Previous Buer campaigns have also deployed Cobalt Strike as a second-stage payload.
DeGrippo said that Rust is not commonly used by threat actors at this time; however, there are examples of Rust-based malware in public repositories, as well as malware reported by security firms, such as the Convuster macOS adware. Programming languages go in and out of style based on ease of syntax, memory management and other factors, she said.
“Malware authors, like software programmers, will choose a programming language that supports their requirements,” said DeGrippo. “As Rust becomes more popular for fulfilling those requirements, it will be used by both legitimate programmers and threat actors.”
The Buer loader has previously been spotted as recently as February, when researchers with Infoblox uncovered a Buer campaign using invoice-themed lures to persuade victims to download and open Microsoft Excel (XLS) documents, which contained malicious macros and distributed the malware.
Looking ahead, researchers anticipate this activity will continue. “Based on the frequency of RustyBuer campaigns... researchers anticipate we will continue to see the new variant in the future,” they said.