Buer is a malware loader offered as malware-as-a-service on underground forums and often employed as a first-stage downloader for delivering additional payloads; the initial compromise of a target system allows the attacker to establish remote access and further their malicious activity.

According to Proofpoint researchers, a new variant of the Buer malware loader has been distributed since early April via emails masquerading as shipping notices. While Buer was first observed in 2019, several malware operators, including those behind Ryuk ransomware, were found to be using the Buer dropper as an initial access vector against unnamed victims.

The ongoing phishing campaign by the Rust-based Buer, dubbed "RustyBuer", is propagated via emails masquerading as shipping notices from DHL Support, and it is believed to have affected more than 200 organizations across over 50 verticals since early April.

How is the Rust-based variant of the Buer Malware Loader more evasive?

The researchers observed a series of malicious campaigns that delivered the Buer malware loader, which generally used DHL-themed phishing emails to distribute malicious Word or Excel documents. The campaigns distributed two variants of the Buer malware: one written in C and the other rewritten in the Rust programming language.



The new variant written in Rust is dubbed RustyBuer. Rust is an efficient and easy-to-use programming language that is becoming increasingly popular, and rewriting the loader in it enables the threat actor to better evade existing Buer detection capabilities.

The RustyBuer campaigns were observed delivering Cobalt Strike Beacon as a second-stage payload in some cases, and the threat actors may also have established a foothold with the Buer loader in order to sell access to other threat actors, a model known as "access-as-a-service."

Why are cybercriminals increasingly paying attention to the Rust programming language?

Rust is a programming language similar to C++, but it provides better memory safety while delivering high performance.

RustyBuer is perhaps the latest in a series of efforts by cybercriminals to add an extra layer of opacity by employing the versatile language, in the hope that it will enable the attackers to evade most security defenses. Rewriting the malware in Rust could also let the threat actor evade existing Buer detection techniques that are tied to features of the old malware written in C.

Nonetheless, the malware authors programmed RustyBuer so that it still maintains compatibility with all existing Buer backend C2 servers.

Rust-based variant of Buer Malware Loader gets more evasive

Microsoft has released a preview of Azure Web PubSub, an Azure cloud service for building real-time web applications using WebSocket, which lets developers focus on application logic for real-time connected experiences.

WebSocket is a standardized protocol that offers full-duplex communication, serves as a key building block for efficient real-time web interactions, and is supported by all major browsers and web servers. Azure Web PubSub will enable developers to use WebSockets and the publish-subscribe pattern to build real-time web applications, including live location on maps, monitoring dashboards, cross-platform live chat, and many more.

Azure Web PubSub also comes integrated with Azure Functions, which is well suited to building serverless applications in Python, C#, JavaScript, and Java; developers can, for example, use Azure Functions to process location data and Azure Web PubSub to broadcast that data to dashboard clients or visualize real-time location information.

How will Azure Web PubSub enable developers to use WebSockets and a publish-subscribe pattern?

Implementing a WebSocket-based real-time experience requires a developer to first set up infrastructure for handling client connections and then ensure that the setup meets business SLA requirements by establishing mechanisms to scale it on demand. These infrastructure management tasks leave the developer little time to focus on the end-user experience, and this is the infrastructure challenge that the Azure Web PubSub service aims to solve.



Azure Web PubSub service offers built-in support for large-scale client connections with highly available architectures so that developers can focus on the application logic that delivers real-time connected experiences.

Additionally, the service supports a wide variety of programming languages, such as C#, Python, and Java, through WebSocket APIs, which gives developers the flexibility to build real-time cross-platform applications and to easily migrate their existing WebSocket-based applications. Besides native WebSocket support, it also offers the json.webpubsub.azure.v1 subprotocol, which lets clients publish and subscribe directly without routing data through backend server code.

How to Get Started with Azure Web PubSub?



The Azure Web PubSub service is currently available as a developer preview. To get started, developers should go to docs.microsoft.com; to learn more about the service, visit the Azure Web PubSub service page or check out the preview documentation.

You'll need a free Azure account, after which you can follow the Quickstart using either the free tier or the standard tier of Azure Web PubSub. The free tier is designed for dev/test so that you can easily get started with one unit and create applications with up to 20 connections per unit and 20,000 messages per unit per day. Also check out the code samples, which showcase real-time apps you can build with the service.

Azure Web PubSub: Build real-time Web applications using WebSocket

The Azure Defender for IoT security research group, known as Microsoft’s Section 52, recently uncovered a series of critical memory allocation vulnerabilities in IoT and OT devices which could be exploited to bypass security controls to execute malicious code.

The flaws are collectively called "BadAlloc" because they stem from the use of vulnerable memory functions such as malloc, calloc, realloc, memalign, valloc, pvalloc, and many more. The vulnerabilities cover more than 25 CVEs and affect a wide range of critical domains, ranging from consumer and medical IoT to Industrial IoT, Operational Technology, and industrial control systems.

BadAlloc is rooted in memory allocation functions spanning widely used C standard library (libc) implementations, real-time operating systems (RTOS), and embedded software development kits (SDKs).

How do the BadAlloc flaws affect IoT and OT devices?

Microsoft's research shows that memory allocation implementations written as part of IoT devices and embedded software have not incorporated proper input validation. Without that validation, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in execution of malicious code on target devices.



The vulnerabilities can be triggered by calling a memory allocation function, such as malloc(VALUE), with a VALUE parameter that is derived dynamically from external input and is large enough to cause an integer overflow or wraparound.

Successful exploitation of these vulnerabilities could result in unexpected outcomes such as remote code execution or injection, or even a system crash, as stated by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in a security advisory released on April 29, 2021.
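To make the mechanism concrete, here is a constructed toy bump allocator (an added example, not code from any affected vendor or from the advisory) in which the rounding of a request up to header-plus-alignment is done in unchecked size_t arithmetic. A request of SIZE_MAX wraps to a tiny total, passes the pool bounds check, and hands the caller a chunk far smaller than it believes it owns, which is exactly the heap-overflow setup the research describes. The hardened variant beside it refuses any request whose rounding would wrap. The pool size, header size and alignment are assumptions chosen for the demonstration.

```c
/* Toy bump allocator illustrating the BadAlloc pattern: a size derived
 * from untrusted input is rounded up (header + alignment) in size_t
 * arithmetic that can wrap, so a huge request reserves a tiny chunk.
 * Constructed example; not code from any affected product. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POOL_SIZE   4096   /* assumed backing pool for the demo */
#define HEADER_SIZE 8      /* bytes reserved in front of each chunk for its size */
#define ALIGN       8      /* payload alignment */

static unsigned char pool[POOL_SIZE];
static size_t pool_used;

/* Vulnerable: header and alignment are added without an overflow check. */
size_t request_total_unchecked(size_t n)
{
    size_t total = n + HEADER_SIZE;               /* wraps for n near SIZE_MAX */
    return (total + (ALIGN - 1)) & ~(size_t)(ALIGN - 1);
}

/* Hardened: reject any request whose rounding would wrap. Returns 1 and
 * stores the rounded total in *out on success, 0 on overflow. */
int request_total_checked(size_t n, size_t *out)
{
    if (n > SIZE_MAX - HEADER_SIZE - (ALIGN - 1))
        return 0;
    *out = (n + HEADER_SIZE + (ALIGN - 1)) & ~(size_t)(ALIGN - 1);
    return 1;
}

/* Carve `total` bytes from the pool, recording the requested size n. */
static void *carve(size_t n, size_t total)
{
    unsigned char *chunk;
    /* This bounds check is correct in isolation; it is useless once
     * `total` has already wrapped to a small number. */
    if (total > POOL_SIZE - pool_used)
        return NULL;
    chunk = pool + pool_used;
    memcpy(chunk, &n, sizeof n);                  /* sizeof(size_t) <= HEADER_SIZE */
    pool_used += total;
    return chunk + HEADER_SIZE;                   /* caller gets the payload */
}

void *bump_alloc_unchecked(size_t n)
{
    return carve(n, request_total_unchecked(n));
}

void *bump_alloc_checked(size_t n)
{
    size_t total;
    if (!request_total_checked(n, &total))
        return NULL;                              /* BadAlloc-style request refused */
    return carve(n, total);
}

void pool_reset(void) { pool_used = 0; }

int main(void)
{
    size_t bad = SIZE_MAX;                        /* e.g. a length field read from the network */
    printf("rounded total for SIZE_MAX (unchecked): %zu bytes\n",
           request_total_unchecked(bad));
    printf("unchecked allocator returned %s for SIZE_MAX\n",
           bump_alloc_unchecked(bad) ? "a live chunk (overflow waiting to happen)" : "NULL");
    pool_reset();
    printf("checked allocator returned %s for SIZE_MAX\n",
           bump_alloc_checked(bad) ? "a chunk" : "NULL (request rejected)");
    return 0;
}
```

The point of the hardened check is that it is applied to the request before any arithmetic is done on it; the same discipline applies to calloc-style `count * size` computations, where the product rather than the sum can wrap. When reviewing an embedded allocator, look for every place a caller-supplied size is combined with a constant or multiplied, and confirm that the combination is bounded first.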

How can organizations secure their systems from exploitation?

Although there is no evidence of these vulnerabilities being exploited in the wild, the availability of patches could allow bad actors to use a technique known as "patch diffing" to reverse engineer the fixes and potentially weaponize any unpatched versions of the software.

Therefore, CISA recommends that organizations apply vendor updates as soon as possible, set up firewall barriers, and isolate critical system networks from the business network, so as to curtail the exposure of control systems and ensure they remain inaccessible from the internet.

Microsoft warns on BadAlloc Flaws affecting a wide-range of IoT Devices