According to Proofpoint researchers, there is a new variant of the Buer malware loader which is distributed via emails masquerading as shipping notices starting in early April. While Buer was first observed in 2019, several malware operators including those behind Ryuk ransomware were found to be using the Buer malware dropper as an initial access vector against unnamed victims.
The ongoing phishing campaign by the Rusted-based Beur, dubbed "RustyBuer" is propagated via emails masquerading as shipping notices from DHL Support, and it's believed to have affected more than 200 organizations across over 50 verticals since early April.
How the Rust-based variant of Buer Malware Loader is more evasive?
The researchers observed a series of malicious campaigns that delivered the Buer malware loader, which campaigns generally used DHL-themed phishing emails to distribute malicious Word or Excel documents. The campaigns distributed two variants of the Buer malware: one written in C and the other rewritten in the Rust programming language.
The new variant written in Rust is dubbed RustyBuer, as Rust is an efficient and easy-to-use programming language that's becoming increasingly popular, it enables the threat actor to better evade existing Buer detection capabilities.
The RustyBuer campaigns were observed delivering Cobalt Strike Beacon as a second-stage payload in some campaigns and the threat actors may have also established a foothold with the Buer loader to sell access to other threat actors, known as “access-as-a-service.”
Why Cybercriminals are increasingly paying attention to Rust programming language?
Rust is a programming language that is similar to the C++ language, but provides better memory safety which ensures higher performance.
RustyBuer is perhaps the latest in a series of efforts by cybercriminals to add extra layer of opacity, by employing the versatile language in the hope that it will enable the attackers to evade most security defenses. Also, the rewritten malware in Rust could enable the threat actor to evade already existing Buer detection techniques tied to the features of the old malware written in C.
Albeit, the malware authors programmed RustyBuer in a way that it still maintains compatibility with all the existing Buer backend C2 servers.