A Rust-based Buer Malware Variant Has Been Spotted in the Wild


Cybersecurity researchers on Monday disclosed a new malspam campaign distributing a fresh variant of a malware loader called ‘Buer’ written in Rust, illustrating how adversaries are constantly honing their malware toolsets to evade analysis.

Dubbed “RustyBuer,” the malware is distributed via emails masquerading as shipping notices from DHL Support, and is said to have affected no fewer than 200 organizations across more than 50 verticals since early April.

“The new Buer variant is written in Rust, an efficient and easy-to-use programming language that is becoming increasingly popular,” Proofpoint researchers said in a report shared with The Hacker News. “Rewriting the malware in Rust enables the threat actor to better evade existing Buer detection capabilities.”

First introduced in August of 2019, Buer is a modular malware-as-a-service offering that’s sold on underground forums and used as a first-stage downloader to deliver additional payloads, providing initial compromise of targets’ Windows systems and allowing the attacker to establish a “digital beachhead” for further malicious activity. A Proofpoint analysis in December 2019 characterized Buer as malware coded entirely in C, using a control panel written in .NET Core.

In September 2020, the operators behind the Ryuk ransomware were found using the Buer malware dropper as an initial access vector as part of a spam campaign. Then a phishing attack uncovered in February 2021 employed invoice-themed lures to entice users into opening Microsoft Excel documents that contain malicious macros, which download and execute the Buer dropper on the infected system.

[Figure: Buer Loader initial POST request]

The new maldoc campaign that delivered the Buer malware loader follows a similar modus operandi, using DHL-themed phishing emails to distribute weaponized Word or Excel documents that drop the Rust variant of Buer loader. The “unusual” departure from the C programming language means Buer is now capable of circumventing detections that are based on features of the malware written in C.

“The rewritten malware, and the use of newer lures attempting to appear more legitimate, suggest threat actors leveraging RustyBuer are evolving techniques in multiple ways to both evade detection and attempt to increase successful click rates,” the researchers said.

Because Buer acts as a first-stage loader for other kinds of malware, including Cobalt Strike and ransomware strains, Proofpoint researchers estimate that cyber attackers may be using the loader to gain a foothold in target networks and sell the access to other actors in an “access-as-a-service” scheme.

RustyBuer is the latest in a series of efforts aimed at adding an extra layer of opacity, as cybercriminals are paying increased attention to new programming languages in hopes that doing so will enable the attack code to slip past security defenses. Earlier this year, a malware called “NimzaLoader” was identified as written in the Nim programming language, followed by a macOS adware named “Convuster” that was based on Rust.

“When paired with the attempts by threat actors leveraging RustyBuer to further legitimize their lures, it is possible the attack chain may be more effective in obtaining access and persistence,” the researchers concluded.