This malware has been rewritten in the Rust programming language to make it harder to spot

Buer malware is back and it's written in a completely different coding language than it was before - but it's still being used to infect users to make them vulnerable to other cyberattacks.
Written by Danny Palmer, Senior Writer

Phishing emails claiming to be from a delivery company are being spread by crooks to push a new version of a form of malware that is used to distribute ransomware and other cyberattacks.

Buer malware first emerged in 2019 and is used by cyber criminals to gain a foothold on networks, which they can exploit themselves or sell that access on to other attackers to deliver their own malware campaigns, most notably, ransomware attacks.

Now cybersecurity researchers at Proofpoint have uncovered a new variant of Buer that is written in an entirely different coding language to the original malware. It's unusual for malware to be completely changed in this way, but it helps the new campaigns remain undetected in attacks against Windows systems.

SEE: Network security policy (TechRepublic Premium)

The original Buer was written in C programming language, while the new variant is written in Rust programming language – leading researchers to name the new variant RustyBuer. "Rewriting the malware in Rust enables the threat actor to better evade existing Buer detection capabilities," said Proofpoint.

RustyBuer is commonly pushed via phishing emails designed to look as if they come from delivery company DHL, asking the user to download a Microsoft Word or Excel document that supposedly details information about a scheduled delivery.

The delivery is in fact fake, but cyber criminals know that the COVID-19 pandemic has resulted in people ordering more items online, so messages claiming to be from delivery companies have become a common trick to lure people into opening malicious messages and downloading harmful files.

In this instance, the malicious document asks users to enable macros – by asking them to enable editing – in order to allow the malware to run. The fake delivery notice claims that the user needs to do this because the document is 'protected' – even using the logos of several anti-virus providers in an effort to look more legitimate to the victim.

If macros are enabled, RustyBuer is delivered to the system, providing the attackers with a backdoor into the network and the ability to compromise victims with other attacks, including ransomware.

The new version of the malware, combined with improvements to email lures, suggest that the authors of Buer are hard at work to make their product as effective as possible, providing those they sell it to on underground forums with both a means of compromising networks themselves, as well as selling on access to infected machines to others.

SEE: Programming languages: JavaScript has most developers but Rust is the fastest growing

"The rewritten malware, and the use of newer lures attempting to appear more legitimate, suggest threat actors leveraging RustyBuer are evolving techniques in multiple ways to both evade detection and attempt to increase successful click rates," Proofpoint researchers wrote in a blog post.

"Based on the frequency of RustyBuer campaigns observed by Proofpoint, researchers anticipate we will continue to see the new variant in the future," they added.

One way organisations can help prevent Buer, RustyBuer and other forms of malware from being able to be run from phishing emails is to disable macros in Microsoft Office products for users who don't need them.


Editorial standards