A Rust-based Buer Malware Variant Has Been Spotted in the Wild

A Rust-based Buer Malware Variant Has Been Spotted in the Wild

This month has begun with shocking news since cybersecurity researchers have revealed a new malspam campaign. It discovered that the novel campaign is distributing a new variant of a malware loader named Buer. This disclosure of the Buer malware variant has brought a new challenge for cybersecurity experts to overcome yet another intimidating task. It also reveals the fact that how cybercriminals are continually sharpening their malware toolsets to thwart analysis.


LIFARS is a reliable elite digital security solutions company, and we provide the latest security, digital forensics, and advisory services.


The Method of Propagation of The New Buer Malware Variant

The information has surfaced that the Buer malware variant is getting propagated through emails pretending to be shipping notices from DHL Support (one of the leading logistics companies). They incorporated a link to a harmful Excel document or Microsoft Word download that used macros to drop the new Buer malware variant. Dubbed as RustyBuer, it has affected, so far, no less than 200 organizations across over 50 verticals since early April.

Buer paves the way for different sorts of malware that may include Cobalt Strike and ransomware strains. Besides, Proofpoint researchers think that attackers can use the loader to acquire traction into target networks. Attackers can also offer access to others as an “access-as-a-service” plan.

The Programming Language Employed in Developing the Buer Malware Variant

Essentially, it is a programming language called Rust that has helped develop this new Buer malware variant. Although it is an easy-to-use language, it is also efficient and on the queue of becoming increasingly popular. According to Proofpoint researchers who disclosed the new variant, rewriting the malware in Rust allows cybercriminals to prevent existing Buer detection capabilities. By the way, it is the C language that has come to use to write Buer.

History of Buer Malware

In August 2019, Buer came into the limelight. Fundamentally, it is a modular malware-as-a-service offering. It started selling on underground forums. To deliver additional payloads, it got used as a first-stage downloader. Thus, it paved the way to provide initial compromise of Windows systems of targets. For further harmful activity, it enabled the cybercriminal to set up a digital beachhead. In December 2019, a Proofpoint analysis marked Buer as a malware written entirely in C, utilizing a control panel created in .NET Core.

In September 2020, it got discovered that the operators behind Ryuk ransomware were employing the Buer malware. They were using it in a spam campaign as an initial access vector aimed against an unnamed victim. After that, a phishing attack exposed in February 2021 utilized receipt-themed enticements to induce users to open Microsoft Excel files. The documents included malicious macros that transfer and execute the Buer dropper on the tainted system.

In a series of efforts directed at inserting an additional layer of opacity, RustyBuer is the latest one. It is a recent phenomenon that cybercriminals pay increased attention to new programming languages to enable the attack code to evade security defenses.


The new Buer malware variant suggests cybercriminals continue to revise their payloads to escape detection despite existing since 2019. The attack chain turns more effective in obtaining access when a threat actor exploits RustyBuer to legitimize its lures.

Along these lines, contact us any time you need services, including incident response, penetration testing, digital forensics, ransomware mitigation, and cyber resiliency.




Cybersecurity researchers spotted a new malware variant

Discovery of a new variant of Buer written in Rust language

Detection curbed through a new variant of Buer