This month began with troubling news: cybersecurity researchers have revealed a new malspam campaign distributing a new variant of the malware loader known as Buer. The disclosure presents defenders with yet another challenge, and it shows how cybercriminals continually refine their malware toolsets to thwart analysis.
The Method of Propagation of the New Buer Malware Variant
The new Buer variant is being propagated through emails that pose as shipping notices from DHL Support (one of the leading logistics companies). The emails contain a link to a malicious Microsoft Word or Excel document that uses macros to drop the new variant. Dubbed RustyBuer, it has affected no fewer than 200 organizations across more than 50 verticals since early April.
Buer is used to deliver other kinds of malware, including Cobalt Strike and ransomware strains. Proofpoint researchers also believe attackers can use the loader to gain a foothold in target networks and then offer that access to others under an "access-as-a-service" model.
The Programming Language Employed in Developing the Buer Malware Variant
The new Buer variant is written in Rust, a language that is easy to use, efficient, and increasingly popular. According to the Proofpoint researchers who disclosed the variant, rewriting the malware in Rust allows the cybercriminals to evade existing Buer detection capabilities. The original Buer was written in C.
History of Buer Malware
Buer first came to light in August 2019. Fundamentally, it is a modular malware-as-a-service offering that was sold on underground forums. It was used as a first-stage downloader to deliver additional payloads, providing the initial compromise of targets' Windows systems and giving the cybercriminal a digital beachhead for further malicious activity. In December 2019, a Proofpoint analysis described Buer as malware written entirely in C, with a control panel built in .NET Core.
In September 2020, the operators behind Ryuk ransomware were found using Buer as an initial access vector in a spam campaign against an unnamed victim. A phishing attack exposed in February 2021 used receipt-themed lures to induce users to open Microsoft Excel files; the documents contained malicious macros that download and execute the Buer dropper on the infected system.
RustyBuer is the latest in a series of efforts to add another layer of opacity. Cybercriminals have recently shown increased interest in new programming languages as a way to help their attack code evade security defenses.
The new Buer variant shows that, although the loader has existed since 2019, its operators continue to revise their payloads to escape detection. The attack chain becomes more effective at obtaining access when a threat actor uses RustyBuer to make its lures appear legitimate.
Along these lines, contact us any time you need services, including incident response, penetration testing, digital forensics, ransomware mitigation, and cyber resiliency.