Buer Makes a Comeback: Malware Rewritten in Rust to Avoid Detection


A new version of Buer malware is circulating online, rewritten in the Rust programming language to make it more difficult to spot.

The original version of Buer was first detected in August 2019. It is a downloader sold on the dark web: operators use it to gain an initial foothold on networks and then compromise them further by delivering other malware, frequently ransomware.

Proofpoint researchers have discovered a new version of Buer coded in Rust instead of the previously used C programming language. The latest version, now known as RustyBuer, allows the malicious software to circumvent the existing Buer-detecting methods.

The cybercriminals behind this malware seem to have taken advantage of the increased online shopping activities due to the COVID-19 pandemic. As shipping confirmation emails have become a common occurrence, the distribution of RustyBuer is most commonly achieved through phishing emails made to look as if DHL sent them. The email usually includes an MS Excel or Word document said to contain information about the delivery.

To activate the malware, the malicious document attached in the email prompts the user to enable editing and macros. The phishing email would explain that it’s necessary to do so because the document is “protected.” The scam goes even further, with the email filled with logos of several antivirus providers to add to the message’s legitimacy.

The changes made to the malware indicate that the creators of Buer are working on improving their product and making it more efficient. They are most likely selling both the malware and access to compromised machines and networks.

“The rewritten malware, and the use of newer lures attempting to appear more legitimate, suggest threat actors leveraging RustyBuer are evolving techniques in multiple ways to both evade detection and attempt to increase successful click rates,” wrote the Proofpoint research team in its post.

For now, the best advice for organizations would be to disable the use of macros wherever possible, educate their staff on phishing scams, and keep their antivirus software installed and up to date.
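As an added illustration of the "disable macros" recommendation (example code, not from the article or from Proofpoint), the following PowerShell enforces and then verifies the Office Trust Center policy that disables VBA macros in Word, Excel and PowerPoint. It assumes Office 2016/Microsoft 365, whose policy keys live under the `16.0` path; the version segment and the list of applications are assumptions you can adjust.

```powershell
# Added example: enforce the "disable macros" recommendation through the
# Office Trust Center policy registry keys. Assumes the 16.0 policy path
# (Office 2016 / Microsoft 365); change $OfficeVersion for other releases.
$OfficeVersion = '16.0'
$Apps = @('Word', 'Excel', 'PowerPoint')

function Set-MacroBlockingPolicy {
    param([string]$Version = $OfficeVersion, [string[]]$Applications = $Apps)
    foreach ($app in $Applications) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # VBAWarnings = 4: disable all macros without notification, so the
        # "enable editing / enable content" lure has nothing left to enable.
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 4 -Type DWord
        # Additionally block macros in files carrying the Mark-of-the-Web,
        # which covers attachments saved from email and web downloads.
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
    }
}

function Test-MacroBlockingPolicy {
    param([string]$Version = $OfficeVersion, [string[]]$Applications = $Apps)
    foreach ($app in $Applications) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        # Report one row per application so a non-compliant app stands out.
        [pscustomobject]@{
            Application         = $app
            VBAWarnings         = $props.VBAWarnings
            BlockInternetMacros = $props.blockcontentexecutionfrominternet
            Compliant           = ($props.VBAWarnings -eq 4 -and
                                   $props.blockcontentexecutionfrominternet -eq 1)
        }
    }
}

Set-MacroBlockingPolicy
Test-MacroBlockingPolicy | Format-Table -AutoSize
```

The keys are written under HKCU, so they apply to the current user only; for a fleet-wide setting, deploy the same values through Group Policy or under the equivalent HKLM policy path from an elevated session.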