This malware has been rewritten in the Rust programming language to make it harder to spot
Phishing emails claiming to be from a delivery company are being used to deliver a new version of a form of malware which is used to deliver ransomware and other cyber attacks.
Buer malware first emerged in 2019 and is used by cyber criminals to gain a foothold on networks which they can exploit themselves, or to sell that access on to other attackers to deliver their own malware campaigns, most notably, ransomware attacks.
Now cybersecurity researchers at Proofpoint have uncovered a new variant of Buer which is written in an entirely different coding language to the original malware. It’s unusual for malware to be completely changed in this way, but it helps the new campaigns remain undetected in attacks against Windows systems.
The original Buer was written in C programming language, while the new variant is written in Rust programming language – leading researchers to name the new variant RustyBuer. “Rewriting the malware in Rust enables the threat actor to better evade existing Buer detection capabilities,” said Proofpoint.
RustyBuer is commonly delivered via phishing emails designed to look as if they come from delivery company DHL, asking the user to download a Microsoft Word or Excel document which supposedly details information about a scheduled delivery.
SEE: Network security policy (TechRepublic Premium)
The delivery is in fact fake, but cyber criminals know that the Covid-19 pandemic has resulted in more people ordering more items online, so messages claiming to be from delivery companies have become a common trick to lure people into opening malicious messages and downloading harmful files.
In this instance, the malicious document asks users to enable macros – by asking them to enable editing – in order to allow the malware to run. The fake delivery notice claims that the user needs to do this because the document is ‘protected’ – even using the logos of several anti-virus providers in an effort to look more legitimate to the victim.
If macros are enabled, the RustyBuer is delivered to the system, providing the attackers with a backdoor into the network and the ability to compromise victims with other attacks, including ransomware.
The new version of the malware, combined with improvements to email lures suggest that the authors of Beur are hard at work to make their product as effective as possible, providing those they sell it to on underground forums with both a means of compromising networks themselves, as well as selling on access to infected machines to others.
“The rewritten malware, and the use of newer lures attempting to appear more legitimate, suggest threat actors leveraging RustyBuer are evolving techniques in multiple ways to both evade detection and attempt to increase successful click rates,” Proofpoint researchers wrote in a blog post.
“Based on the frequency of RustyBuer campaigns observed by Proofpoint, researchers anticipate we will continue to see the new variant in the future,” they added.
One way organisations can help prevent Buer, RustyBuer and other forms of malware from being able to be run from phishing emails is to disable macros in Microsoft Office products for users who don’t need them.
MORE ON CYBERSECURITY
