Proofpoint researchers identified a new variant of the Buer malware loader distributed through emails disguised as shipping notices in early April. Buer is a downloader sold in underground markets that is used as a foothold in compromised networks to distribute other malware, including ransomware.
Using the increasingly popular, efficient and user-friendly Rust programming language will help malware bypass detection, Proofpoint researchers said in a post Monday morning. Manipulated emails come in two versions. One is written in the more typical C programming language. The other is written in Rust – a tactical change that will help you tiptoe past detection to get more clicks.
In the associated campaigns, the emails are supposed to come from DHL Support. They contained a link to the download of a malicious Microsoft Word or Excel document that used macros to remove the new malware variant. Proofpoint is calling this new variant RustyBuer. Emails affected more than 200 organizations in more than 50 verticals.
The first stage downloader has a nasty second stage delivery: In some cases, Proofpoint has seen phishing campaigns drop a Cobalt Strike beacon. Cobalt Strike is a legitimate penetration testing tool that has become a favorite among threat actors.
Security experts say the completely rewritten new variant of Rust is an unusual departure from the much more common preference of malware developers for the C programming language. It is unclear why threat actors took the time and effort to translate the code, but there are a few likely possibilities: First, Rust is more efficient, has more features, and is increasingly popular.
To reinforce the legitimacy of phishing emails containing this threat, malware authors have sprinkled them with logos of globally known official companies as in the following image that we will see which recipients must click on the macro of the document to start an infection.
Related topics:
Threats you face every day within E-mail
Macro Malware threats designed to fool the victims
