- Aug 17, 2014
Cybersecurity researchers on Monday disclosed a new malspam campaign distributing a fresh variant of the 'Buer' malware loader, rewritten in Rust, illustrating how adversaries are constantly honing their malware toolsets to evade analysis.
Dubbed "RustyBuer," the malware is distributed via emails masquerading as shipping notices from DHL Support, and is said to have affected no fewer than 200 organizations across more than 50 verticals since early April.
"The new Buer variant is written in Rust, an efficient and easy-to-use programming language that is becoming increasingly popular," Proofpoint researchers said in a report shared with The Hacker News. "Rewriting the malware in Rust enables the threat actor to better evade existing Buer detection capabilities."
The new maldoc campaign that delivered the Buer malware loader follows a similar modus operandi, using DHL-themed phishing emails to distribute weaponized Word or Excel documents that drop the Rust variant of the Buer loader. The "unusual" departure from the C programming language means Buer is now capable of circumventing detections that are based on features of the malware written in C.
"The rewritten malware, and the use of newer lures attempting to appear more legitimate, suggest threat actors leveraging RustyBuer are evolving techniques in multiple ways to both evade detection and attempt to increase successful click rates," the researchers said.