A variant of the Buer malware, which is being distributed in emails disguised as DHL support shipping notices, comes with a fresh code rewrite in the popular Rust language and looks like it may be in the process of prepping for rental to other cybercrooks.
Using the increasingly popular, efficient and easy-to-use Rust programming language will help the malware slip past detection, Proofpoint researchers said in a post on Monday morning. The rigged emails deliver the malware in two flavors. One is written in the more typical C programming language. The other is written in Rust: a tactical shift that will help it tiptoe past detection in order to get more clicks.
Buer is what’s known as a first-stage downloader: a chunk of malware sold on the underground that threat actors use to get a foothold into compromised networks. These attack tools install other types of malware during and after phishing campaigns. Proofpoint research shows that these downloaders have become increasingly beefy over the past two years, boasting ever-more advanced profiling and targeting capabilities.
Proofpoint first came across Buer in 2019, and its researchers spotted the new variant in early April. This is what the DHL-themed, booby-trapped email looks like:
Any unfortunates who click on the malicious Microsoft Word or Excel attachment will trigger a drop of the new, Rust-written Buer variant, which researchers are calling RustyBuer. It’s cutting a wide path across the internet: More than 200 organizations across more than 50 verticals have been hit by the campaign, Proofpoint says.
The first-stage downloader has a nasty second-stage delivery: In some instances, Proofpoint has seen the phishing campaigns drop a commodity Cobalt Strike beacon. Cobalt Strike is a legitimate penetration-testing tool that’s become a favorite among threat actors.
But not all the time. In some campaigns, the attackers left out any second-stage payload. From what researchers can determine, that could be because the malware’s authors are setting up the new variant to lease out to other threat actors in the access-as-a-service model in underground marketplaces: a distribution service that’s already been used to profit off of Buer.
Multilingual Malware: Not-So-Good News
Researchers say that the new, completely rewritten Rust variant is an unusual departure from malware developers’ far more common preference for the C programming language. It’s not clear why the threat actors took the time and effort to translate the code, but there are a few likely possibilities: Rust is more efficient, has more features, and is increasingly popular.
Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, told Threatpost in an email on Monday that malware code tweaking is common, while a total rewrite is less so. “Malware authors, like software programmers, will choose a programming language that supports their requirements,” she said. “A complete change in language is rare but not unheard of. We typically see version increments adding features and evasion techniques, not a total switch to a new language. It’s a significant move on the part of the threat actor that is worth noting.”
Besides detection evasion, the rewrite offers another benefit: it potentially hampers reverse engineering, which can make analysis tough for engineers who don’t have prior experience with Rust or with defeating anti-detection measures. DeGrippo said that Proofpoint researchers anticipate seeing yet more versions of both the Rust and C variants of Buer. As always, the threat actors will use whatever’s at hand to evolve the malware, she said.
For protection, implementation of a secure email gateway and network detections are a good place to start, DeGrippo said. After that, training comes in handy. “Blocking malicious email before it reaches a target and training users to identify and report suspicious emails is the first step in preventing exploitation of this threat,” DeGrippo said.
Who Else Is Getting Rusty?
Fellow Rust fans include Microsoft, which joined the Rust Foundation in February and is increasingly using the language in products. That’s notable, given that the company’s products are stuffed with C/C++. All that vitamin C isn’t good for us, apparently: In 2019, Alex Gaynor, a software resilience engineer and former director of the Python Software Foundation and the Django Software Foundation, argued that these “memory-unsafe” languages – i.e., C and C++ – introduce an unacceptable number of security vulnerabilities and that the industry as a whole needs to migrate to memory-safe languages like Rust and Swift by default.
Are the Buer downloader developers looking to memory-bug-proof their code? Proofpoint researchers theorize that it’s likely got more to do with slipping past detection. “The rewritten malware, and the use of newer lures attempting to appear more legitimate, suggest threat actors leveraging RustyBuer are evolving techniques in multiple ways to both evade detection and attempt to increase successful click rates,” Proofpoint said in its advisory. “Rewriting the malware in Rust can enable the threat actor to evade existing Buer detections that are based on features of the malware written in C.”
Unfortunately, the rewritten variant should maintain compatibility with existing Buer backend command-and-control (C2) servers and panels, researchers say.
Don’t Click on the ‘Microsoft’-Labelled Pandora’s Box
To beef up the legitimacy of the phishing emails, the malware authors have sprinkled them with logos. Here’s an example, sporting Microsoft branding and logos from a handful of security companies.
Recipients need to enable the document’s macros in order to initiate an infection. After that, the macro runs an application bypass (a Windows Shell DLL invoked via a LOLBAS binary) to evade detection by endpoint security.
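One defensive way to surface the chain described above (an Office macro spawning a living-off-the-land binary that loads a Windows Shell DLL) is to score process-creation telemetry by parent/child relationship. This is an added example, not Proofpoint's detection logic; the Office host names, the LOLBAS binary list and the sample events are assumptions constructed for illustration, and the article itself does not name the specific binary or export used.

```python
"""Score constructed process-creation events for the Office -> LOLBAS pattern."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed, not from the article: Office hosts that run document macros, and a
# short list of commonly abused LOLBAS executables. Extend to taste.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
LOLBAS_CHILDREN = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe"}


@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str   # command line of the created process


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: ProcEvent) -> Optional[str]:
    """Return a severity string for suspicious Office children, else None."""
    parent, child = basename(event.parent_image), basename(event.image)
    if parent not in OFFICE_PARENTS:
        return None
    if child in LOLBAS_CHILDREN:
        # The article's chain: macro -> Windows Shell DLL via a LOLBAS binary.
        if "shell32.dll" in event.command_line.lower():
            return "high: office -> lolbas loading shell32.dll"
        return "medium: office -> lolbas"
    return "low: office spawned a child process"


def scan(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Return (child image name, verdict) for every event that scores."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            hits.append((basename(ev.image), verdict))
    return hits


# Constructed sample telemetry; the export name is a deliberate placeholder.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe shell32.dll,<placeholder-export> <placeholder-arg>"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe printui.dll,PrintUIEntry /?"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\splwow64.exe", r"splwow64.exe 8192"),
]
```

Run `scan(SAMPLE_EVENTS)` to see the Word-spawned rundll32 event scored high and the Explorer-spawned one ignored; in practice feed it Sysmon Event ID 1 or EDR process-creation records.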
Wondering where the name came from? According to a Wikipedia entry (albeit, one that needs additional citations), it’s a spirit that popped up in the 16th-century grimoire Pseudomonarchia Daemonum. It’s described as a Great President of Hell, is depicted as a lion’s head surrounded by a circle of five legs so it can walk in any direction, and is supposed to command 50 legions of demons: a decent metaphor for malware that gets leased out to cybercriminals and has a penchant for picking up a new tongue.