Buer is a modular malware-as-a-service offering that’s sold on underground forums and used as a first-stage downloader to deliver additional payloads, providing initial compromise of targets’ Windows systems and allowing the attacker to establish a “digital beachhead” for further malicious activity.
A new malspam campaign distributing a fresh variant of a malware loader called ‘Buer’ written in Rust, illustrating how adversaries are constantly honing their malware toolsets to evade analysis dubbed “Rusty Buer”
Buer Loader initial POST request
The new maldoc campaign that delivered the Buer malware loader follows a similar modus operandi, using DHL-themed phishing emails to distribute weaponized Word or Excel documents that drop the Rust variant of Buer loader. The “unusual” departure from the C programming language means Buer is now capable of circumventing detections that are based on features of the malware written in C.
The rewritten malware, and the use of newer lures attempting to appear more legitimate, suggest threat actors leveraging RustyBuer are evolving techniques in multiple ways to both evade detection and attempt to increase successful click rates.
Buer acts as a first-stage loader for other kinds of malware, including Cobalt Strike and ransomware strains in a access-as-a-service scheme.
RustyBuer is the latest in a series of efforts aimed at adding an extra layer of opacity, as cybercriminals are paying increased attention to new programming languages in hopes that doing so will enable the attack code to slip past security defenses.
When paired with the attempts by threat actors leveraging RustyBuer to further legitimize their lures, it is possible the attack chain may be more effective in obtaining access and persistence.