As a recent  Threat Report discussed, attackers are using novel programming languages in an attempt to evade detection. In this earlier case, researchers at Proofpoint  found NimzaLoader malware that utilizes Nim, a relatively new and obscure programming language. Recently, they found a new example of attackers attempting to evade detection, using Rust to develop a variant of Buer Loader, RustyBuer.

What Is RustyBuer?

In a new report, Proofpoint researchers have discovered a new variant of the Buer Loader downloader, written in the Rust language, which they have dubbed RustyBuer. Though Rust is significantly more common than Nim, with the first stable version being released in May 2015, it has not often been used to author malware.

The Buer Loader downloader was first released in late August 2019 and is often used by malware-as-a-service operators to download various trojans and ransomware. Buer was originally written in venerable programming language C. Due to the effort required, it is an uncommon step to see an existing malware variant completely rewritten in another language. We can assume the authors  believed the investment in this effort would be rewarded by improved detection evasion, rather than take this as a sign that Rust programming is becoming trendy.

The phishing campaigns delivering RustyBuer began in early April 2021 and were wide ranging, targeting over 200 organizations covering 50 industry verticals. These campaigns mainly used lures relating to DHL parcel deliveries; and included Microsoft Excel or Word documents containing malicious macros which dropped the RustyBuer malware. There were similar campaigns distributing the original C based Buer, however researchers found the social engineering components of the RustyBuer campaigns were more convincing, with an improved likelihood of succeeding. Once executed, RustyBuer uses a Windows shortcut file to ensure it will always be run at startup.

RustyBuer’s purpose is to compromise a host, obtain persistence and download additional malicious payloads. In some cases, these campaigns resulted in the downloading of a Cobalt Strike Beacon. As we have mentioned in previous Threat Reports, while Cobalt Strike is a legitimate tool used for penetration testing, it is frequently leveraged by attackers to create a backdoor on an infected system. Interestingly, it was found that some campaigns did not result in an additional payload. This suggests that in some cases, the operators may be using RustyBuer as an access-as-a-service offering, selling their foothold on infected systems to other malicious actors.

If malware authors see improved detection evasion by using new or less common programming languages to write or rewrite new malware variants, we will see this trend continue. Malicious actors will continue to adapt and change, if their efforts deliver value;  generating additional revenue. They will continue to employ this tactic, until it becomes necessary to alter their tactics once again.

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. The campaigns related to RustyBuer utilized phishing emails with Office document attachments, containing malicious macros, which dropped the RustyBuer malware.

When/How Did BluVector Detect It?

One sample of RustyBuer referenced by Proofpoint’s researchers is publicly available and BluVector’s patented Machine Learning Engine (MLE) detected it. Regression testing has shown the sample would have been detected 36 months prior to its release.