Spam emails disguised as DHL Support shipping notices are being used to spread a new variant of the Buer malware. The variant, dubbed RustyBuer, has been rewritten from scratch in the Rust language. In addition, the variant appears to be in the process of being rented out to other cybercriminals.

What has happened?

According to Proofpoint researchers, the malicious emails deliver two variants of Buer. The first is written in the C programming language, while the other is written in Rust, a tactical shift intended to get more clicks and to evade detections built for the earlier variant.
  • Attackers are sending DHL-themed, booby-trapped emails to recipients; whoever opens the malicious Microsoft Excel or Word attachment is infected with the malware.
  • RustyBuer is a first-stage downloader that fetches a second-stage payload. In some cases, Proofpoint observed phishing campaigns delivering a commodity Cobalt Strike beacon.
  • In some campaigns, the attackers did not drop any second-stage payload, possibly because they are setting up the new variant for rental, an arrangement known as the access-as-a-service model.

Previous use of Buer

Buer was first promoted at an underground forum in August 2019, and since then, it has been actively used by various threat actors.
  • In February, phishing emails carrying malicious macros were used to download the Buer dropper onto infected systems.
  • Last year, the Ryuk ransomware gang was found to be using Buer as an initial access vector.

Conclusion

Rewriting malware and refreshing email lures are effective ways of making malware more dangerous. In the same vein, the recent update to Buer will help attackers evade detection and increase successful click rates. Organizations should therefore keep their anti-malware solutions and email gateways up to date.

Cyware Publisher