New Variant of Buer Malware Loader Written in Rust to Evade Detection
2021-05-04 15:07

A new variant of the Buer malware loader has been detected, written in Rust.

The most likely reason for developing a Rust variant is to evade anti-malware detections that are based on features of the malware as written in C. In the associated campaigns detected by Proofpoint, the malware is distributed via DHL-themed phishing emails that deliver malicious Word or Excel documents.

As with the original Buer variant, it contains various options on how to download and execute a payload. Combining Buer/RustyBuer's access-as-a-service with malware-as-a-service means that criminals with little technical expertise can now deliver sophisticated malware - including ransomware - to targets of their choice.

Commenting on the Proofpoint findings, CTO and cofounder of Blue Hexagon, Saumitra Das, said, "Rust-based malware has been gaining popularity over the last few years. It is becoming more common as attackers try to evade improving detection systems." He added, "There are already open-source implementations of sample malware Ransomware," giving the example of Rust-Ransomware on GitHub.

It adds, "RustyBuer and the original Buer loader have been observed as a first-stage loader for additional payloads including Cobalt Strike and multiple ransomware strains, as well as possibly providing victim access to other threat actors in the underground marketplace."

The key takeaway for defenders is that old malware compiled in a new or different language will effectively be undetectable zero-day malware to signature-based detection systems until such time as the vendors find and analyze the malware and add a new signature to their detection engine.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/CMtHNx9oyso/new-variant-buer-malware-loader-written-rust-evade-detection