The threat level continues to be high. Phishing emails claiming to be from a delivery company are being used to spread a new version of a malware loader that is itself used to deliver ransomware and other types of cyber attacks.
The Buer malware first appeared in 2019. Cybercriminals use it to break into networks that they can exploit themselves, or to sell that access to other attackers who then deliver their own campaigns, particularly ransomware attacks. However, Proofpoint cybersecurity researchers have discovered a new variant of Buer, written in a completely different programming language from the original malware.
This is an unusual methodology. It is rare for malware to be completely rewritten in this way so that new campaigns against Windows systems go undetected. The original Buer was written in the C programming language, while the new variant is written in the Rust programming language, which led researchers to name the new variant RustyBuer. “Rewriting the malware in Rust allows the threat actor to better evade Buer’s existing detection capabilities,” Proofpoint teams say.
A language above all suspicion?
RustyBuer is typically delivered through phishing emails designed to resemble those from the delivery company DHL, asking the user to download a Microsoft Word or Excel document that purports to provide information about a scheduled delivery.
The delivery does not exist, of course, but cybercriminals are playing on the explosion of online shopping during the health crisis. Messages claiming to be from delivery companies have therefore become a common ruse to trick people into opening malicious messages and downloading dangerous files.
In this case, the malicious document asks users to enable macros (by clicking to enable editing) in order for the malware to run. The bogus delivery notice claims the user should do so because the document is “protected”; it even uses the logos of several antivirus vendors to make the victim feel it is legitimate. If macros are enabled, RustyBuer is delivered to the system, giving attackers a backdoor into the network and the ability to compromise victims with other attacks, including ransomware.
Cyber attack 2.0
The new version of the malware, combined with improvements to the email decoys, suggests that the authors of Buer are working hard to make their product as effective as possible, giving those who buy it on underground forums a way to compromise networks themselves, as well as to sell others access to infected machines.
“The rewrite of the malware and the use of new baits that attempt to appear more legitimate suggests that threat actors who exploit RustyBuer are evolving their techniques in multiple ways to evade detection and attempt to increase click-through rates,” say the researchers at Proofpoint in a blog post. “Based on the frequency of RustyBuer campaigns observed by Proofpoint, the researchers predict that we will continue to see this new variant in the future,” they added.
One way for businesses to prevent Buer, RustyBuer, and other forms of malware from running from phishing emails is to disable macros in Microsoft Office products for users who have no need for them.
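As an added illustration of that mitigation (example code written for this article, not from Proofpoint or the original report), the PowerShell below sets the Office policy registry values that Group Policy also writes, for the current user. It assumes Office 2016/2019/Microsoft 365 (version key `16.0`) and the Word, Excel and PowerPoint applications; in production these settings would normally be pushed centrally via GPO or Intune rather than run per machine.

```powershell
# Added example: harden Office macro handling for users who do not need macros.
# Assumes Office 2016/2019/365 (registry version key 16.0); adjust for other versions.
$apps = @('Word', 'Excel', 'PowerPoint')

foreach ($app in $apps) {
    $sec = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path $sec -Force | Out-Null

    # VBAWarnings controls what happens when a document contains VBA macros:
    #   1 = enable all macros (weak setting, never recommended)
    #   2 = disable with notification (Office default; this is the "Enable Content"
    #       prompt that lures like the fake DHL notice try to get the victim to click)
    #   3 = disable all except digitally signed macros
    #   4 = disable all macros without notification (strongest; no prompt to social-engineer)
    Set-ItemProperty -Path $sec -Name 'VBAWarnings' -Type DWord -Value 4

    # BlockContentExecutionFromInternet = 1 blocks macros in files carrying the
    # Mark-of-the-Web, which covers attachments saved from email or downloaded from a browser.
    Set-ItemProperty -Path $sec -Name 'BlockContentExecutionFromInternet' -Type DWord -Value 1
}

# Verify the resulting policy values per application.
foreach ($app in $apps) {
    Get-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security" |
        Select-Object @{ Name = 'App'; Expression = { $app } },
                      VBAWarnings, BlockContentExecutionFromInternet
}
```

Because these live under the `Policies` hive, users cannot override them from the Trust Center, which is the point: a lure that asks the victim to "enable editing" has nothing to click if the prompt is never shown. Users with a genuine need for macros can be given value 3 and a signing certificate instead of being exempted entirely.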