Expert Insight On Buer Malware Rewritten in Rust

BACKGROUND: 

Proofpoint Research has released findings on a new variant of the Buer malware loader, distributed via emails masquerading as shipping notices. The new strain, dubbed RustyBuer, is rewritten in the Rust programming language. Key findings: rewriting the loader in Rust lets the threat actor better evade existing Buer detection capabilities, and Proofpoint observed some RustyBuer campaigns delivering Cobalt Strike Beacon as a second-stage payload. Saumitra Das of Blue Hexagon offers perspective.

Expert Comments

May 04, 2021
Saumitra Das
CTO and Co-founder
Blue Hexagon


Rust-based malware has been gaining popularity over the last few years. It is becoming more common as attackers try to evade improving detection systems. In fact, in the early days anything “Rust”-like would cause Anti-Virus to flag software as malicious, since Rust was just becoming popular as a programming language. There are already open-source implementations of sample malware such as ransomware (e.g. see https://github.com/cdong1012/Rust-Ransomware). The first takeaway is that to deal with these types of attacker variations you need AI to find mutated malware without having seen them before. The second takeaway is that these are all multistage attacks: they start from phishing documents with malicious macros or links to Rust-based or other evasive malware, to a Cobalt Strike command and control. Network Detection and Response is the right technology to have visibility and threat defense across all these stages of the attack. This way, even if one stage is really engineered to be undetectable, the attacker still has several other gates to pass through unnoticed, which raises the bar.
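One practical consequence of the point made above, that a loader rewritten in a different language slips past signatures tuned to the old build, is that triage pipelines benefit from a cheap "what toolchain produced this?" enrichment. The script below is an added example, not code from Proofpoint, Blue Hexagon or the Buer/RustyBuer authors: it scans a binary for string artifacts that release builds of the Rust toolchain commonly leave behind (panic-location paths under `/rustc/<commit>/library/`, `library/std/src/` and `library/core/src/` paths, cargo registry paths, and the standard `Option::unwrap()` panic message). The marker list, the `min_hits` threshold and the two byte blobs are assumptions constructed for this example; a "likely Rust" result is an enrichment fact for an analyst, not a malice verdict, since plenty of legitimate software is written in Rust.

```python
"""Heuristic toolchain fingerprinting for triage: flag binaries that appear to be Rust-compiled.

Added example. The markers below are assumptions based on common Rust toolchain
artifacts, not indicators taken from the Proofpoint RustyBuer report.
"""
import re
from dataclasses import dataclass, field

# Byte-regex markers typically embedded in Rust release builds.
RUST_MARKERS = [
    rb"/rustc/[0-9a-f]{40}/library/",                  # panic location paths from std
    rb"library/std/src/",                              # std source paths
    rb"library/core/src/",                             # core source paths
    rb"\.cargo[\\/]registry[\\/]src[\\/]",             # third-party crate source paths
    rb"called `Option::unwrap\(\)` on a `None` value",  # standard panic message
]


@dataclass
class RustScanResult:
    """Which markers matched and whether the sample crosses the 'likely Rust' threshold."""
    matched: list = field(default_factory=list)
    is_likely_rust: bool = False


def scan_for_rust_markers(data: bytes, min_hits: int = 2) -> RustScanResult:
    """Return the Rust toolchain markers found in `data`.

    Requiring more than one distinct marker (min_hits, an assumed threshold)
    reduces false positives from a single coincidental path string.
    """
    matched = [pat.decode() for pat in RUST_MARKERS if re.search(pat, data)]
    return RustScanResult(matched=matched, is_likely_rust=len(matched) >= min_hits)


def triage_note(data: bytes) -> str:
    """Produce a one-line enrichment string for an analyst or a SIEM field."""
    result = scan_for_rust_markers(data)
    if result.is_likely_rust:
        return f"toolchain=rust (markers: {len(result.matched)}) - compare against prior C/C++ build signatures"
    return "toolchain=unknown/non-rust (no or too few rust markers)"


# Constructed sample fragments (not real malware bytes). The first mimics the string
# table of a Rust-compiled PE; the second mimics a MinGW-built C program.
SAMPLE_RUST_FRAGMENT = (
    b"MZ" + b"\x00" * 8
    + b"/rustc/" + b"a" * 40 + b"/library/core/src/fmt/mod.rs\x00"
    + b"library/std/src/io/stdio.rs\x00"
    + b"called `Option::unwrap()` on a `None` value\x00"
)
SAMPLE_C_FRAGMENT = b"MZ" + b"\x00" * 8 + b"Mingw-w64 runtime failure:\x00__main\x00printf\x00"


if __name__ == "__main__":
    for name, blob in (("rust-like", SAMPLE_RUST_FRAGMENT), ("c-like", SAMPLE_C_FRAGMENT)):
        print(name, "->", triage_note(blob))
```

The result is meant to feed the multi-stage view the comment argues for: a loader flagged as Rust-compiled where the known family was C-based is a cue to weight the surrounding stages (the phishing document that delivered it and any subsequent beacon traffic) more heavily, rather than a detection on its own.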

