Proofpoint Research has released findings of a new variant of the Buer malware loader distributed via emails masquerading as shipping notices. The new strain is rewritten in a coding language called Rust. Key findings include: malware written in Rust enables the threat actor to better evade existing Buer detection capabilities, as well as Proofpoint observing RustyBuer campaigns delivering Cobalt Strike Beacon as a second-stage payload in some campaigns. Saumitra Das of Blue Hexagon offers perspective.
<p>Rust-based malware has been gaining popularity over the last few years. It is becoming more common as attackers try to evade improving detection systems. In fact, in the early days anything “Rust” like would cause Anti-Virus to flag a software as malicious since it was just becoming popular as a programming language. There are already open-source implementations of sample malware Ransomware (e.g. see <a href=\"https://github.com/cdong1012/Rust-Ransomware\" target=\"_blank\" rel=\"noopener\" data-saferedirecturl=\"https://www.google.com/url?q=https://github.com/cdong1012/Rust-Ransomware&source=gmail&ust=1620215295850000&usg=AFQjCNHDLiv4TMQ3lMypYS17DEdPRFhymQ\">https://github.com/<wbr />cdong1012/Rust-Ransomware</a>). The first takeaway is that to deal with these types of attacker variations you need AI to find mutated malware without having seen them before. The second takeaway is that these are all multistage attacks – they start from phishing documents with malicious macros or links to rust-based or other evasive malware, to a cobalt strike command and control. Network Detection and Response is the right technology to have visibility and threat defense across all these stages of the attack. This way even if one stage is really engineering to be undetectable, the attacker still has several other gates to pass through unnoticed which raises the bar.</p>