
RustyBuer Malware

Discovered by security researchers, RustyBuer is a new version of the Buer malware loader. The original threat was first observed back in 2019 when it was made available for purchase on underground hacker forums. Buer acts as an initial payload that establishes a foothold on the targeted system and proceeds to escalate the attack with the delivery of next-stage malware threats. The newer version retains the same functionality with the main differentiating factor being that it is written in the Rust programming language.

The recreation of existing malware threats using newer and less established programming languages is a relatively recent trend among cybercriminals. Doing so allows them to evade signature-based anti-malware solutions that can easily detect the original versions of the threats. At the same time, it drastically reduces the time needed to release the threat, when compared to the alternative of having to build a brand new malware from scratch.

RustyBuer's Attack Chain

In the series of attacks involving the RustyBuer malware, the threat actors disseminated lure emails pretending to come from the international logistics company DHL. To add more legitimacy to the fake emails, the hackers included the logos of several cybersecurity providers. The text of the fake emails instructs the targeted victim to open the attached file, usually a weaponized Word or Excel document. The corrupted file contains a macro that delivers the RustyBuer threat onto the system. To avoid detection by endpoint security solutions, the macro leverages an Application Bypass.

Once inside the victim's device, RustyBuer checks the environment for signs of virtualization. Afterward, it performs a geolocation check to determine whether the user is located in one of a specific set of CIS (Commonwealth of Independent States) countries; if a match is found, the malware terminates its execution. RustyBuer also establishes a persistence mechanism via an LNK file that is initiated on every system boot.
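As an added example from the defender's side (not code from the original article or from the researchers who analyzed RustyBuer), the following correlates constructed Sysmon-style process-creation and file-creation events so that an LNK file written into a Startup folder is traced back through its parent chain to an Office host, which is the macro-to-loader-to-persistence sequence described above. The event field names, process names and file paths are all assumptions chosen for the illustration.

```python
import re

# Constructed Sysmon-style telemetry (not real logs): id 1 = process creation,
# id 11 = file creation, listed in the order they occurred. The assumption is
# that the loader launched by the macro writes its own Startup-folder LNK.
EVENTS = [
    {"id": 1, "pid": 400, "ppid": 10,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"id": 1, "pid": 512, "ppid": 400,
     "image": r"C:\Users\alice\AppData\Local\Temp\invoice_dhl.exe"},
    {"id": 11, "pid": 512,
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"id": 1, "pid": 620, "ppid": 10, "image": r"C:\Windows\explorer.exe"},
    {"id": 11, "pid": 620, "target": r"C:\Users\alice\Desktop\notes.lnk"},
]

# Office hosts that commonly run macros, and the per-user / all-users
# Startup folders (both end in "\Start Menu\Programs\Startup\").
OFFICE_RE = re.compile(r"\\(winword|excel|powerpnt)\.exe$", re.I)
STARTUP_LNK_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)


def office_ancestor(pid, procs, max_depth=5):
    """Walk pid -> ppid up to max_depth levels; return the first Office image found."""
    while pid in procs and max_depth > 0:
        image = procs[pid]["image"]
        if OFFICE_RE.search(image):
            return image
        pid = procs[pid]["ppid"]
        max_depth -= 1
    return None


def find_startup_lnk_from_office(events):
    """Flag every LNK written to a Startup folder, with its writer and Office ancestor."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    hits = []
    for e in events:
        if e["id"] == 11 and STARTUP_LNK_RE.search(e["target"]):
            writer = procs.get(e["pid"], {}).get("image", "<unknown>")
            hits.append({"lnk": e["target"], "writer": writer,
                         "office_parent": office_ancestor(e["pid"], procs)})
    return hits


if __name__ == "__main__":
    for hit in find_startup_lnk_from_office(EVENTS):
        print(hit)
```

A Startup-folder LNK with no Office ancestor still appears in the results (with `office_parent` set to `None`), so the same function surfaces persistence dropped by other delivery paths; the Office link simply raises the priority.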

Next-Stage Payloads

Analysis of the recent attack campaigns deploying RustyBuer revealed that the threat is mostly consistent with the behavior previously observed in Buer: the threat actors dropped a Cobalt Strike Beacon on the breached systems. Cobalt Strike is a legitimate penetration testing tool that is quite often abused by threat actors, who incorporate it into their threatening operations.

However, in some instances, after RustyBuer was established on the systems, the threat actors did not escalate the attack and no second-stage payloads were detected. The researchers believe that this is a sign of the threat actors trying to operate an access-as-a-service scheme, offering to sell the post-infection access to the systems to other cybercriminal groups.

It should also be noted that the existence of a list of restricted countries from the CIS region indicates that the operators of RustyBuer could potentially have ties to Russia.
