Buer Malware Rewritten in Rust

2025-03-31 Update. From: SLTechnology News&Howtos, Network Security


Shulou (Shulou.com) 06/01 Report

This article summarizes what Proofpoint researchers found about a variant of the Buer malware that has been rewritten in Rust, how it is delivered, and why the language change matters for detection.

Researchers recently found a variant of the Buer malware, rewritten in the Rust language, being distributed in emails disguised as DHL shipping notifications.

Proofpoint researchers say the efficient and easy-to-use Rust language helps the malware evade detection. Two variants of the malware are now in circulation, one written in C and the other in Rust; running both in parallel helps the malware infect more victims before it is detected.

Buer is a downloader, a first-stage loader that acts as a "gateway" for other malware. According to Proofpoint's research, downloaders have become steadily more capable over the past two years, with more advanced features and more flexible configuration.

Proofpoint first discovered Buer in 2019 and recently identified a new variant delivered through a DHL shipping-notification lure.

When a victim opens the malicious Word or Excel attachment, it triggers a Buer variant written in Rust. The researchers named it RustyBuer; according to Proofpoint's research, the malware has reached more than 200 organizations across more than 50 industries.

Since Buer is a downloader, the researchers observed that Cobalt Strike may be delivered as a later-stage payload. In some cases no follow-on payload was delivered at all, which may mean the malware developers are testing the new variant before renting it out to other attackers.

Multilingual malware

Rewriting malware in Rust breaks with the traditional habit of writing malware in C, and it is not clear why the attackers spent so much effort on a full rewrite. The researchers speculate that Rust's efficiency and its growing feature set may be the motivation.

Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, notes that functional modifications to malware are common, but a complete rewrite in another language is rare. Malware usually adds new features or improves its detection-evasion capability through version iterations; switching wholesale to a new language is a new approach.

Another effect of the rewrite is that it makes reverse engineering considerably harder, since analysts without Rust development experience struggle to read the resulting binaries. Proofpoint researchers expect to see continually updated Rust versions of Buer. As in the past, attackers will use every available resource to develop their malware.

Adoption of Rust

Rust is becoming increasingly popular in the industry. Microsoft joined the Rust Foundation in February and is using Rust more and more widely internally. In 2019, Alex Gaynor, a former director of the Python Software Foundation and the Django Software Foundation, argued that memory-unsafe languages such as C and C++ introduce so many security vulnerabilities that the industry needs to migrate to memory-safe languages such as Rust and Swift.

The operators of Buer are clearly developing their attack techniques along several lines to improve detection evasion and raise the success rate of their attacks. Proofpoint says that rewriting the malware in Rust lets it slip past detection signatures that were written for the C-based version.

To remain compatible with the C version's infrastructure, the Rust rewrite keeps the same command-and-control (C2) communication protocol.

Do not click

The attacker placed the logos of several security vendors in the document to suggest that it was safe and entice the user into opening it.

The malicious documents execute the payload through the Windows Shell DLL, a living-off-the-land (LOLBAS) technique, to evade endpoint security detection.

Reference sources

Proofpoint

Threatpost
