The Buer malware first appeared in 2019 and is used by threat operators to install a backdoor that other malware, including ransomware, can then use.
Researchers at Proofpoint, who discovered a new variant written in Rust, have named it RustyBuer.
“Combined with companies from threat-actors who leverage RustyBuer to further legitimize their lure, it’s possible that the attack chain may be more effective at gaining access and persistence,” the researchers say.
Delivered by email
The researchers identified a campaign that delivered RustyBuer via phishing emails purporting to come from the delivery company DHL. As usual, the email prompts users to download a Microsoft Word or Excel document, supposedly so they can view their scheduled deliveries.
The document claims to be protected and prompts users to enable editing, which is all that is needed to release RustyBuer, embedded in the document as a macro.
The malware then establishes persistence by using a shortcut file that runs at startup, which gives the attacker a permanent backdoor to the computer.
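A defender can review the startup-shortcut persistence described above by listing every shortcut in the Startup folders and resolving where it points. The following PowerShell is an added example, not code from Proofpoint or the article; the list of script hosts and the user-writable locations it flags are assumptions chosen for triage, not indicators taken from the RustyBuer campaign.

```powershell
# Added example: audit Startup-folder shortcuts (.lnk) for triage.
# The flagging heuristics are assumptions, not indicators from the article.

$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),         # current user
    [Environment]::GetFolderPath('CommonStartup')    # all users
) | Where-Object { $_ }

# Script hosts and loaders that rarely belong in a Startup shortcut (assumed list).
$suspectHosts = 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe',
                'cscript.exe', 'mshta.exe', 'rundll32.exe', 'regsvr32.exe'

# Locations a standard user can write to (assumed list).
$writableRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP,
                   $env:PUBLIC, $env:ProgramData) | Where-Object { $_ }

# WScript.Shell resolves a .lnk file to its target and arguments.
$shell = New-Object -ComObject WScript.Shell

$results = foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Filter '*.lnk' -File -Force | ForEach-Object {
        $lnk     = $shell.CreateShortcut($_.FullName)
        $target  = $lnk.TargetPath
        $reasons = @()
        if ($target) {
            if ($suspectHosts -contains (Split-Path -Leaf $target)) {
                $reasons += 'script host or loader'
            }
            foreach ($root in $writableRoots) {
                if ($target.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                    $reasons += 'target in user-writable path'; break
                }
            }
            if (-not (Test-Path -LiteralPath $target)) { $reasons += 'target missing' }
        } else {
            $reasons += 'no resolvable target'
        }
        [pscustomobject]@{
            Shortcut  = $_.FullName
            Created   = $_.CreationTime
            Target    = $target
            Arguments = $lnk.Arguments
            Flags     = ($reasons -join '; ')
        }
    }
}

# Newest shortcuts first: a recent creation time near a phishing report is worth a look.
$results | Sort-Object Created -Descending | Format-List
```

A flagged entry is a lead for review rather than a verdict, since legitimate software also installs Startup shortcuts.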
Based on the frequency of RustyBuer campaigns observed by Proofpoint, the researchers anticipate that they will see a new variant in the future as well.