The Buer malware first emerged in 2019, and is used by threat actors to install a backdoor that can then be used to deliver other malware including ransomware.
The researchers from Proofpoint, who discovered the new variant written in Rust, have named it RustyBuer.
We're looking at how our readers use VPN for a forthcoming in-depth report. We'd love to hear your thoughts in the survey below. It won't take more than 60 seconds of your time.
- We've assembled a list of the best endpoint protection software
- These are the best firewalls on the market
- Also check out our roundup of the best disaster recovery services
“When paired with the attempts by threat actors leveraging RustyBuer to further legitimize their lures, it is possible the attack chain may be more effective in obtaining access and persistence,” the researchers say.
Delivered via email
The researchers latched onto a campaign that delivered RustyBuer via phishing emails supposedly from the DHL delivery company. As usual, the email asks users to download a Microsoft Word or Excel document in order to view details about their scheduled delivery.
Once downloaded, the document claims it is protected and asks users to enable editing, which is all it needs to unleash RustyBuer, which is embedded as a macro in the document.
The malware then establishes a persistent connection by using a shortcut file that runs at startup, which provides the attackers with a permanent backdoor into the computer.
Based on the frequency of RustyBuer campaigns that Proofpoint has observed, the researchers anticipate they’ll continue to see the new variant in the future.
- Protect your devices with these best antivirus software