Developers of the malicious downloader Buer have taken the unusual step of rewriting the malware in the lesser-known Rust programming language, presumably to avoid detection while also potentially slowing down investigative analysis.
While it’s fairly common to find malware written in C, C++, Python and Java, threat actors have also been known to experiment with more obscure languages as a means to stay ahead of detection and forensics. But “it is unusual to see common malware written in a completely different way,” according to a blog post this week from Proofpoint.
Buer is traditionally written in the C language and is often used to deliver second-stage payloads, especially Cobalt Strike and its Beacon feature, which can help pave the way for a ransomware attack. Buer can theoretically also be used by initial access brokers to compromise systems and then sell their foothold on the black market.
Proofpoint researchers have named the newly rewritten variant RustyBuer after discovering phishing campaigns attempting to distribute the Rust version of the malware to more than 200 organizations, via emails purporting to be from DHL Support. The phishing emails contained a link to a downloadable Word or Excel document containing malicious macros.
In the blog post, Proofpoint calls Rust – developed by Mozilla Research – “an efficient and easy-to-use programming language that is becoming increasingly popular.” Researchers believe the developers may have switched programming languages to enable a “broader feature set” and also to “evade existing Buer detections that are based on features of the malware written in C.”
Other experts agree – and we’ve seen this trend before.
“During the past few years we have noticed that malware authors are adopting newer coding languages at a more rapid pace,” said Jerome Segura, director of threat intelligence at Malwarebytes. “The first one that quickly gained popularity was Golang or Go, used by many different threat actors and for a wide array of malware families, including ransomware. As a developer, Go provides a number of advantages such as cross-platform compilation – write once, deploy on multiple OSes – and is also not as well known among reverse engineers.”
“A full rewrite of Buer Loader in the Rust language is no small amount of work,” added Segura, agreeing that a key motive is evading detection. “By choosing Rust, the malware authors are giving criminals who use this Buer loader variant an increased chance at flying under the radar and deploying the payload of their choice. That, in itself, can be one of the key differentiators with other competing loaders on the market.”
And that’s not the only benefit.
Nikko Tamaña, threat analyst at Trend Micro, told SC Media that malware written in uncommonly used languages could pose challenges to attempts at investigative analysis – at least at first until security professionals adjust to new quirks, such as “the difference in syntax and function calling conventions.”
“The degree of difficulty would be influenced by how ‘detached’ the programming language is to the most popularly used ones,” Tamaña explained.
The attackers also don’t lose any key functionalities by switching to Rust. For instance, like Golang and C, Rust supports multiple OS platforms and thus targets not just Windows, but Linux, said Tamaña. And Rust features secure memory management, which “creates a lower chance that the exploit will fail due to memory mismanagement without the trade-off of performance. Other programming languages use a garbage collector to clean unused memory spaces automatically, but that trades off some performance.”
“Since Rust has secure memory management, is cross-platform, and is usually used for system programming – meaning it allows computer hardware to interface with programmer and user – it might be a good programming language for small systems or systems with hardware limitations such as IoT,” Tamaña concluded.
A more detailed write-up and analysis of the new Buer variant is available in the Proofpoint blog post.