Proofpoint Inc.

05/03/2021 | News release | Distributed by Public on 05/03/2021 07:13

New Variant of Buer Loader Written in Rust

Overview

Proofpoint researchers identified a new variant of the Buer malware loader distributed via emails masquerading as shipping notices in early April. Buer is a downloader sold on underground marketplaces that is used as a foothold in compromised networks to distribute other malware, including ransomware. Proofpoint first observed Buer in 2019.

In the associated campaigns, the emails purported to be from DHL Support. They contained a link to a malicious Microsoft Word or Excel document download that used macros to drop the new malware variant. Proofpoint is calling this new variant RustyBuer. The emails impacted over 200 organizations across more than 50 verticals. The new strain is completely rewritten in a coding language called Rust, a departure from the previous C programming language. It is unusual to see common malware written in a completely different way.

Key Findings

  • The new Buer variant is written in Rust, an efficient and easy-to-use programming language that is becoming increasingly popular. Proofpoint is calling this variant RustyBuer.
  • Rewriting the malware in Rust enables the threat actor to better evade existing Buer detection capabilities.
  • Proofpoint observed RustyBuer campaigns delivering Cobalt Strike Beacon as a second-stage payload in some campaigns.
  • Researchers assess some threat actors may be establishing a foothold with the Buer loader to then sell access to other threat actors. This is known as 'access-as-a-service.'

Campaign Details

Proofpoint analysts observed a series of malicious campaigns that delivered the Buer malware loader. The campaigns generally used DHL-themed phishing emails to distribute malicious Word or Excel documents. While sharing similar email lure themes, the campaigns distributed two distinct variants of the Buer malware: one was written in C while the other was rewritten in the Rust programming language. Proofpoint dubbed this variant RustyBuer. The campaigns also used different lure techniques, with RustyBuer attachments containing more detailed content to better engage the recipient.

The rewritten malware, and the use of newer lures attempting to appear more legitimate, suggest threat actors leveraging RustyBuer are evolving techniques in multiple ways to both evade detection and attempt to increase successful click rates.

Figure 1: Emails masquerading as DHL shipping themes used to distribute RustyBuer and Buer loaders.

Figure 2: Malicious Excel attachment distributing RustyBuer containing multiple security software brand logos in an attempt to add legitimacy to the document.

RustyBuer was embedded directly into the document macro and required user interaction to initiate the infection. This macro leveraged an Application Bypass (Windows Shell DLL via LOLBAS) to evade detection from endpoint security mechanisms.

Example Script execution:

rundll32.exe shell32.dll,ShellExec_RunDLL C:\ProgramData\OfficeSignCheck.exe

Once RustyBuer is dropped, it establishes persistence by using a shortcut (.LNK) file which runs at startup.

All the identified campaigns used consistent naming conventions following the inclusion of 'Office' in the dropped executable. Both the Rust and C versions of the malware followed this same pattern including:

  1. OfficeVerifySign.exe (3abed86f46c8be754239f8c878f035efaae91c33b8eb8818c5bbed98c4d9a3ac)
  2. Office_WorkForWestBank.exe (423790a4a722f3549d1dfc1026fa627d829c6dd8c26546d45f2ca4b6d6626acb)
  3. OfficeReleaseFix.exe (b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209)
  4. OfficeConsultPlugin.exe (sha256:b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209)

Proofpoint researchers observed RustyBuer distributing Cobalt Strike Beacon as a second-stage payload in some instances, like previous Buer campaigns. Cobalt Strike is a legitimate security tool used by penetration testers to emulate adversary activity in a network that is becoming increasingly popular as a tool for threat actors.

However, not all identified campaigns contained a second-stage payload. Researchers assess this may be due to threat actors in some specific instances operating as access-as-a-service providers. These threat actors may be attempting to establish initial access in victim environments to then sell their access to other threat actors in underground marketplaces. Other security firms have documented this behavior from threat actors using Buer loader previously.

Malware Analysis

Proofpoint classified the new variant of Buer (RustyBuer) as a rewritten version in Rust based on present anti-analysis features, strings, and encoding and format of the command and control (C2) requests.

It is unclear why the threat actors took the time and effort to rewrite the malware in a new programming language, however Proofpoint researchers identify two likely reasons:

  1. Rust is an increasingly popular programming language that is more efficient and has a broader feature set than C. (Microsoft, for example, is increasingly using it in its products and joined the Rust Foundation in February 2021.)
  2. Rewriting the malware in Rust can enable the threat actor to evade existing Buer detections that are based on features of the malware written in C. The malware authors have programmed it in a way that it should maintain compatibility with existing Buer backend C2 servers and panels.

Figure 3: Example of select Rust dependencies

The following is a detailed analysis of the new variant.

Anti-analysis features

  • Checks for virtual machines (Figure 7)
  • Checks locale to make sure the malware is not running in specific countries (Figure 8). These countries appear to be a part of the Commonwealth of Independent States (CIS).

Figure 4: Virtual machine checks

Figure 5: Locale check

Command and Control

The C2 requests are nearly identical to the requests used in the latest version of Buer. The C2 functions are handled via HTTP(S) POST requests. The initial POST request will be sent with POST data delimitated by the '&' and '=' characters. The POST request contains both pseudorandom characters and encrypted information about the compromised system. An example command beacon can be seen in Figure 6:

Figure 6: RustyBuer initial POST request

Figure 7: Buer Loader initial POST request

An example of the plaintext parameter from Figure 8 with the pseudorandom characters removed is:

Yv3FHY+KQgL5YKs58+uRvGVZT8IS82xY+eij8SW/OhZd5Kk70Oryj8G4C5NB341+u9Xk8FFWvgdHoxrX68ZwZdrWO18fPzUeMJZvDfXcWKo0WaSad2RooXIPzbjPTqooMCxES4LVt/a812bqP8iJnuvZb1JIHa4m/eLC6hOGQBMSG8yY561aXdv+iLB3vhv8kww/1vhyIsmvxHzgcAzY9NWDSm/oZ3BfjAnfVCsgwQ6MebuHvEUXjyJBe6NsjRS+bYiLLrjO9HU=JbSYHpjfúÆ

These request parameters are encrypted. They can be decrypted by:

  1. Base64 decoding
  2. Hex decoding
  3. RC4 decryption (the key used in the analyzed samples was 'kpM5WOtfo')

The decrypted plaintext parameter from Figure 6 is:

299bc0beffe830d0871f8f6d7cadb40117208ea59f59cadd08b220b903f4e31c|e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855|Windows 7 Ultimate|x64|4|Admin|[Computer Name]|133/238|[AD Domain]|[User Name]|1

It contains pipe-delimited data consisting of:

  • Bot ID (SHA-256 hex digest of various system parameters such as hardware profile GUID and name, computer name, volume serial number, and CPUID)
  • An SHA-256 hash of its own executable image
  • Windows version
  • Architecture type
  • Number of processors
  • User privileges
  • Computer name
  • Space used / total (suspected)
  • AD Domain
  • User name

The response beacon can be decrypted similarly to the request parameter above, except that the hex-encoded bytes are separated by dash characters. As with Buer, the JSON object returned in the beacon response contains various options on how to download and execute a payload:

  • type - there are two types:
  • options - specifies options for the payload to download:
    • Hash - only applicable to 'update' type to determine whether a new update is available
    • x64 - whether the payload is 64-bit
    • FileType - not used in analyzed samples
    • AssemblyType - not used in analyzed samples
    • AccessToken - used to download the payload
    • External - indicates whether the payload is downloaded from the C&C or an external URL
  • method - method of execution
  • parameters - parameters to pass on the command line
  • pathToDrop - not used in analyzed samples
  • autorun - indicates whether to setup Registry RunOnce persistence for the payload
  • modules
  • timeout - not used in analyzed samples

Conclusion

Despite existing since 2019, the new variant of Buer loader malware suggests threat actors continue to modify their payloads in a likely attempt to evade detection. When paired with the attempts by threat actors leveraging RustyBuer to further legitimize their lures, it is possible the attack chain may be more effective in obtaining access and persistence. RustyBuer and the original Buer loader have been observed as a first-stage loader for additional payloads including Cobalt Strike and multiple ransomware strains, as well as possibly providing victim access to other threat actors in the underground marketplace. Proofpoint anticipates this activity will continue. Based on the frequency of RustyBuer campaigns observed by Proofpoint, researchers anticipate we will continue to see the new variant in the future.

Indicators of Compromise (IOCs)

IOC

IOC Type

Description

Serevalutinoffice[.]com

Domain

C&C (RustyBuer)

orderverification-api[.]com

Domain

C&C (RustyBuer)

Gerstaonycostumers[.]com

Domain

C&C (RustyBuer)

authcert-ca[.]com

Domain

C&C (RustyBuer)

ocumentssign-api[.]com

Domain

C&C (RustyBuer)

docusigner-api[.]com

Domain

C&C (RustyBuer)

Miyfandecompany[.]com

URL

C&C (RustyBuer)

https://cembank-api[.]com

URL

C&C (RustyBuer)

http://213.252.244[.]114/ayhtvcgcfcfrgcdxdxdrcrhj

Payload

Cobalt Strike Payload

213.252.244[.]114

IP

Cobalt Strike C&C

https://techlog[.]xyz/page.icore

URL

Buer Payload

[email protected][.]uk

Email

Sender

[email protected][.]biz

Email

Sender

[email protected][.]uk

Email

Sender

[email protected][.]biz

Email

Sender

[email protected][.]net

Email

Sender

[email protected][.]org

Email

Sender

[email protected][.]org

Email

Sender

[email protected][.]org

Email

Sender

[email protected][.]org

Email

Sender

[email protected][.]com

Email

Sender

A061180b16f89099da6d34c5a3976968c19a3977c84ce0711ddfef6f7c355cac

SHA256

2021-04-12 Sample

3abed86f46c8be754239f8c878f035efaae91c33b8eb8818c5bbed98c4d9a3ac

SHA256

2021-04-19 Sample

ET Signatures

2848365 - RustyBuer Checkin