Security Experts Track the New Buer Loader

• Researchers have been tracking a new loader dubbed ‘Buer’ since the end of August 2019.
• This malware is said to use C and .NET Core programming languages for improved efficiency.

Recorded campaigns

This loader has been observed in multiple campaigns.

• On August 28, 2019, security experts spotted a campaign that involved malicious email messages pretending to be email replies to earlier messages. These emails had Microsoft Word attachments that downloaded the next stage payloads with the help of Microsoft Office macros.
• The next campaign was spotted on October 10, 2019, and targeted Australia. It was found to be redirecting to the Fallout Exploit Kit (EK) that dropped the new loader.
• Just a few days later, on October 21, 2019, another campaign came into the picture. This was yet another email campaign with Microsoft Word attachments.

The underground business scenario

An advertisement was found for the Buer loader in an underground forum on August 16.

• The features added to the advertised loader was found to be used in the subsequent campaigns.
• Researchers also found a summary of the loader’s functionality written in Russian. This was believed to be written by the original authors of the malware.

Features

According to the description in the advertisement, this loader has a number of features.

• It uses an HTTPS connection for communication and is compatible with 32-bit and 64-bit Microsoft Windows operating systems.
• The downloaded files are encrypted and stored. These files are secured with an access token.
• The software will not run in CIS that is, former Soviet states.

Technical release notes for a version of this loader was also discovered in the underground forum post.

This malware is growing to be competitive in the underground markets, with the authors including features and adding updates. Researchers from Proofpoint who tracked this loader have provided the list of IOCs that you can refer to.