What Is It?

Researchers at Proofpoint have been following the appearance of a new downloader, named Buer by its authors, since the latter part of August 2019. This downloader is sold on various dark web forums and contains a feature set that is similar to the highly prevalent Smoke Loader. Smoke Loader is known to have downloaded various trojans, including those specifically designed for stealing financial and banking credentials.

In previous Threat Reports we have discussed a subset of malware called downloaders (often shortened to just “loaders”). When used by attackers, a loader is the initial infection vector, designed to evade detection by endpoint security products and then download and execute one or more malicious payloads. Loaders give attackers a great deal of flexibility in the malicious payloads they can deploy and are generally used by attackers utilizing malware-as-a-service (MaaS) offerings. If a loader evades detection, it can download a variety of malware families and variants on behalf of numerous unrelated attackers. Conversely, if a loader is detected and prevented from executing, then a wide range of attacks can be blocked.

In August, researchers first noticed Buer being installed on systems compromised by the tried and true method of a Microsoft Word document containing a malicious macro attached to a spam email. This was followed by several other malicious campaigns in September and October. While investigating, researchers found Buer was being sold for $400. The advertisement for its sale contained a lot of information regarding the feature set of the control panel, used by the purchaser to monitor infections and interact with infected systems. Obviously, this is an important aspect for potential customers, usually less technically-skilled attackers, who choose MaaS.

The primary function of the Buer loader is to download and execute other malware. To achieve this, Buer needs to evade detection, which it attempts with common methods: checking for virtual machines, checking for debuggers, and checking that it is not running on systems in various former Soviet countries. It also encrypts its strings and obfuscates Windows system calls. Researchers also found support for downloading additional modules, though they had not yet observed this behavior in use.

How Does It Propagate?

The Buer loader does not contain the code necessary to self-propagate. It has been observed being distributed by spam campaigns containing Word document attachments with malicious macros.

When/How Did BluVector Detect It?

Five samples listed in the research report are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown these samples would have been detected an average of 38 months prior to their release.