Skip to main content
Buer Dropper

Buer is a modular MaaS downloader trojan sold on hacking forums. Advertised by its creators as a cheaper alternative to more established loaders such as Emotet, it has seen a massive increase in usage in the wake of Trickbot's takedown.

Report a cyber attack: call 0300 303 5222 or email carecert@nhsdigital.nhs.uk

Summary

Buer is a modular MaaS downloader trojan sold on hacking forums. Advertised by its creators as a cheaper alternative to more established loaders such as Emotet, it has seen a massive increase in usage in the wake of Trickbot's takedown.


Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

First observed in August 2019, Buer (AKA BuerLoader) is a modular malware-as-a-service (MaaS) dropper that competes with other downloader trojans such as Emotet and Bazar.

Written in C and ASP.NET Core MVC, it is sold through several dark web forums for less than £300


Delivery

As with most MaaS offerings, affiliate users are responsible for delivering Buer. However, at the time of publication, only one distribution chain has been observed. This chain bears many similarities to that used by Bazar, with a preliminary loader delivered via Google Docs links within highly tailored spear-phishing emails sent by a legitimate commercial email service. When a user interacts with these links, the loader calls out to a delivery URL to download an EXE file disguised as a Microsoft Office doc. it will then perform several checks to determine the affected system's location, terminating itself if it detects a match for CIS countries, before unpacking the EXE containing Buer. This is then loaded directly into the affected system's memory.


Activities

Once installed, Buer will execute two separate sets of PowerShell commands; one set to bypass command execution restrictions, and another to edit the Windows Defender file exclusion list. If successful, it then connects to a command and control sever, via HTTPS POST and GET messages, to retrieve any payloads which are then dropped with dynamically generated names in C:\ProgramData. Payloads dropped by Buer include the Cobalt Strike and Empire post-exploitation toolsets, and Ryuk ransomware.


Threat updates

Date Update
6 May 2021 New variant written in Rust

A new variant of the Buer malware is now being distributed written in the coding language of Rust. The new variant, known as RustyBuer, is being delivered via phishing in the guise of a DHL support email. The reason the new variant is being written in Rust could be to help avoid detection.


Remediation advice

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.


Indicators of compromise

Network indicators

IP addresses

  • 04.248.83[.]13

Host indicators

SHA256 hashes

  • 10943b90969722bf359e4b039d2953e02072e03e0a7f1bdb1dea09d9197288b1
  • 32616f41a71fc7a4286736a6fc77da2a555dbc8301a8bd5fbdbab231955a42c5
  • 5b607f001ba62e042344d30b65cad2774df2deb50e0b92c33da85e9338c123c4
  • 6c7f43434e5db8703c0a47dedeeab976159d8704bfbe2e4ff65405f38d508e9d

Last edited: 6 May 2021 11:17 am