Since the end of August 2019, researchers at Proofpoint have been tracking a new loader dubbed ‘Buer’. Its client is written in C and its control panel in .NET Core, a combination the author promotes for performance on both the client and the server side. The downloader is sold on various dark web forums and offers a feature set similar to that of Smoke Loader, which is known to have delivered banking trojans such as Ursnif and The Trick, whose aim is to steal banking and other financial credentials.
Notable Campaigns
- Proofpoint researchers first observed malicious email messages on August 28. These emails carried Microsoft Word attachments whose Office macros downloaded next-stage payloads from URLs including:
- hxxp://jf8df87sdfd.yesteryearrestorations[.]net/gate.php
- hxxp://93345fdd.libertycolegios[.]com/gate.php
The downloaded payload was named verinstere222.xls or verinstere33.exe and was, at the time, an undocumented loader.
- On October 10, a malvertising campaign in Australia was discovered that redirected victims to the Fallout Exploit Kit (EK). Fallout dropped the Buer loader, which in turn dropped several second-stage payloads, including KPOT stealer, Amadey, and Smoke Loader.
- The third appearance of the loader was detected on October 21, when Proofpoint researchers observed another malicious email campaign with Microsoft Word attachments carrying macros that, if enabled, executed Ostap. Ostap then downloaded Buer from the following URL: hxxps://185.130.104[.]187/nana/kum.php?pi=18b&[redacted]
Buer in turn downloaded a further payload, The Trick (“ono22”).
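The three campaigns above leave concrete network indicators (the gate.php hosts and the kum.php URL). As an added example, not code from Proofpoint or from the article, the following Python script refangs those indicators and matches them against proxy log lines, then applies a looser hunting heuristic derived from the two observed gate.php hostnames (a machine-looking first DNS label in front of a legitimate-looking domain). The log format and the log lines are constructed for the example; the heuristic will produce false positives and is meant as a hunting lead, not an alert.

```python
"""Match the Buer-related URLs from the campaigns above against proxy log lines.

Added example, not Proofpoint's or the loader author's code. The log layout
(timestamp, client IP, method, URL, status) is an assumption made for this
example, and SAMPLE_LOG is constructed to resemble the three campaigns; it is
not a real capture.
"""
import re
from urllib.parse import urlparse

# Indicators exactly as reported above, kept in defanged form so they can be
# pasted from the write-up. refang() turns them back into matchable URLs.
DEFANGED_IOCS = [
    "hxxp://jf8df87sdfd.yesteryearrestorations[.]net/gate.php",
    "hxxp://93345fdd.libertycolegios[.]com/gate.php",
    "hxxps://185.130.104[.]187/nana/kum.php?pi=18b&[redacted]",
]

# Constructed sample proxy log (assumed format: "<timestamp> <client_ip> <method> <url> <status>").
SAMPLE_LOG = """\
2019-08-28T09:14:02Z 10.1.4.22 GET http://jf8df87sdfd.yesteryearrestorations.net/gate.php 200
2019-08-28T09:14:05Z 10.1.4.22 GET http://www.example.com/index.html 200
2019-10-21T13:07:41Z 10.1.7.9 GET https://185.130.104.187/nana/kum.php?pi=18b 200
2019-10-21T13:08:00Z 10.1.7.9 POST http://a1b2c3d4e5.example.org/gate.php 200
garbage line that does not parse
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)
# First DNS label of the observed hosts: lowercase alphanumeric, 8+ chars, at least one digit.
RANDOM_LABEL = re.compile(r"^(?=.*\d)[a-z0-9]{8,}$")


def refang(ioc):
    """Undo the hxxp / [.] defanging used in the write-up."""
    return re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE).replace("[.]", ".")


def ioc_key(url):
    """Reduce a URL to (host, path); scheme, port and query string are ignored
    so a redacted or changing query (as in the kum.php URL) still matches."""
    try:
        parsed = urlparse(url)
    except ValueError:
        return None
    if not parsed.hostname:
        return None
    return parsed.hostname.lower(), parsed.path


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not fit the assumed format."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def find_hits(log_lines, defanged_iocs=DEFANGED_IOCS):
    """Exact host+path matches: returns (client_ip, url, matched_defanged_ioc) per hit."""
    keys = {ioc_key(refang(i)): i for i in defanged_iocs}
    hits = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = ioc_key(rec["url"])
        if key is not None and key in keys:
            hits.append((rec["client"], rec["url"], keys[key]))
    return hits


def gate_php_heuristic(log_lines, defanged_iocs=DEFANGED_IOCS):
    """Looser hunting check: /gate.php on a host whose first label looks machine-generated,
    excluding URLs already covered by the exact IOC list. Expect false positives."""
    known = {ioc_key(refang(i)) for i in defanged_iocs}
    leads = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = ioc_key(rec["url"])
        if key is None or key in known or key[1] != "/gate.php":
            continue
        if RANDOM_LABEL.match(key[0].split(".")[0]):
            leads.append(rec["url"])
    return leads


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for client, url, ioc in find_hits(lines):
        print(f"IOC hit  {client} -> {url}  (matches {ioc})")
    for url in gate_php_heuristic(lines):
        print(f"lead     {url}  (gate.php on random-looking host)")
```

Run it against a real proxy or DNS export by replacing SAMPLE_LOG with the file contents and adjusting LOG_LINE to the export's column order; the match key deliberately drops the query string because the kum.php query in the write-up is partly redacted and such parameters vary per victim.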
Features of Buer Loader
The Buer loader is marketed on the dark web by a Russian-speaking author for less than the price of an iPhone: for US$400 the buyer gets the malware, help setting it up, and free updates and bug fixes. Its advertised features are as follows:
- The author emphasizes high performance on both the client and the server and attributes it to the choice of languages: the modular bot is written entirely in C, and the control panel is built on .NET Core.
- According to the description, the bot has a total payload size of 55 to 60 kilobytes, is delivered as a native Windows executable or dynamic link library, runs entirely in resident memory, and supports both 32-bit and 64-bit Microsoft Windows.
- The bot communicates with its control panel over HTTPS and can be updated remotely from the panel, including after an antivirus detection (“detect”) and rebuild of the bot.
- The author also notes that the loader runs as a surrogate process of a trusted application and needs only user-level privileges, that is, no administrator rights are required.
- Most notably, the loader will not run on systems in the CIS (the Commonwealth of Independent States, i.e. former Soviet republics such as Russia), a geofence common to malware sold on Russian-language forums.
The loader is evolving quickly. Buer has been seen both as a payload dropped by another loader and, in other campaigns, executed directly as the first stage, so an infection no longer depends on an intermediate payload. The author also advertises built-in support for Docker containers, which would make the loader easier to deploy on rented hosts used for malicious purposes, although researchers have not yet found evidence of this in the wild. With its geotargeting, system profiling, and anti-analysis capabilities, Buer is a robust loader that has been dubbed the “Rising Star of the Dark Web”.