A new malware-as-a-service offering has been discovered by cybersecurity firm Sophos, providing an alternative to other well-known malware loaders like Emotet and BazarLoader. Buer, as the new malware has been dubbed, was first discovered in August 2019, when it was used to compromise Windows PCs, acting as a gateway for further attacks to follow.
“Buer was first advertised in a forum post on August 20, 2019 under the title “Modular Buer Loader”, described by its developers as ‘a new modular bot…written in pure C’ with command and control (C&C) server code written in .NET Core MVC (which can be run on Linux servers),” Sean Gallagher, a Senior Threat Researcher at Sophos, explained. “For $350 (plus whatever fee a third-party guarantor takes), a cybercriminal can buy a custom loader and access to the C&C panel from a single IP address – with a $25 charge to change that address. Buer’s developers limit users to two addresses per account.”
Buer comes with bot functionality, specific to each download. The bots can be configured depending on a variety of filters, including whether the infected machine is 32 or 64 bit, the country where the exploit is taking place and what specific tasks are required.
A new threat
In September, Sophos discovered Buer as the root cause of a Ryuk ransomware attack, with the malware delivered via Google Docs and requiring the victim to enable scripted content in order to work. In this respect, Buer mimics Emotet and other loader malware variants.
Buer uses a stolen certificate issued by a Polish software developer in order to evade detection and checks for the presence of a debugger to ensure forensic analysis can be avoided.
Nevertheless, there are ways for individuals to protect themselves. Remaining vigilant against phishing attacks is essential, as is ensuring that the latest antivirus software is installed.