A fast-spreading malware-as-a-service offering could be providing an alternative to other well-known malware loaders like Emotet and BazarLoader, experts have warned.
Buer was first discovered in August 2019, when it was used to compromise Windows PCs, acting as a gateway for further attacks to follow.
Buer comes with bot functionality, specific to each download. The bots can be configured depending on a variety of filters, including whether the infected machine is 32 or 64 bit, the country where the exploit is taking place and what specific tasks are required.
- We've put together a list of the best malware removal software
- The best antivirus software available today
- Also check out our roundup of the best endpoint protection solutions
“Buer was first advertised in a forum post on August 20, 2019 under the title “Modular Buer Loader”, described by its developers as 'a new modular bot…written in pure C' with command and control (C&C) server code written in .NET Core MVC (which can be run on Linux servers),” Sean Gallagher, a Senior Threat Researcher at Sophos, explained.
“For $350 (plus whatever fee a third-party guarantor takes), a cybercriminal can buy a custom loader and access to the C&C panel from a single IP address - with a $25 charge to change that address. Buer’s developers limit users to two addresses per account.”
A new threat
In September, Buer was found at the root cause of a Ryuk ransomware attack, with the malware delivered via Google Docs and requiring the victim to enable scripted content in order to work. In this respect, Buer mimics Emotet and other loader malware variants.
Buer uses a stolen certificate issued by a Polish software developer in order to evade detection and checks for the presence of a debugger to ensure forensic analysis can be avoided.
Nevertheless, there are ways for individuals to protect themselves. Remaining vigilant against phishing attacks is essential, as is ensuring that the latest antivirus software is installed.
- Keep your devices protected online with the best ransomware protection software