A previously undocumented modular loader has emerged as a lucrative tool for cybercriminals in a variety of campaigns. Researchers say the “highly competitive” loader, dubbed Buer, is intended for use by actors seeking a turn-key, off-the-shelf solution.
Researchers say they have spotted the loader being actively sold in prominent underground marketplaces since August 2019. Consequently, Buer has made an appearance in several malicious email campaigns and via exploit kits, to then download various strains of malware – from the TrickBot banking trojan to the KPOT information stealer.
“The new loader has robust geotargeting, system profiling and anti-analysis features and is currently being marketed on underground forums with value-added setup services,” said researchers with Proofpoint on Wednesday.
Buer in the Wild
Researchers first came across Buer in the wild in a slew of malicious August email messages, purporting to be replies to earlier legitimate email messages. The emails contained Microsoft Word attachments that used macros to download a next-stage payload.
Upon further analysis, researchers found the naming convention for this payload (verinstere222.xls or verinstere33.exe), was frequently associated with the Dreambot variant of Ursnif. However, they were surprised to find that the payload instead droppe Buer, an undocumented loader not previously observed in the wild.
“In the following weeks over September and October, Proofpoint researchers and other members of the infosec community observed several campaigns from the same actor dropping either the Dreambot variant of Ursnif or this new loader,” they said.
For instance, later in October researchers observed the loader being distribute via the Fallout exploit kit (EK), as part of a malvertising campaign in Australia. Once downloaded as part of this campaign, Buer then drop several second-stage malware payloads including KPOT stealer, Amadey malware and the Smoke Loader malware.
And, at the end of October, Buer was seen being spread via malicious email messages with subject lines such as “Penalty Notice # PKJWVBP” containing Microsoft Word attachments. These attachments contained macros that, if enabled, would execute Ostap, which would then download Buer. Buer would then in turn load TrickBot, a popular banking trojan, from its command-and-control (C2) server.
Technical Deep-Dive
Buer’s prevalence in multiple campaigns led researchers to conclude it was being sold in an underground marketplace to multiple actors. This was confirmed when they discovered an advertisement from August 16 on an underground forum describing a loader named “Buer” that matched the functionality of the malware. The advertisement described Buer’s simple and easy setup services which make it a lucrative buy for cybercriminals.
“We retrieved text from a bulletin-board posting by the author, in Russian, requesting a payment of $400 for the malware, and offering their services to set up the software for prospective customers in order to get it up and running,” researchers said. “The author also notes that updates and bug fixes are free of charge, but there is a $25 surcharge for ‘rebuilding to new addresses.’”
The advertisement also gave researchers an idea of some of Buer’s features and a description of its control panel, from which payloads and arbitrary commands can be executed.
The downloader is written in C, while its control panel is written in .NET core, a free and open-source software framework for Windows, Linux and macOS operating systems.
Researchers said that this programming enables the ability to easily install the control panel on Linux servers: “Built-in support for Docker containers will further facilitate its proliferation on rented hosts used for malicious purposes, and potentially, compromised hosts as well. The latter capability is included in its advertised features and release notes.”
Once downloaded, and before executing additional payloads, Buer has anti-analysis capabilities to avoid detection by researchers, which allow it to check for debuggers (programs used to test and debug other programs) and virtual machines. The loader also checks the locale of the system to make sure that the malware is not running in specific countries.
“This malware specifically checks for most CIS countries, including Russia,” Chris Dawson, threat intelligence lead at Proofpoint, told Threatpost. “This is relatively common for Russian-speaking actors operating in CIS countries or selling malware to actors in those countries.”
Finally, the loader achieves persistence by configuring a Registry RunOnce entry after download, researchers said. These are keys that cause programs to run each time that a user logs on (or be scheduled); so, the registry entry would either execute the malware directly or schedule a task to execute it.
Researchers warn that going forward, Buer’s author is constantly changing the loader, making it a fast-developing threat ripe for future use.
“The Russian-speaking author(s) is actively developing the downloader with sophisticated control panels and a rich feature set, making the malware competitive in underground markets,” they said.