A new malware-as-a-service offering has been discovered by cybersecurity firm Sophos, providing an alternative to other well-known malware loaders like Emotet and BazarLoader. Buer, as the new malware has been dubbed, when it was used to compromise Windows PCs, acting as a gateway for further attacks to follow.
“Buer was first advertised in August 2019 under the title “Modular Buer Loader”, described by its developers as ‘a new modular bot…written in pure C’ with command and control (C&C) server code written in .NET Core MVC (which can be run on Linux servers).
Buer comes with bot functionality, specific to each download. The bots can be configured depending on a variety of filters, including whether the infected machine is 32 or 64 bit, the country where the exploit is taking place and what specific tasks are required.
Sophos discovered Buer as the root cause of a Ryuk ransomware attack, with the malware delivered via Google Docs and requiring the victim to enable scripted content in order to work. In this respect, Buer mimics Emotet and other loader malware variants.
Buer uses a stolen certificate issued by a Polish software developer in order to evade detection and checks for the presence of a debugger to ensure forensic analysis can be avoided.
Nevertheless, there are ways for individuals to protect themselves. Remaining cautious against phishing attacks is essential, as is ensuring that the latest av soln is present and up-to-date.
