win.buer

Buer


Buer is a downloader sold on underground forums and used by threat actors to deliver second-stage malware onto targeted machines. It has been observed in email campaigns and has been sold as a service since August 2019.

References
2020-11-20 | ZDNet | Catalin Cimpanu
@online{cimpanu:20201120:malware:0b8ff59, author = {Catalin Cimpanu}, title = {{The malware that usually installs ransomware and you need to remove right away}}, date = {2020-11-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/}, language = {English}, urldate = {2020-11-23} } The malware that usually installs ransomware and you need to remove right away
Avaddon Ransomware BazarBackdoor Buer Clop Cobalt Strike Conti Ransomware DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader
2020-11-18 | Minerva Labs | Eddy Bobritsky
@online{bobritsky:20201118:stopping:e5c486b, author = {Eddy Bobritsky}, title = {{Stopping BuerLoader With Minerva Lab's Hostile Environment Simulation module}}, date = {2020-11-18}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/stopping-buerloader}, language = {English}, urldate = {2020-11-19} } Stopping BuerLoader With Minerva Lab's Hostile Environment Simulation module
Buer
2020-11-09 | Area 1 | Threat Research Team
@online{team:20201109:phishing:a25a567, author = {Threat Research Team}, title = {{Phishing Campaign Threatens Job Security, Drops Bazar and Buer Malware}}, date = {2020-11-09}, organization = {Area 1}, url = {https://www.area1security.com/blog/trickbot-spear-phishing-drops-bazar-buer-malware/}, language = {English}, urldate = {2020-11-18} } Phishing Campaign Threatens Job Security, Drops Bazar and Buer Malware
BazarBackdoor Buer
2020-10-29 | Twitter (@SophosLabs) | SophosLabs
@online{sophoslabs:20201029:similarities:408a640, author = {SophosLabs}, title = {{Tweet on similarities between BUER in-memory loader & RYUK in-memory loader}}, date = {2020-10-29}, organization = {Twitter (@SophosLabs)}, url = {https://twitter.com/SophosLabs/status/1321844306970251265}, language = {English}, urldate = {2020-11-02} } Tweet on similarities between BUER in-memory loader & RYUK in-memory loader
Buer Ryuk
2020-10-28 | SophosLabs Uncut | Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearny, Anand Ajjan, Brett Cove, Gabor Szappanos
@online{gallagher:20201028:hacks:8e1d051, author = {Sean Gallagher and Peter Mackenzie and Elida Leite and Syed Shahram and Bill Kearny and Anand Ajjan and Brett Cove and Gabor Szappanos}, title = {{Hacks for sale: inside the Buer Loader malware-as-a-service}}, date = {2020-10-28}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/}, language = {English}, urldate = {2020-11-02} } Hacks for sale: inside the Buer Loader malware-as-a-service
Buer Ryuk Zloader
2020-09-29 | Zscaler | Mohd Sadique, Atinderpal Singh
@online{sadique:20200929:spear:de79be6, author = {Mohd Sadique and Atinderpal Singh}, title = {{Spear Phishing Campaign Delivers Buer and Bazar Malware}}, date = {2020-09-29}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware}, language = {English}, urldate = {2020-10-15} } Spear Phishing Campaign Delivers Buer and Bazar Malware
BazarBackdoor Buer
2020-03-05 | Kaspersky Labs | AMR
@online{amr:20200305:mokes:698295f, author = {AMR}, title = {{Mokes and Buerak distributed under the guise of security certificates}}, date = {2020-03-05}, organization = {Kaspersky Labs}, url = {https://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/}, language = {English}, urldate = {2020-03-09} } Mokes and Buerak distributed under the guise of security certificates
Buer Mokes
2019-12-05 | KrabsOnSecurity | Mr. Krabs
@online{krabs:20191205:buer:9c3cf72, author = {Mr. Krabs}, title = {{Buer Loader, new Russian loader on the market with interesting persistence}}, date = {2019-12-05}, organization = {KrabsOnSecurity}, url = {https://krabsonsecurity.com/2019/12/05/buer-loader-new-russian-loader-on-the-market-with-interesting-persistence/}, language = {English}, urldate = {2020-01-08} } Buer Loader, new Russian loader on the market with interesting persistence
Buer
2019-12-04 | Proofpoint | Kelsey Merriman, Dennis Schwarz, Kafeine, Axel F
@online{merriman:20191204:buer:6c413aa, author = {Kelsey Merriman and Dennis Schwarz and Kafeine and Axel F}, title = {{Buer, a new loader emerges in the underground marketplace}}, date = {2019-12-04}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace}, language = {English}, urldate = {2020-01-06} } Buer, a new loader emerges in the underground marketplace
Buer
2019-10-10 | Twitter (@StopMalvertisin) | Kimberly
@online{kimberly:20191010:malware:032ed3c, author = {Kimberly}, title = {{Tweet on Malware Sample}}, date = {2019-10-10}, organization = {Twitter (@StopMalvertisin)}, url = {https://twitter.com/StopMalvertisin/status/1182505434231398401}, language = {English}, urldate = {2020-01-10} } Tweet on Malware Sample
Buer
Yara Rules
[TLP:WHITE] win_buer_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_buer_auto {
    // Autogenerated detection rule for the Buer downloader (yara-signator output).
    // The hex strings below are x86 instruction byte runs lifted from the
    // disassembly of unpacked / dumped samples; the condition requires 7 of the
    // 10 sequences plus an upper size bound on the scanned object.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        // callsandjumps / datarefs: operand bytes of calls, jumps and data
        // references are wildcarded so the patterns survive relocation.
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.buer"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is one contiguous run of instruction bytes. "??"
        // wildcards cover the bytes that vary between builds (the operands of
        // the a3 / e8 / b9 instructions whose disassembly column is left blank
        // below). In the per-sequence comments, "n" is the number of
        // instructions in the run (it matches the listed lines); "score" is a
        // yara-signator ranking value whose semantics are not documented here.

        $sequence_0 = { 8b4dfc 894dec 8b4ddc 03cf }
            // n = 4, score = 600
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   894dec               | mov                 dword ptr [ebp - 0x14], ecx
            //   8b4ddc               | mov                 ecx, dword ptr [ebp - 0x24]
            //   03cf                 | add                 ecx, edi

        $sequence_1 = { 33db 215df8 8945ec 85ff 0f8e85000000 }
            // n = 5, score = 600
            //   33db                 | xor                 ebx, ebx
            //   215df8               | and                 dword ptr [ebp - 8], ebx
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   85ff                 | test                edi, edi
            //   0f8e85000000         | jle                 0x8b

        $sequence_2 = { 8b75f4 894dd8 33f0 8b4dec 2375f0 894de8 8b4dfc }
            // n = 7, score = 600
            //   8b75f4               | mov                 esi, dword ptr [ebp - 0xc]
            //   894dd8               | mov                 dword ptr [ebp - 0x28], ecx
            //   33f0                 | xor                 esi, eax
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   2375f0               | and                 esi, dword ptr [ebp - 0x10]
            //   894de8               | mov                 dword ptr [ebp - 0x18], ecx
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]

        // NOTE(review): sequences 3 and 4 repeat "mov edx, <32-bit immediate>"
        // immediately before a wildcarded call; the immediates look like
        // precomputed constants (possibly lookup hashes) but their meaning is
        // not established by this rule — confirm against the sample before
        // relying on them as standalone indicators.
        $sequence_3 = { a3???????? 8bce e8???????? ba8b1374ea a3???????? 8bce }
            // n = 6, score = 600
            //   a3????????           |                     
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   ba8b1374ea           | mov                 edx, 0xea74138b
            //   a3????????           |                     
            //   8bce                 | mov                 ecx, esi

        $sequence_4 = { e8???????? ba529461ed a3???????? 8bce e8???????? ba5ee2ff7b }
            // n = 6, score = 600
            //   e8????????           |                     
            //   ba529461ed           | mov                 edx, 0xed619452
            //   a3????????           |                     
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   ba5ee2ff7b           | mov                 edx, 0x7bffe25e

        // NOTE(review): a function epilogue (leave/ret) followed by the start of
        // the next routine; such short, generic byte runs are common in compiled
        // code, which is why the condition demands several sequences together.
        $sequence_5 = { c9 c3 33c0 3801 }
            // n = 4, score = 600
            //   c9                   | leave               
            //   c3                   | ret                 
            //   33c0                 | xor                 eax, eax
            //   3801                 | cmp                 byte ptr [ecx], al

        $sequence_6 = { 2bc7 8bce d1f8 8d044502000000 50 e8???????? }
            // n = 6, score = 600
            //   2bc7                 | sub                 eax, edi
            //   8bce                 | mov                 ecx, esi
            //   d1f8                 | sar                 eax, 1
            //   8d044502000000       | lea                 eax, [eax*2 + 2]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_7 = { 6a06 b9???????? e8???????? 6a09 b9???????? e8???????? }
            // n = 6, score = 600
            //   6a06                 | push                6
            //   b9????????           |                     
            //   e8????????           |                     
            //   6a09                 | push                9
            //   b9????????           |                     
            //   e8????????           |                     

        $sequence_8 = { 88463d 8a4663 88463c 8a4664 }
            // n = 4, score = 600
            //   88463d               | mov                 byte ptr [esi + 0x3d], al
            //   8a4663               | mov                 al, byte ptr [esi + 0x63]
            //   88463c               | mov                 byte ptr [esi + 0x3c], al
            //   8a4664               | mov                 al, byte ptr [esi + 0x64]

        $sequence_9 = { 7410 83e806 740b 83e807 }
            // n = 4, score = 600
            //   7410                 | je                  0x12
            //   83e806               | sub                 eax, 6
            //   740b                 | je                  0xd
            //   83e807               | sub                 eax, 7

    condition:
        // Match when at least 7 of the 10 sequences are present and the scanned
        // object is smaller than 96 KiB (98304 bytes). NOTE(review): per the YARA
        // documentation, filesize is only defined when scanning a file, so against
        // live process memory this clause is undefined and the rule will not fire;
        // apply it to dumped / unpacked files as the disclaimer describes.
        7 of them and filesize < 98304
}