Buer (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.buer (Back to overview)

Buer

aka: Buerloader, RustyBuer

VTCollection

Buer is a downloader sold on underground forums and used by threat actors to deliver payload malware onto target machines. It has been observed in email campaigns and has been sold as a service since August 2019.

References

2023-01-30 ⋅ Checkpoint ⋅ Arie Olshtein
Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware
Agent Tesla Azorult Buer Cerber Cobalt Strike Emotet Formbook HawkEye Keylogger Loki Password Stealer (PWS) Maze NetWire RC Remcos REvil TrickBot

2022-08-08 ⋅ Medium CSIS Techblog ⋅ Benoît Ancel
An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure
Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader

2022-03-31 ⋅ Trellix ⋅ Jambul Tologonov, John Fokker
Conti Leaks: Examining the Panama Papers of Ransomware
LockBit Amadey Buer Conti IcedID LockBit Mailto Maze PhotoLoader Ryuk TrickBot

2022-03-17 ⋅ Trend Micro ⋅ Trend Micro Research
Navigating New Frontiers Trend Micro 2021 Annual Cybersecurity Report
REvil BazarBackdoor Buer IcedID QakBot REvil

2022-01-20 ⋅ TEHTRIS ⋅ TEHTRIS
Buer Loader Analysis, a Rusted malware program
Buer

2021-11-05 ⋅ Trend Micro ⋅ Christopher Boyton
A Review and Analysis of 2021 Buer Loader Campaigns
Buer

2021-11-05 ⋅ Trend Micro ⋅ Christopher Boyton
An Analysis of Buer Loader
Buer

2021-09-03 ⋅ Trend Micro ⋅ Mohamad Mokbel
The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader

2021-08-05 ⋅ Group-IB ⋅ Nikita Rostovcev, Viktor Okorokov
Prometheus TDS The key to success for Campo Loader, Hancitor, IcedID, and QBot
Prometheus Backdoor Buer campoloader Hancitor IcedID QakBot

2021-08-05 ⋅ The Record ⋅ Catalin Cimpanu
Meet Prometheus, the secret TDS behind some of today’s malware campaigns
Buer campoloader IcedID QakBot

2021-07-27 ⋅ Blackberry ⋅ BlackBerry Research & Intelligence Team
Old Dogs New Tricks: Attackers Adopt Exotic Programming Languages
elf.wellmess ElectroRAT BazarNimrod Buer Cobalt Strike Remcos Snake TeleBot WellMess Zebrocy

2021-07-19 ⋅ Fortinet ⋅ Fred Gutierrez, Val Saengphaibul
Signed, Sealed, and Delivered – Signed XLL File Delivers Buer Loader
Buer

2021-05-03 ⋅ Proofpoint ⋅ Bryan Campbell, Kelsey Merriman, Proofpoint Threat Research Team, Selena Larson
New Variant of Buer Loader Written in Rust
Buer

2021-05-03 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt
BuerLoader Updates
Buer

2021-03-18 ⋅ VIPRE ⋅ VIPRE Labs
Buer Loader Found in an Unusual Email Attachment
Buer

2021-03-01 ⋅ Group-IB ⋅ Oleg Skulkin, Roman Rezvukhin, Semyon Rogachev
Ransomware Uncovered 2020/2021
RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader

2021-02-25 ⋅ ANSSI ⋅ CERT-FR
Ryuk Ransomware
BazarBackdoor Buer Conti Emotet Ryuk TrickBot

2021-02-02 ⋅ ⋅ CRONUP ⋅ Germán Fernández
De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader

2021-01-09 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli
Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot

2021-01-01 ⋅ Secureworks ⋅ SecureWorks
Threat Profile: GOLD SYMPHONY
Buer GOLD SYMPHONY

2021-01-01 ⋅ Secureworks ⋅ SecureWorks
Threat Profile: GOLD BLACKBURN
Buer Dyre TrickBot WIZARD SPIDER

2020-11-20 ⋅ ZDNet ⋅ Catalin Cimpanu
The malware that usually installs ransomware and you need to remove right away
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader

2020-11-18 ⋅ Minerva Labs ⋅ Eddy Bobritsky
Stopping BuerLoader With Minerva Lab's Hostile Environment Simulation module
Buer

2020-11-09 ⋅ Area 1 ⋅ Threat Research Team
Phishing Campaign Threatens Job Security, Drops Bazar and Buer Malware
BazarBackdoor Buer

2020-10-29 ⋅ Twitter (@SophosLabs) ⋅ SophosLabs
Tweet on similarities between BUER in-memory loader & RYUK in-memory loader
Buer Ryuk

2020-10-28 ⋅ SophosLabs Uncut ⋅ Anand Ajjan, Bill Kearny, Brett Cove, Elida Leite, Gabor Szappanos, Peter Mackenzie, Sean Gallagher, Syed Shahram
Hacks for sale: inside the Buer Loader malware-as-a-service
Buer Ryuk Zloader

2020-09-29 ⋅ Zscaler ⋅ Atinderpal Singh, Mohd Sadique
Spear Phishing Campaign Delivers Buer and Bazar Malware
BazarBackdoor Buer

2020-03-05 ⋅ Kaspersky Labs ⋅ AMR
Mokes and Buerak distributed under the guise of security certificates
Buer Mokes

2019-12-05 ⋅ KrabsOnSecurity ⋅ Mr. Krabs
Buer Loader, new Russian loader on the market with interesting persistence
Buer

2019-12-04 ⋅ Proofpoint ⋅ Axel F, Dennis Schwarz, Kafeine, Kelsey Merriman
Buer, a new loader emerges in the underground marketplace
Buer

2019-10-10 ⋅ Twitter (@StopMalvertisin) ⋅ Kimberly
Tweet on Malware Sample
Buer

Yara Rules

[TLP:WHITE] win_buer_auto (20241030 | Detects win.buer.)

rule win_buer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.buer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.buer"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 3bc7 7d0f 8a0c46 880c18 }
            // n = 4, score = 1100
            //   3bc7                 | cmp                 eax, edi
            //   7d0f                 | jge                 0x11
            //   8a0c46               | mov                 cl, byte ptr [esi + eax*2]
            //   880c18               | mov                 byte ptr [eax + ebx], cl

        $sequence_1 = { 40 3bc2 7cf1 eb02 }
            // n = 4, score = 1100
            //   40                   | inc                 eax
            //   3bc2                 | cmp                 eax, edx
            //   7cf1                 | jl                  0xfffffff3
            //   eb02                 | jmp                 4

        $sequence_2 = { 8d5001 85ff 7504 8bc2 }
            // n = 4, score = 1100
            //   8d5001               | lea                 edx, [eax + 1]
            //   85ff                 | test                edi, edi
            //   7504                 | jne                 6
            //   8bc2                 | mov                 eax, edx

        $sequence_3 = { 894144 8b45f0 03c2 8b55e8 015158 }
            // n = 5, score = 1100
            //   894144               | mov                 dword ptr [ecx + 0x44], eax
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   03c2                 | add                 eax, edx
            //   8b55e8               | mov                 edx, dword ptr [ebp - 0x18]
            //   015158               | add                 dword ptr [ecx + 0x58], edx

        $sequence_4 = { 8b55e8 015158 8b55d8 894148 8b45dc 03c6 }
            // n = 6, score = 1100
            //   8b55e8               | mov                 edx, dword ptr [ebp - 0x18]
            //   015158               | add                 dword ptr [ecx + 0x58], edx
            //   8b55d8               | mov                 edx, dword ptr [ebp - 0x28]
            //   894148               | mov                 dword ptr [ecx + 0x48], eax
            //   8b45dc               | mov                 eax, dword ptr [ebp - 0x24]
            //   03c6                 | add                 eax, esi

        $sequence_5 = { 60 64a130000000 8b400c 8b4014 8b00 8b4010 8945fc }
            // n = 7, score = 1100
            //   60                   | pushal              
            //   64a130000000         | mov                 eax, dword ptr fs:[0x30]
            //   8b400c               | mov                 eax, dword ptr [eax + 0xc]
            //   8b4014               | mov                 eax, dword ptr [eax + 0x14]
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   8b4010               | mov                 eax, dword ptr [eax + 0x10]
            //   8945fc               | mov                 dword ptr [ebp - 4], eax

        $sequence_6 = { 8a0c46 880c18 40 3bc2 }
            // n = 4, score = 1100
            //   8a0c46               | mov                 cl, byte ptr [esi + eax*2]
            //   880c18               | mov                 byte ptr [eax + ebx], cl
            //   40                   | inc                 eax
            //   3bc2                 | cmp                 eax, edx

        $sequence_7 = { 83e801 7420 83e801 740b }
            // n = 4, score = 1100
            //   83e801               | sub                 eax, 1
            //   7420                 | je                  0x22
            //   83e801               | sub                 eax, 1
            //   740b                 | je                  0xd

        $sequence_8 = { 00c0 e9???????? f7da 890c24 8d6801 31c9 be3e000000 }
            // n = 7, score = 300
            //   00c0                 | add                 al, al
            //   e9????????           |                     
            //   f7da                 | neg                 edx
            //   890c24               | mov                 dword ptr [esp], ecx
            //   8d6801               | lea                 ebp, [eax + 1]
            //   31c9                 | xor                 ecx, ecx
            //   be3e000000           | mov                 esi, 0x3e

        $sequence_9 = { 017708 b803000000 31d2 83c418 5e 5f c3 }
            // n = 7, score = 300
            //   017708               | add                 dword ptr [edi + 8], esi
            //   b803000000           | mov                 eax, 3
            //   31d2                 | xor                 edx, edx
            //   83c418               | add                 esp, 0x18
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi
            //   c3                   | ret                 

        $sequence_10 = { 09f2 09ca 09c2 b801000000 ebd0 }
            // n = 5, score = 300
            //   09f2                 | or                  edx, esi
            //   09ca                 | or                  edx, ecx
            //   09c2                 | or                  edx, eax
            //   b801000000           | mov                 eax, 1
            //   ebd0                 | jmp                 0xffffffd2

        $sequence_11 = { 0fb617 47 89f9 83e23f eb11 8b7c2410 8b5c2408 }
            // n = 7, score = 300
            //   0fb617               | movzx               edx, byte ptr [edi]
            //   47                   | inc                 edi
            //   89f9                 | mov                 ecx, edi
            //   83e23f               | and                 edx, 0x3f
            //   eb11                 | jmp                 0x13
            //   8b7c2410             | mov                 edi, dword ptr [esp + 0x10]
            //   8b5c2408             | mov                 ebx, dword ptr [esp + 8]

        $sequence_12 = { 01c7 0fa5da d3e3 8b4c2444 }
            // n = 4, score = 300
            //   01c7                 | add                 edi, eax
            //   0fa5da               | shld                edx, ebx, cl
            //   d3e3                 | shl                 ebx, cl
            //   8b4c2444             | mov                 ecx, dword ptr [esp + 0x44]

        $sequence_13 = { 0fa4c208 c1e008 0fb6cb 09c1 89c8 83c414 }
            // n = 6, score = 300
            //   0fa4c208             | shld                edx, eax, 8
            //   c1e008               | shl                 eax, 8
            //   0fb6cb               | movzx               ecx, bl
            //   09c1                 | or                  ecx, eax
            //   89c8                 | mov                 eax, ecx
            //   83c414               | add                 esp, 0x14

        $sequence_14 = { 01cf 0f92c1 08f9 751d }
            // n = 4, score = 300
            //   01cf                 | add                 edi, ecx
            //   0f92c1               | setb                cl
            //   08f9                 | or                  cl, bh
            //   751d                 | jne                 0x1f

        $sequence_15 = { 0f84d7010000 8b442418 8b5c2404 8b54242c 894c2408 01c8 }
            // n = 6, score = 300
            //   0f84d7010000         | je                  0x1dd
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   8b5c2404             | mov                 ebx, dword ptr [esp + 4]
            //   8b54242c             | mov                 edx, dword ptr [esp + 0x2c]
            //   894c2408             | mov                 dword ptr [esp + 8], ecx
            //   01c8                 | add                 eax, ecx

    condition:
        7 of them and filesize < 3031040
}

Download all Yara Rules

Buer Propose Change

References

Yara Rules

Buer