The Buer Trojan loader is what is often referred to as Malware-as-a-Service. This means that the creators of the Buer Trojan sell it as a commodity on underground online markets, and anyone who is willing to pay can use this hacking tool. This is particularly threatening, not only because there is no limit on how many malicious actors can distribute the threat, but also because the Buer Trojan loader is a very well-developed tool. According to researchers, the Buer loader was built by Russian malware developers. Experts have spotted advertisements for the Buer Trojan, written in Russian, claiming that users who purchase the threat will also be provided with free customer support and regular updates. The full price for the Buer loader is $400, which is not a very high price for what its authors are offering. Malware researchers have spotted copies of the Buer Trojan in several different hacking campaigns, which led them to believe that there are already multiple ill-minded parties propagating the threat.
Plants Additional Malware on the Compromised Host
It would appear that the parties distributing the Buer loader may be employing phishing email campaigns. The fraudulent emails often contain a macro-laced document file that carries the corrupted code of the threat. The Fallout Exploit Kit has also been identified as a tool used by the actors propagating the Buer Trojan. As a Trojan loader, the job of the Buer malware is to plant additional threats on the compromised host. Some of the threats that have been used as secondary payloads in the Buer Trojan campaigns are Amadey, TrickBot, and KPOT V2.0, among several others. The loader fetches the payloads of the additional threats from the operators' C&C (Command & Control) server.
Self-Preservation and Persistence Gained
The authors of the Buer Trojan have made sure to implement some self-preservation techniques in their creation. Upon infecting the targeted host, the Buer loader checks whether the penetrated system is used for threat analysis and malware debugging by looking for software that would typically be present in a sandbox environment. This Trojan also checks whether the system it has compromised is located in Russia or any other ex-Soviet state. If this is the case, the Buer Trojan ceases operating. To gain persistence on the infected machine, the Buer loader tampers with the Windows Registry. This allows the Buer Trojan to run every time the compromised computer is restarted.
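For defenders, Registry-based persistence of this kind can be reviewed by triaging autostart entries. The following Python example is added here and is not taken from the research described above; the article does not say which Registry location the loader modifies, so the example assumes the common Run autostart keys, uses constructed `reg query` output, and applies heuristics chosen for illustration rather than Buer indicators.

```python
import re

# Constructed sample in the layout printed by `reg query <key>`; not real telemetry.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    WinUpdate Helper    REG_SZ    C:\Users\alice\AppData\Roaming\a1b2\helper.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    svc    REG_SZ    rundll32.exe C:\ProgramData\x\y.dll,Start
"""

VALUE_LINE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_\w+) {4}(?P<data>.*)$")
# Heuristics chosen for this example (assumptions, not Buer indicators).
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")
PROXY_BINARIES = ("rundll32", "regsvr32", "mshta", "wscript", "cscript", "powershell")

def parse_reg_query(text):
    """Yield (key, value_name, data) for every value line in `reg query` output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            yield key, m["name"], m["data"]

def triage(text):
    """Return (key, name, reasons) for autostart entries that merit manual review."""
    findings = []
    for key, name, data in parse_reg_query(text):
        cmd = data.strip().lower()
        if not cmd:
            continue
        reasons = []
        if any(d in cmd for d in USER_WRITABLE):
            reasons.append("target in user-writable directory")
        # First token of the command line: quoted path or first whitespace-separated word.
        exe = cmd[1:].split('"')[0] if cmd.startswith('"') else cmd.split()[0]
        if exe.rsplit("\\", 1)[-1].split(".")[0] in PROXY_BINARIES:
            reasons.append("launched through a script/DLL host binary")
        if reasons:
            findings.append((key, name, reasons))
    return findings

if __name__ == "__main__":
    for key, name, reasons in triage(SAMPLE):
        print(f"{key} :: {name} -> {'; '.join(reasons)}")
```

A flagged entry is a lead for manual review, not a verdict, since legitimate software also starts from per-user directories.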
The authors of the Buer Trojan have kept their word and have released a significant number of updates since they began the operation. It is not likely that they will cease operating very soon as the interest in the Buer Trojan loader is growing.