The Buer Trojan loader is what is often referred to as a Malware-as-a-Service. This means that the creators of the Buer Trojan are selling it as a commodity on underground online markets, and anyone who is willing to pay can take advantage of this hacking tool. This is threatening particularly, not only because there is no limit on how many con actors can distribute the threat but also because the Buer Trojan loader is a very well-developed tool. According to researchers, the Buer loader is a threat that has been built by Russian malware developers. Experts have spotted advertisements for the Buer Trojan written in Russian claiming that users who purchase the threat also will be provided with free customer support and regular updates. The full price for the Buer loader is $400, which is not a very high price for what its authors are offering. Malware researchers have spotted copies of the Buer Trojan in several different hacking campaigns, which led them to believe that there are already multiple ill-minded parties propagating the threat.
This Week In Malware Episode 30 Part2: Buer Loader Popularity Grows for Malware as a Service (MaaS) Attackers and Hackers
Plants Additional Malware on the Compromised Host
It would appear that the parties distributing the Buer loader may be employing phishing email campaigns. The fraudulent emails would often contain a macro-laced document file that carries the corrupted code of the threat. The Fallout Exploit Kit also has been identified as a tool used by the actors propagating the Buer Trojan. As a Trojan loader, the job of the Buer malware is to plant additional threats on the compromised host. Some of the threats that have been used as secondary payloads in the Buer Trojan campaigns are Amadey, TrickBot KPOT V2.0, among several others. The loader grabs payloads of the additional threats from the operators' C&C (Command & Control) server.
Self-Preservation and Persistence Gained
The authors of the Buer Trojan have made sure to implement some self-preservation techniques in their creation. Upon infecting the targeted host, the Buer loader will check if the penetrated system is used for threat analysis and malware debugging. The Buer Trojan will check for the presence of any software that would typically be present in a sandbox environment. This Trojan also checks if the system it has compromised is located in Russia or any other ex-Soviet state. If this is the case, the Buer Trojan will cease the operation. To gain persistence on the infected machine, the Buer loader will tamper with the Windows Registry. This will allow the Buer Trojan to run every time the compromised computer is restarted.
The authors of the Buer Trojan have kept their word and have released a significant number of updates since they began the operation. It is not likely that they will cease operating very soon as the interest in the Buer Trojan loader is growing.