Overview
For several years, Proofpoint researchers have been tracking the use of first-stage downloaders, which are used by threat actors to install other forms of malware during and after their malicious email campaigns. In particular, over the last two years, these downloaders have become increasingly robust, providing advanced profiling and targeting capabilities.
More importantly, downloaders and other malware like botnets and banking Trojans have displaced ransomware as primary payloads, giving threat actors the flexibility to deploy a range of malware in secondary infections. For example, one of the most prevalent, Smoke Loader, has been used extensively to drop payloads such as the Ursnif and The Trick banking Trojans, while also using its own modules for credential theft and other information and data stealing, among other malicious functions.
Since late August 2019, Proofpoint researchers have been tracking the development and sale of a new modular loader named Buer by its authors. Buer has features that are highly competitive with Smoke Loader, is being actively sold in prominent underground marketplaces, and is intended for use by actors seeking a turn-key, off-the-shelf solution.
Campaigns
August 28, 2019
On August 28, Proofpoint researchers observed malicious email messages that appear to reply to earlier legitimate email conversations. They contained Microsoft Word attachments that use Microsoft Office macros to download the next stage payload.
Figure 1: Example Microsoft Word attachment used in the August 28, 2019, campaign
We observed the next-stage payload being downloaded from URLs including:
hxxp://jf8df87sdfd.yesteryearrestorations[.]net/gate.php
hxxp://93345fdd.libertycolegios[.]com/gate.php
The dropped payload was named verinstere222.xls or verinstere33.exe (a naming convention that the actor used during that period). Instead of the
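The two download URLs above are published defanged (hxxp, [.]). As an added example, not part of the original Proofpoint write-up, the following script refangs them and sweeps constructed proxy log lines for requests to the same parent domains and gate.php path; the log format and the sample lines are assumptions, and the parent-domain heuristic is a simplification (it ignores multi-label suffixes such as co.uk).

```python
import re
from urllib.parse import urlparse

# Defanged next-stage download URLs quoted in the campaign description above.
DEFANGED_IOCS = [
    "hxxp://jf8df87sdfd.yesteryearrestorations[.]net/gate.php",
    "hxxp://93345fdd.libertycolegios[.]com/gate.php",
]

# Assumed proxy log layout: "<timestamp> <client-ip> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxp, [.], [:]) back into a parseable URL."""
    if url.lower().startswith("hxxp"):
        url = "http" + url[4:]
    return url.replace("[.]", ".").replace("[:]", ":")


def parent_and_path(url: str) -> tuple[str, str]:
    """Reduce a URL to (parent domain, path). The leading label is a throwaway
    subdomain in both indicators, so matching on the parent domain catches a
    rotated label. Two-label heuristic only; public-suffix aware code is better."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    parent = ".".join(host.split(".")[-2:])
    return parent, p.path


def ioc_keys(iocs: list[str]) -> set[tuple[str, str]]:
    """Build the match set from defanged indicators."""
    return {parent_and_path(refang(u)) for u in iocs}


def find_matches(log_lines: list[str], keys: set[tuple[str, str]]) -> list[tuple[str, str]]:
    """Return (client-ip, url) for every parseable log line hitting an indicator."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None:  # skip lines that do not fit the assumed layout
            continue
        if parent_and_path(m["url"]) in keys:
            hits.append((m["src"], m["url"]))
    return hits


# Constructed sample log lines (not real traffic): one rotated subdomain hit,
# one benign request to the same parent domain, one exact hit, one junk line.
SAMPLE_LOG = [
    "2019-08-28T10:02:11Z 10.0.0.5 GET http://a1b2c3.libertycolegios.com/gate.php 200",
    "2019-08-28T10:03:40Z 10.0.0.9 GET http://www.libertycolegios.com/index.html 200",
    "2019-08-28T10:04:02Z 10.0.0.5 GET http://jf8df87sdfd.yesteryearrestorations.net/gate.php 200",
    "malformed line that the parser should ignore",
]

if __name__ == "__main__":
    for src, url in find_matches(SAMPLE_LOG, ioc_keys(DEFANGED_IOCS)):
        print(f"{src} requested {url}")
```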