# An Analysis of Buer Loader

##### Trend Micro Research


-----

### Overview

Buer Loader, detected by Trend Micro as Trojan.Win32.BUERLOADER, was first observed when it was
advertised as a modular loader in August 2019. Since then, Buer Loader has continued its activity and
shown signs of further development. Buer Loader's main function is to download and execute additional
payloads. It can be used in compromised networks to distribute secondary payloads.

When it first entered the underground market, it was deliberately priced lower than Smoke Loader and
Amadey, which were its direct competitors. This was an indication that the threat actors behind its
distribution wanted to release a competitive product. As of this writing, we have identified one actor as its
distributor with many different operators using the service. Although the loader was competitively priced —
at one point even poised to compete with Emotet[1] — from our observations, its popularity has not reached
that of competitors like BazarLoader.

However, Buer Loader is still worth monitoring because of its continuing development and activity, such as
its involvement in targeted ransomware attacks. The loader is known to be used to deploy Cobalt Strike,
Wizard Spider (aka TrickBot) payloads, as well as payloads of other well-known ransomware, such as
Ryuk.

Recent updates of this loader are also worth reviewing. Originally, Buer Loader was written in C with a
control panel written in .NET,[2] but a newer version was observed in the second quarter of 2021, notably
rewritten in Rust. This Rust variant of Buer Loader, also known as RustyBuer, is the main focus of this
analysis. We also take note of this variant’s use of signed XLL files in our analysis.

To get a better understanding of Buer Loader and its activities, we first give a timeline of its iterations and
overall capabilities. As previously mentioned, Buer Loader dates back to August 2019, and has since then
been updated and used in different campaigns.

#### A Timeline of Noteworthy Buer Loader Events

As this table shows, Buer Loader gained popularity in 2020 after its initial inception. More importantly,
developments in 2021 indicate that Buer Loader will continue to be active in the near future.

**Date** **Event**
Aug 2019 - A threat actor advertises "Modular Buer Loader."[3]

          - The loader uses emails with Word attachments containing macros to download
the next stage.

          - Screenshots used as advertisements indicate that the loader was in development
at the beginning of 2019 (as discussed further in the section titled, “Buer Loader
Control Panel”).
Oct 2019 - The loader is used as part of a malvertising campaign in Australia using Fallout

EK. It dropped the KPOT stealer, Amadey, and Smoke Loader.[4]
Sep 2020 - The loader gained popularity and is considered an alternative to Emotet for
distributing Ryuk. Buer and Ryuk are found to be using the same shellcode loader
to execute the unpacked malware code in memory.[5]
Oct 2020 - The loader moves away from Google Docs and begins using Constant Contact.[6]
May 2021 - A new strain dubbed “RustyBuer” is observed written in RUST.[7]
Jul 2021 - It is observed that a signed XLL file delivers Buer Loader.[8]

Table 1. Buer Loader's activity timeline

|Date|Event|
|---|---|
|Aug 2019|• A threat actor advertises "Modular Buer Loader."3 • The loader uses emails with Word attachments containing macros to download the next stage. • Screenshots used as advertisements indicate that the loader was in development at the beginning of 2019 (as discussed further in the section titled, “Buer Loader Control Panel”).|
|Oct 2019|• The loader is used as part of a malvertising campaign in Australia using Fallout EK. It dropped the KPOT stealer, Amadey, and Smoke Loader.4|
|Sep 2020|• The loader gained popularity and is considered an alternative to Emotet for distributing Ryuk. Buer and Ryuk are found to be using the same shellcode loader to execute the unpacked malware code in memory.5|
|Oct 2020|• The loader moves away from Google Docs and begins using Constant Contact.6|
|May 2021|• A new strain dubbed “RustyBuer” is observed written in RUST.7|
|Jul 2021|• It is observed that a signed XLL file delivers Buer Loader.8|


-----

#### Buer Loader Capabilities

The primary capability of Buer Loader is to deploy a payload to infected machines with a variety of download
and execution options, which can be customized via a user-friendly control panel. We list down these
capabilities in the following table.

**Capability** **Impact**
Geotargeting/System profiling Geotargeting allows an actor to ensure that Commonwealth of
Independent States (CIS) countries are not targeted, likely as an
effort to avoid drawing the attention of local law enforcement.
System profiling, meanwhile, helps the actor ensure that the
payload is crafted for maximum impact.
Command-and-control (C&C) Base64-encoded C2 POST requests are used to send back system
communication via HTTPS POST information that facilitates system profiling.

A JSON object is returned by an actor in the beacon response,
which contains the configuration for how a payload will be
downloaded and executed.
Support for multiple architectures This works on Windows 7 x86/x64 and Windows 10 x86/x64
Panel can be expanded to Docker This releases notes to make a reference to suggest that the control
panel can be integrated into a Docker host. It is currently unknown
if this is an owned host or compromised host.
Support for self updates The JSON response beacon contains a file hash that can be used
to check for updates.
Table 2. List of Buer Loader capabilities and their impacts

We give a more detailed analysis of Buer Loader in a later section and list down the various campaigns it
has been a part of.

#### Buer Loader Activity Summary

We begin by summarizing Buer Loader’s activities, from its release in August 2019 to its most recent
iteration in the second quarter of 2021. We also break down the regions that saw the greatest number of
Buer Loader detections and the industries in which it is often detected based on our data.

Based on our Trend Micro™ Smart Protection Network™ (SPN) detections, we can see that Buer Loader
had the most active detections in India, followed by Israel. The top 10 countries where we detected the
most activity from Buer Loader can be seen in Figure 1.

|Capability|Impact|
|---|---|
|Geotargeting/System profiling|Geotargeting allows an actor to ensure that Commonwealth of Independent States (CIS) countries are not targeted, likely as an effort to avoid drawing the attention of local law enforcement. System profiling, meanwhile, helps the actor ensure that the payload is crafted for maximum impact.|
|Command-and-control (C&C) communication via HTTPS POST|Base64-encoded C2 POST requests are used to send back system information that facilitates system profiling. A JSON object is returned by an actor in the beacon response, which contains the configuration for how a payload will be downloaded and executed.|
|Support for multiple architectures|This works on Windows 7 x86/x64 and Windows 10 x86/x64|
|Panel can be expanded to Docker|This releases notes to make a reference to suggest that the control panel can be integrated into a Docker host. It is currently unknown if this is an owned host or compromised host.|
|Support for self updates|The JSON response beacon contains a file hash that can be used to check for updates.|


-----

Figure 1. Trend Micro Smart Protection Network global detections from January 2019 to November 1,

2021.

Based on our detections, the healthcare, banking, and telecommunications industries saw the most
detections of Buer Loader.

Figure 2. Trend Micro Smart Protection Network detections broken down by industry from January 2019

to November 1, 2021


-----

### Malware Analysis

Buer Loader has had several variations over the years, notably its use of Covid-19-related topics as a cover
for its malicious files, but it typically follows the stages described in Figure 3. In this section, we detail how
Buer Loader works based on the more recent Rust version of the malware.

Figure 3. The Buer loader kill chain

#### Buer Loader Arrival

As mentioned earlier, Buer Loader has undergone several variations over the years. This can be seen in
its arrival method, which has changed every year since it was first discovered.

Figure 4. Variations in Buer Loader’s arrival


-----

A notable aspect of Buer Loader’s arrival is its use of malicious Microsoft Word and Microsoft Excel
documents containing an embedded VBA macro that creates a process via WMI. This leads to a Base64encoded command that is executed by PowerShell.

Figure 5. Sample malicious Excel document used by Buer Loader

Olevba, a script for parsing OLE and OpenXML files, helps create the analysis table as seen in Figure 6.
The analysis shows AutoExec macro and PowerShell commands; the macro function itself is obfuscated
using Hex-encoded strings that must be concatenated, reordered, and decoded.


-----

Figure 6. Analysis table from olevba

It can be observed in the following VB script that “YNC_Status_ZDUZD” is passed as an argument to
complete the PowerShell command.

Figure 7. Function for executing the encoded PowerShell command

We reproduced this activity in a lab environment, and we confirmed that Behavior Monitoring terminates
the process before the command can be executed. The process chain seen in Figure 8 is taken from an
execution profile on the Trend Micro Vision One™ console.


-----

Figure 8. Execution profile for Buer Loader’s malicious document on the Trend Micro Vision One console

Further inspection of the command being executed by cmd.exe shows the full base64 command. The
Behavior Monitoring process termination is triggered by PolicyId: FLS.ISB.4037T.

Figure 9. Base64-encoded PowerShell command

The decoded command shows the creation of a web request to retrieve Buer Loader from softersyu[.]com.
The “IO.MemoryStream” triggers the Behavior Monitoring termination of “cmd.exe.” The loader is then
saved to \ProgramData\, and the process is started.

Figure 10. The decoded command


-----

#### Buer Loader Installation

As for Buer Loader’s installation, the beacon response can be configured to use one of two options provided
to the operator for achieving persistence. These options are to either use a shortcut (LNK) that runs on
startup or create a RunOnce registry key.

##### Anti-Analysis / Anti-Sandbox Routines

Buer Loader also uses code obfuscation techniques (call, push, ret) that are used to make analysis more
difficult. Additionally, the loader makes use of several time-based evasion techniques:

  - Reading the Windows installation date

  - Querying the system time

  - Using long sleep periods to make dynamic analysis difficult

Figure 11. Use of the Sleep function to hinder dynamic analysis

There are potential dummy code loops in its code, which could be an attempt to further delay analysis.
The loader enumerates processes or threads by making use of the Windows API functions
CreateToolhelp32Snapshot and ProcessInformation.

Once the processes have been enumerated, the malware proceeds to check for sandboxes and analysis
tools. The GetProcessHeap and IsDebuggerPresent functions are used to detect if the malware is being
debugged.

Figure 12. Function to check if the executable is being debugged

##### System Information Discovery

As mentioned earlier, the loader uses several time-based evasion techniques. To do this, it would need to
gather information on the infected system. Buer Loader’s code reveals several of the functionalities that
would allow it to get information on the system.


-----

One such functionality is to query local or system time, or GetSystemTimeAsFileTime as seen in Figure
13.

Figure 13. GetSystemTimeAsFileTime used to query the system time

Another functionality that this loader contains is to enumerate processes or threads and query a list of all
running processes by using CreateToolhelp32Snapshot and ProcessInformation.

The loader is designed to behave differently if executed on a Russian or Kazak computer as seen with
the help of NtQueryDefaultLocale@NTDLL.DLL in Figure 14.

Figure 14. Checking if the system is located in a CIS country

The loader contains functions for attempting to detect sandboxes and other analysis tools using the
following process names, modules, or functions:

  - VBOXSERVICE.EXE

  - VBOXTRAY.EXE

  - VMTOOLSD.EXE

  - VMWARETRAY.EXE

  - VMWAREUSER.EXE

  - VGAUTHSERVICE.EXE

  - VMACTHLP.EXE

  - VMSRVC.EXE

  - VMUSRVC.EXE

  - PRL_CC.EXE

  - PRL_TOOLS.EXE

  - XENSERVICE.EXE

  - QEMU-GA.EXE

  - WINDANR.EXE


-----

A Rust crate (hxxps://github[.]com/libcala/whoami) is used to retrieve system information that is to be sent
in an HTTP POST request to the C&C.

Figure 15. Use of Rust crate to determine system information

#### Signed XLL File for Buer Loader Delivery

One of the notable changes made by Buer Loader was the purchase of Sectigo OV Code Signing
certificates. This allowed for a new delivery mechanism, observed as the use of a signed XLL file, to deliver
Buer Loader. The value of signed certificates for the loader is that they can mislead personnel tasked to
defend the system.

Figure 16. XLL version of Buer Loader that is digitally signed

Checking the certificate information shows that the certificate is issued to the owner of khorum[.]ru. A whois
lookup reveals that the domain was registered shortly after the certificates appeared for sale on the
exploit[.]im forum.


-----

Figure 17. Whois information for khorum[.]ru

The certificate issued by Sectigo RSA Code Signing certificate authority (CA) was originally issued for one
year but has been revoked by the issuer.

Figure 18. The revoked Sectigo certificate

#### Buer Loader Control Panel

Much information can also be garnered from Buer Loader’s control panel, which incorporates several
features that allow the operator to easily monitor statistics in real time. The screenshots from this section
(Figures 19 to 22) were provided by the threat actor to advertise the loader. From an investigator’s
standpoint, these images give us insight into the operation.


-----

An interesting observation is that although the loader was first advertised in August 2019, activity on its
control panel was dated December 2018. Therefore, this image of the control panel is more than likely a
test environment for the actor. The tabs seen at the very top of Figure 19 translate to statistics, tasks, and
files. The panel, meanwhile, highlights the number of machines that are online, infected, or no longer calling
back to the C&C server.

Figure 19. The Buer Loader control panel[9]

Although the screenshots are for an earlier version, it is likely that the functionality has not changed
significantly. The reason for this assumption is that when Buer Loader was rewritten in Rust, it was still a
copy of its C version to maintain compatibility with the C&C infrastructure and the control panel.

Figure 20 shows the tasks tab that contains a task manager for tracking the ongoing deployment of
payloads. It also includes the ability to add updates for the payloads.

Figure 20. Buer Loader control panel showing its task manager[10]


-----

Figure 21 shows the Files tab, which is where the payloads are managed. Payloads can be uploaded here
for deployment. It also tracks the number of hosts that have downloaded a particular payload.

Figure 21. Buer Loader control panel showing its file management[11]

The control panel gives the operator the ability to customize options for tasks as shown here. It also allows
the operator to decide on the following options:

  - Architecture

  - Administrator rights (admin/user)

  - Number of CPU cores required

  - File name

  - Quantity (option to limit the number of executions)

  - Execution method (MemLoad/CreateProcess/ShellExecute)

  - Command-line argument

  - Method of persistence


-----

Figure 22. Buer Loader control panel showing its payload configuration[12]

As can be seen in these screenshots, the control panel looks to be very user-friendly and organized. To
investigators, this gives an overview of the capabilities of Buer Loader and the ways that it can be
customized.

#### Variant Written in Rust

Aside from the use of signed certificates, a relatively well-known change in Buer Loader was the shift to the
Rust programming language, as it had previously been written in C. There are several possible reasons for
this shift.

One possible reason is that Rust is becoming a popular alternative to C. This increased popularity can be
attributed to its efficiency, since it is low-level enough to maximize performance and run faster than C. Rust
can also efficiently combine multiple functions or libraries.

Another possible reason for the shift is that it is an attempt to make detections based on C obsolete. No
significant changes were done to the loader when it was rewritten from C to Rust, which means it maintained
compatibility with the existing Buer C&C infrastructure. This could indicate that the shift to Rust was an
attempt to make detections of its C version obsolete, or more simply to indicate a change in personnel
behind the development of the loader.


-----

### 2021 Campaigns Using Buer Loader 

In a campaign involving Buer Loader, the operator sets up a domain to facilitate C&C as part of the
campaign’s service. For investigators, this makes it easier to track campaigns involving Buer Loader, since
different operators will be using one domain at a time. Customers or other threat actors of this service
therefore have the option to move to a new domain, but this would come at an additional cost.

Aside from being rewritten in Rust, another notable aspect of 2021 campaigns that used Buer Loader was
their use of DHL and Covid-19 as a cover for their email and malicious file attachments, which were either
Word or Excel files. The threat actors tried to make the emails appear as legitimate as possible to convince
users to enable macros, as noted in the section discussing the arrival stage of Buer Loader.

Initially, Buer Loader used DHL as a cover, eventually mixing in Covid-19-related topics, before shifting to
Covid-19 entirely. Figure 23 is an example of an email that uses both DHL and Covid-19 as a cover for its
malicious content.

Figure 23. The DHL-themed lure with a reference to Covid-19


-----

We list down examples of 2021 campaigns that involved Buer Loader and their indicators in Table 3.

**Date** **Indicator** **Indicator**
Aug 2021 RustyBuer - 2b093ef5eef05f81d6b69c61951091a399ccf6dbc42df822c40f351
46a04523c
C2 server        - cerionetya[.]com
C2 server IP        - 104[.]248[.]244[.]25

                 - 161[.]35[.]155[.]123

Aug 2021 RustyBuer - 3c509e24ce23d756ebb4225fc3e7091abbb6a1b617f32557e5f4d
8d9f594416c
C2 server        - Bostauherde[.]com
C2 server IP        - 207[.]154[.]216[.]70

Aug 2021 RustyBuer - 5f6bbd8a228200f32915edd97f2762734b7e45fb24a3cf01ac8380
90e7e4d45e
C2 server        - Awmelisers[.]com
C2 server IP        - 142[.]93[.]102[.]244

Jul 2021 RustyBuer - 5f6bbd8a228200f32915edd97f2762734b7e45fb24a3cf01ac8380
90e7e4d45e
C2 server        - Awmelisers[.]com
C2 server IP        - 142[.]93[.]102[.]244

Jul 2021 RustyBuer - 001405ded84e227092bafe165117888d423719d7d75554025ec4
10d1d6558925
C2 server        - seryanjek[.]com
C2 server IP        - 161[.]35[.]210[.]224

Apr 2021 RustyBuer - edc3b5f8d45d7a1cceee144e57fc5ddfaf8c0c7407a1514d2f3bab4
f3c9f18b8
C2 server        - Vesupyny[.]com
C2 server IP        - 161[.]35[.]21[.]48

                 - 167[.]99[.]202[.]172
Table 3. A summary of Buer Loader campaigns and related indicators

### Buer Loader Infrastructure and C&C Analysis

With respect to infrastructure, the C&C functionality for Buer Loader is handled by HTTPS POST requests.
These requests contain encrypted system information from the infected machine. These are also padded
out with randomly generated text. The requests use the following to encrypt or encode the information:[13]

  - Base64

  - Hex encoding

  - RC4 encryption

|Date|Indicator|Indicator|
|---|---|---|
|Aug 2021|RustyBuer|• 2b093ef5eef05f81d6b69c61951091a399ccf6dbc42df822c40f351 46a04523c|
||C2 server|• cerionetya[.]com|
||C2 server IP|• 104[.]248[.]244[.]25 • 161[.]35[.]155[.]123|
||||
|Aug 2021|RustyBuer|• 3c509e24ce23d756ebb4225fc3e7091abbb6a1b617f32557e5f4d 8d9f594416c|
||C2 server|• Bostauherde[.]com|
||C2 server IP|• 207[.]154[.]216[.]70|
||||
|Aug 2021|RustyBuer|• 5f6bbd8a228200f32915edd97f2762734b7e45fb24a3cf01ac8380 90e7e4d45e|
||C2 server|• Awmelisers[.]com|
||C2 server IP|• 142[.]93[.]102[.]244|
||||
|Jul 2021|RustyBuer|• 5f6bbd8a228200f32915edd97f2762734b7e45fb24a3cf01ac8380 90e7e4d45e|
||C2 server|• Awmelisers[.]com|
||C2 server IP|• 142[.]93[.]102[.]244|
||||
|Jul 2021|RustyBuer|• 001405ded84e227092bafe165117888d423719d7d75554025ec4 10d1d6558925|
||C2 server|• seryanjek[.]com|
||C2 server IP|• 161[.]35[.]210[.]224|
||||
|Apr 2021|RustyBuer|• edc3b5f8d45d7a1cceee144e57fc5ddfaf8c0c7407a1514d2f3bab4 f3c9f18b8|
||C2 server|• Vesupyny[.]com|
||C2 server IP|• 161[.]35[.]21[.]48 • 167[.]99[.]202[.]172|


-----

An example of the POST request can be seen in Figure 23. We can see that there are chunks of data that
are delimited by “=” and that contain random strings appended with the “&” at the end. The number of
characters of randomly generated text varies from six to eight characters. Once the random characters are
removed, the string can be decoded using an RC4 key.

Figure 23. POST request containing system information

The following is an example of a decoded string:

299bc0beffe830d0871f8f6d7cadb40117208ea59f59cadd08b220b903f4e31c|e3b0c44298fc1c149afbf4c8
996fb92427ae41e4649b934ca495991b7852b855|Windows 7 Ultimate|x64|4|Admin|[Computer
Name]|133/238|[AD Domain]|[User Name]|1

The piped string contains digests of system parameters and the loader itself. The piped string is broken
down in the next table.

**Information sent to C&C** **Note**

Bot ID SHA256 of system parameters

SHA256 of loader

Windows version Used in control panel

Architecture Used in control panel

Number of processors Used in control panel

User privileges Possibly to identify opportunities for access as a service (AaaS)

Computer name Used in control panel

Space used/total space

Active Directory (AD) Domain

Username

Table 4. HTTPS POST information

|Information sent to C&C|Note|
|---|---|
|Bot ID|SHA256 of system parameters|
|SHA256 of loader||
|Windows version|Used in control panel|
|Architecture|Used in control panel|
|Number of processors|Used in control panel|
|User privileges|Possibly to identify opportunities for access as a service (AaaS)|
|Computer name|Used in control panel|
|Space used/total space||
|Active Directory (AD) Domain||
|Username||


-----

|JSON object|Note|
|---|---|
|Type|Option to update itself or download and execute|
|Options • Hash • x64 • FileType • AssemblyType • AccessToken • External|Hash used for checking updates AccessToken used to download the payload External – Payload from C&C or another URL|
|Method|Execution method to be employed|
|Parameters|Command-line arguments|
|pathToDrop|Specify path where the payload will download to|
|Autorun|Used to specify persistence via a RunOnce registry key|
|Modules|Future prebuilt modules advertised|
|Timeout|Possible debug function|


Table 5. JSON response beacon

## The future of Buer Loader

Changes from Microsoft might influence the future of Buer Loader. The company’s announcement that
Excel 4.0 VBA macros will be disabled by default could greatly make an impact on Buer Loader’s execution
phase, as is the case for most malware families in general. We expect the threat actors behind Buer Loader
to move from using VBA macros to another method of executing the loader. Our monitoring of discussions
with regard to the VBA macros being disabled on underground forums seems to show that threat actors will
focus on users themselves as the main vulnerability.

## Tactics and Techniques

#### Mitre ATT&CK


-----

## References

1 Sean Gallagher. (Oct. 28, 2020). Sophos. “Hacks for sale: inside the Buer Loader malware-as-a-service.”
[Accessed on Oct. 25, 2021, at https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-](https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/)
[loader-malware-as-a-service/.](https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/)

2 CISOMAG. (Dec. 9, 2019). CISOMAG. “Buer, a New Loader Discovered in Several Malware Campaigns.”
Accessed on Oct. 28, 2021, at [https://cisomag.eccouncil.org/buer-loader-a-rising-superstar-of-the-dark-](https://cisomag.eccouncil.org/buer-loader-a-rising-superstar-of-the-dark-web/)
[web/.](https://cisomag.eccouncil.org/buer-loader-a-rising-superstar-of-the-dark-web/)

3 Viktor Okorokov and Nikita Rostovcev. (Aug. 5, 2021). Group-IB. “Prometheus TDS.” Accessed on Oct.
[14, 2021, at https://blog.group-ib.com/prometheus-tds.](https://blog.group-ib.com/prometheus-tds)

4 Kelsey Merriman, Dennis Schwarz, Kafeince, and Axel F. (Dec. 4, 2019). Proofpoint. “Buer, a new loader
emerges in the underground marketplace.” Accessed on Oct. 14, 2021, at
[https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace.](https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace)

5 Sean Gallagher. (Oct. 28, 2020). Sophos. “Hacks for sale: inside the Buer Loader malware-as-a-service.”
[Accessed on Oct. 25, 2021, at https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-](https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/)
[loader-malware-as-a-service/.](https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/)

6 Sean Gallagher. (Oct. 28, 2020). Sophos. “Hacks for sale: inside the Buer Loader malware-as-a-service.”
[Accessed on Oct. 25, 2021, at https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-](https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/)
[loader-malware-as-a-service/.](https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/)

7 Kelsey Merriman, Bryan Campbell, Selena Larson, and the Proofpoint Threat research team. (May 3,
2021). Proofpoint. “New Variant of Buer Loader Written in Rust.” Accessed on Oct. 25, 2021, at
[https://www.proofpoint.com/us/blog/threat-insight/new-variant-buer-loader-written-rust.](https://www.proofpoint.com/us/blog/threat-insight/new-variant-buer-loader-written-rust)

8 Val Saengphaibul and Fred Gutierrez. (July 19, 2021). Fortinet. “Signed, Sealed, and Delivered – Signed
XLL File Delivers Buer Loader.” Accessed on Oct. 25, 2021, at [https://www.fortinet.com/blog/threat-](https://www.fortinet.com/blog/threat-research/signed-sealed-and-delivered-signed-xll-file-delivers-buer-loader)
[research/signed-sealed-and-delivered-signed-xll-file-delivers-buer-loader.](https://www.fortinet.com/blog/threat-research/signed-sealed-and-delivered-signed-xll-file-delivers-buer-loader)

9 Kelsey Merriman, Dennis Schwarz, Kafeince, and Axel F. (Dec. 4, 2019). Proofpoint. “Buer, a new loader
emerges in the underground marketplace.” Accessed on Oct. 14, 2021, at
[https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace.](https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace)

10 Kelsey Merriman, Dennis Schwarz, Kafeince, and Axel F. (Dec. 4, 2019). Proofpoint. “Buer, a new loader
emerges in the underground marketplace.” Accessed on Oct. 14, 2021, at
[https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace.](https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace)

11 Kelsey Merriman, Dennis Schwarz, Kafeince, and Axel F. (Dec. 4, 2019). Proofpoint. “Buer, a new loader
emerges in the underground marketplace.” Accessed on Oct. 14, 2021, at
[https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace.](https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace)

12 Kelsey Merriman, Dennis Schwarz, Kafeince, and Axel F. (Dec. 4, 2019). Proofpoint. “Buer, a new loader
emerges in the underground marketplace.” Accessed on Oct. 14, 2021, at
[https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace.](https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace)

13 Kelsey Merriman, Bryan Campbell, Selena Larson, and the Proofpoint Threat research team. (May 3,
2021). _Proofpoint. “New Variant of Buer Loader Written in Rust.” Accessed on Oct. 25, 2021, at_
[https://www.proofpoint.com/us/blog/threat-insight/new-variant-buer-loader-written-rust.](https://www.proofpoint.com/us/blog/threat-insight/new-variant-buer-loader-written-rust)


-----