{
	"id": "1dfc62b6-8ddf-4487-a168-7b90c9cd6d22",
	"created_at": "2026-04-06T00:09:24.949128Z",
	"updated_at": "2026-04-10T13:11:19.541807Z",
	"deleted_at": null,
	"sha1_hash": "eca4318080eab4350b2034574bd4b66576cf243f",
	"title": "Buer, a new loader emerges in the underground marketplace | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3523600,
	"plain_text": "Buer, a new loader emerges in the underground marketplace | Proofpoint US\r\nBy Kelsey Merriman | Dennis Schwarz | Kafeine | Axel F | Proofpoint Threat Insight Team\r\nPublished: 2019-12-04 · Archived: 2026-04-05 12:34:44 UTC\r\nOverview\r\nFor several years, Proofpoint researchers have been tracking the use of first-stage downloaders, which threat actors use to install other forms of malware during and after their malicious email campaigns. In particular, over the last two years, these downloaders have become increasingly robust, providing advanced profiling and targeting capabilities.\r\nMore importantly, downloaders and other malware like botnets and banking Trojans have displaced ransomware as primary payloads, giving threat actors the flexibility to deploy a range of malware in secondary infections. For example, one of the most prevalent, Smoke Loader, has been used extensively to drop payloads such as the Ursnif and The Trick banking Trojans, as well as using its own modules for credential theft and other information- and data-stealing functions.\r\nSince late August 2019, Proofpoint researchers have been tracking the development and sale of a new modular loader, named Buer by its authors. Buer has features that are highly competitive with Smoke Loader, is being actively sold in prominent underground marketplaces, and is intended for use by actors seeking a turn-key, off-the-shelf solution.\r\nCampaigns\r\nAugust 28, 2019\r\nOn August 28, Proofpoint researchers observed malicious email messages that appear to reply to earlier legitimate email conversations. 
They contained Microsoft Word attachments that use Microsoft Office macros to download the next-stage payload.\r\nFigure 1: Example Microsoft Word attachment used in the August 28, 2019, campaign\r\nWe observed the next-stage payload being downloaded from URLs including:\r\nhxxp://jf8df87sdfd.yesteryearrestorations[.]net/gate.php\r\nhxxp://93345fdd.libertycolegios[.]com/gate.php\r\nThe dropped payload was named verinstere222.xls or verinstere33.exe (a naming convention that the actor used during that period). Instead of the Dreambot variant of Ursnif frequently associated with this actor, the payload was an undocumented loader not previously observed in the wild.\r\nIn the following weeks over September and October, Proofpoint researchers and other members of the infosec community [1] observed several campaigns from the same actor dropping either the Dreambot variant of Ursnif or this new loader.\r\nOctober 10, 2019\r\nOn October 10, Proofpoint researchers observed a malvertising campaign in Australia redirecting to the Fallout Exploit Kit (EK), which dropped the new loader.\r\nFigure 2: HTTP network traffic trace with the Fallout EK exploiting vulnerable browsers\r\nThe loader then dropped several second-stage malware payloads including KPOT stealer, Amadey, and Smoke Loader.\r\nOctober 21, 2019\r\nSince the beginning of July, Proofpoint researchers observed approximately 100 campaigns involving Ostap [2] almost exclusively loading several instances of The Trick. On October 21, however, Proofpoint researchers observed malicious email messages with subject lines such as “Penalty Notice # PKJWVBP” containing Microsoft Word attachments. The documents contained macros that, if enabled, would execute Ostap. 
We observed Ostap downloading this loader from\r\nhxxps://185.130.104[.]187/nana/kum.php?pi=18b\u0026[redacted]\r\nwhich in turn loaded The Trick “ono22” from its C\u0026C: garrisontx[.]us\r\nFigure 3: Network traffic observed once the macro in the malicious documents is enabled.\r\nFigure 4: Example Microsoft Word attachment used in the October 21 campaign\r\nMarketplace \u0026 Feature Analysis\r\nBecause we began observing this new loader in use in multiple, distinct campaigns, we expected that it was being sold in an underground marketplace to multiple actors. Moreover, we discovered an advertisement from August 16 on an underground forum describing a loader named “Buer” that matched the functionality of the malware observed in the above campaigns. The features added and advertised in the following weeks match exactly with the evolution of the loader found in these campaigns.\r\nWe retrieved text from a bulletin board posting by the author, in Russian, requesting a payment of $400 for the malware, and offering their services to set up the software for prospective customers in order to get it up and running. The author also notes that updates and bug fixes are free of charge, but there is a $25 surcharge for “rebuilding to new addresses.”\r\nThe following text, which Proofpoint also extracted from the underground marketplace, and which is presumed to be written by the author of the malware, is a summary of the functionality of the loader as described in the original Russian:\r\nFigure 5: Text from underground forum post describing Buer Loader bot functionality\r\nSimilarly, the advertisement also lists control panel functionality. 
The author notes that the modular bot is written entirely in C, using a control panel written in .NET Core, emphasizing higher performance in both the client and server due to the choice of programming language.\r\nAs per the description, the bot has a total payload of 55 to 60 kilobytes, functions as a native Windows executable and dynamic link library, runs entirely in resident memory, and is compatible with 32-bit and 64-bit Microsoft Windows operating systems.\r\nThe bot communicates over an HTTPS connection and can be updated remotely from the control panel after the decrypt as well as the rebuild.\r\nThe author also notes that the loader runs as a surrogate process of a trusted application, and functions using user-level privileges.\r\nMost notably, the software will not run in the CIS (former Soviet states, such as Russia).\r\nThe ad describes the following features for the server and control panel:\r\nThe control panel is advertised as also being written in .NET Core, noting easy installation on Ubuntu / Debian Linux server systems.\r\nThe server provides a wide range of statistics, including counters for online, living, dead, and total bots; a real-time update for the list of bots; a file download counter; and an ability to filter systems by type of operating system, access rights of installed bots, and number of logical CPU cores.\r\nDownloaded files from the infected systems are stored in encrypted form on the server, with access granted by a token.\r\nMost importantly, like the bots themselves, the author notes that the server does not process API requests sent from within CIS-member countries.\r\nThe forum post also included technical release notes for the Buer loader and control panel (version 1.1.2). 
In the introduction, the author noted that launching the loader now consists of three steps: if the first two steps are unsuccessful on the infected system, and the injection into the surrogate process fails (for example, due to incompatibility with the crypt itself), the loader will execute under its own process instead.\r\nThe release notes call out the following for the loader:\r\nThe loader uses a FastFlux architecture.\r\nThe loader works from under a trusted process within Microsoft Windows. The MemLoadEx process now supports x64 [.]exe as a trusted application.\r\nMemLoad has been updated and now supports native x32 [.]exe.\r\nThe release notes call out the following features for the control panel:\r\nAPI access is accomplished using HTTPS with support for self-signed certificates.\r\nSupport for editing tasks in the panel. The user can stop the task during execution and change the payload and the number of executions.\r\nAdded the ability to create a task by bot ID. Very suitable for point loads.\r\nA step-by-step window for creating tasks.\r\nA notification that allows you to learn about the necessary bots online.\r\nThe uniqueness of the bot ID has been increased.\r\nTags have been added to the panel, allowing sorting of bots for subsequent actions with them.\r\nDisplays the computer name in the table.\r\nImproved crypto compatibility.\r\nAdded bot history.\r\n“The panel now expands to Docker” (Docker container support).\r\nProofpoint Researcher Note: We presume this feature is for ease of integration into leased Docker hosts, simplifying installation, although potentially the panel/C\u0026C could be installed on a compromised Docker host.\r\nValidation of the file on the panel. 
Now the panel will not miss a file that the loader will not be able to download, and will notify the client about this.\r\nTasks can now be repeated.\r\nFinally, the author described the following technical changes for version 1.1.9. These are noteworthy as they demonstrate that the malware is under active, professional development.\r\nThe loader has acquired a new method for launching External for local files. The advantages of the method are uniqueness and no CreateProcess / ShellExecute through the loader. The launch produces a trusted process without any commands to it.\r\nThe panel has the ability to tag all bots that have performed a specific task. This will allow the user to distribute the payload to certain groups of bots.\r\nImplemented integration API. Documentation is available for it.\r\nAdded the ability to send a file by reference in proxy mode. The file is transferred to the bot in encrypted form.\r\nThe bug of counting bots by country has been fixed and other improvements have been added.\r\nControl Panel Screenshots\r\nThe following control panel screenshots were included in the underground advertisement, showing some of the back-end capabilities available to customers, including telemetry monitoring, host filtering, and more.\r\nFigure 6: Control panel login UX for the Buer Loader C\u0026C\r\nFigure 7: Bot telemetry monitoring screen for the Buer control panel.\r\nFigure 8: Dark mode bot telemetry monitoring screen for the Buer control panel.\r\nFigure 9: Control panel filter view depicting remote bots filtered by Microsoft Windows architecture.\r\nFigure 10: Control panel view depicting 
file management for loader tasks\r\nFigure 11: Control panel view of remote bots sorted by user rights.\r\nFigure 12: Control panel view, task status\r\nFigure 13: Control panel view, creation of a task\r\nMalware Analysis\r\nBuer Loader is a new downloader malware that downloads and executes additional payloads.\r\nAnti-analysis features\r\nThe loader contains some basic anti-analysis functionality:\r\nChecks for debuggers by inspecting the NtGlobalFlag in the Process Environment Block (PEB) and Thread Environment Block (TEB)\r\nChecks for virtual machines using the Red Pill [4], No Pill [5], and related mechanisms\r\nChecks locale to make sure the malware is not running in specific countries (Figure 14)\r\nFigure 14: Malware check to make sure it is not running in specific countries\r\nPersistence\r\nPersistence is set up by configuring a Registry RunOnce entry. Depending on the version, the registry entry will execute the malware directly or schedule a task to execute it.\r\nEncrypted Strings\r\nThis sample stores its strings encrypted and contains a routine to decrypt them at runtime.\r\nFigure 15: Decryption sequence for strings\r\nThe following function is an example of how to decrypt the encrypted strings in Ghidra using Jython:\r\nFigure 16: Decryption sequence for strings (Python version)\r\nFigure 17: Example string decryptions\r\nWindows API Calls\r\nThis sample uses a hashing algorithm to resolve most of its Windows API calls. The hashing algorithm uppercases each character of the API name and then, for each character in turn, rotates the running 32-bit hash right (ROR) by 13 bits and adds the character value; the final 32-bit value identifies the API.\r\nFigure 18: Hashing algorithm to resolve Windows API calls\r\nThe following function is an example of how Python can be used to help resolve the API calls.\r\nFigure 19: Example Python script used to aid in resolving hashed Windows API calls\r\nThe following table contains a list of some selected hashes used and their corresponding Windows API name:\r\nWindows API name | Hash\r\nCreateMutexW | 0xed619452\r\nOpenMutexW | 0x7bffe25e\r\nCreateProcessW | 0xb4f0f46f\r\nWinHttpOpen | 0xaf7f658e\r\nWinHttpCrackUrl | 0x8ef04f02\r\nWinHttpConnect | 0x9f47a05e\r\nWinHttpOpenRequest | 0x1dd1d38d\r\nTable 1: Windows API calls with selected hashes\r\nCommand and Control\r\nCommand and control (C\u0026C) functions are handled via HTTP(S) GET requests. An example command beacon is shown in Figure 20:\r\nFigure 20: Example command beacon\r\nThese requests go to the “update API” and contain an encrypted parameter. This parameter can be decrypted by:\r\n1. Base64 decoding\r\n2. Hex decoding\r\n3. 
RC4 decryption (the key used in the analyzed samples was “CRYPTO_KEY”)\r\nAn example of the plaintext parameter is:\r\n88a5e68a2047fa5ebdc095a8500d8fae565a6b225ce94956e194b4a0e8a515ae|ab21d61b35a8d1dc4ffb3cc4b75094c31b8c00de3ffaaa17ce1ad15e8\r\n7|x64|4|Admin|RFEZOWGZPBYYOI\r\nIt contains pipe-delimited data consisting of:\r\nBot ID (SHA-256 hex digest of various system parameters such as hardware profile GUID and name, computer name, volume serial number, and CPUID)\r\nA SHA-256 hash of its own executable image\r\nWindows version\r\nArchitecture type\r\nNumber of processors\r\nUser privileges\r\nComputer name\r\nAn example command beacon response is shown in Figure 21:\r\nFigure 21: Example command beacon response\r\nIt can be decrypted similarly to the request parameter above, except that the hex-encoded bytes are separated by dash characters. An example plaintext response is shown in Figure 22:\r\nFigure 22: Plaintext command beacon response\r\nThe decrypted text is a JSON object containing various options on how to download and execute a payload:\r\ntype - there are two types:\r\nupdate - update self\r\ndownload_and_exec - download and execute\r\noptions - specifies options for the payload to download:\r\nHash - only applicable to the “update” type, to determine whether a new update is available\r\nx64 - whether the payload is 64-bit\r\nFileType - not used in analyzed samples\r\nAssemblyType - not used in analyzed samples\r\nAccessToken - used to download the payload (see below)\r\nExternal - indicates whether the payload is downloaded from the C\u0026C or an external URL\r\nmethod - method of execution:\r\nexelocal - create process\r\nmemload - inject and manually load payload\r\nmemloadex - inject and manually load payload\r\nloaddllmem - inject and manually load payload\r\nparameters - parameters to pass on the command line\r\npathToDrop - 
not used in analyzed samples\r\nautorun - indicates whether to set up Registry RunOnce persistence for the payload\r\nmodules - see Modules section below\r\ntimeout - not used in analyzed samples\r\nPayloads downloaded from the C\u0026C server are retrieved via requests to the “download API”, as seen in Figure 23:\r\nFigure 23: Downloading payload from C\u0026C\r\nAn example of the plaintext request parameter is shown below:\r\n88a5e68a2047fa5ebdc095a8500d8fae565a6b225ce94956e194b4a0e8a515ae|58007044-67d4-4963-9f5f-400dfbc69e74\r\nIt contains the bot’s ID and the “AccessToken” from the command beacon response. If the payload is downloaded from the C\u0026C, it is encrypted with RC4. In the analyzed samples the key was “CRYPTO_KEY”.\r\nModules\r\nThe command beacon response contains a “modules” list. Proofpoint researchers have not observed Buer modules being used in the wild yet, but based on the code this list will contain module AccessTokens. The module file name is queried by sending an AccessToken to the “module API” of the C\u0026C. The module is then downloaded using the “downloadmodule API”. Once downloaded and decrypted, it is loaded using the “loaddllmem” method.\r\nConclusion\r\nA new downloader, Buer, has appeared recently in a variety of campaigns: via malvertising leading to exploit kits; as a secondary payload via Ostap; and as a primary payload downloading malware such as The Trick banking Trojan.\r\nThe new loader has robust geotargeting, system profiling, and anti-analysis features and is currently being marketed on underground forums with value-added setup services. 
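As an added example (it is not code from the Proofpoint article, nor from the malware author), the following Python reproduces the two reversing aids described above in the Windows API Calls and Command and Control sections: the ROR-13 API-name hash, checked against the CreateMutexW entry of Table 1, and the base64 / hex / RC4 layering of the update-API request parameter and of the dash-separated response, parsed into the pipe-delimited profile fields and the JSON task object. The encrypted inputs are constructed inline by applying the same layering in reverse with the key reported for the analyzed samples; they are not captured traffic, and the labels used for the parsed profile fields are this example's own.

```python
import base64
import json

RC4_KEY = b'CRYPTO_KEY'   # key reported for the analyzed samples


def rc4(key: bytes, data: bytes) -> bytes:
    # Plain RC4 (KSA + PRGA); encryption and decryption are the same operation.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xff
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xff
        j = (j + s[i]) & 0xff
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xff])
    return bytes(out)


def decrypt_beacon_param(param: str, key: bytes = RC4_KEY) -> bytes:
    # Update-API request parameter: base64 -> hex text -> RC4 ciphertext.
    hex_text = base64.b64decode(param).decode('ascii')
    return rc4(key, bytes.fromhex(hex_text))


def decrypt_beacon_response(body: str, key: bytes = RC4_KEY) -> dict:
    # Response: same layering, but the hex bytes are dash-separated (ab-cd-ef).
    hex_text = base64.b64decode(body).decode('ascii').replace('-', '')
    return json.loads(rc4(key, bytes.fromhex(hex_text)).decode('utf-8'))


# Field labels are this example's own; the order is the one given in the article.
BEACON_FIELDS = ('bot_id', 'image_sha256', 'windows_version', 'arch',
                 'num_processors', 'privileges', 'computer_name')


def parse_beacon(plaintext: bytes) -> dict:
    parts = plaintext.decode('utf-8').split('|')
    if len(parts) != len(BEACON_FIELDS):
        raise ValueError(f'expected {len(BEACON_FIELDS)} fields, got {len(parts)}')
    return dict(zip(BEACON_FIELDS, parts))


def ror13_hash(api_name: str) -> int:
    # Uppercase the name, then per character: h = ROR32(h, 13) + ord(c).
    h = 0
    for ch in api_name.upper().encode('ascii'):
        h = ((h >> 13) | (h << 19)) & 0xffffffff
        h = (h + ch) & 0xffffffff
    return h


def resolve_api_hashes(hashes, candidates):
    # Reverse lookup: hash every candidate export name once, then map back.
    table = {ror13_hash(name): name for name in candidates}
    return {h: table.get(h) for h in hashes}


# --- constructed sample data (not captured traffic) ---
def build_sample_param(profile: str) -> str:
    # Apply the loader's layering forwards so the decoder can be exercised offline.
    return base64.b64encode(rc4(RC4_KEY, profile.encode()).hex().encode()).decode()


def build_sample_response(task: dict) -> str:
    raw = rc4(RC4_KEY, json.dumps(task).encode())
    return base64.b64encode('-'.join(f'{b:02x}' for b in raw).encode()).decode()


if __name__ == '__main__':
    # Placeholder hashes; the AccessToken is the one quoted in the article.
    profile = '|'.join(['a1' * 32, 'b2' * 32, '7', 'x64', '4', 'Admin', 'RFEZOWGZPBYYOI'])
    print(parse_beacon(decrypt_beacon_param(build_sample_param(profile))))
    task = {'type': 'download_and_exec', 'method': 'memloadex',
            'options': {'x64': True, 'External': False,
                        'AccessToken': '58007044-67d4-4963-9f5f-400dfbc69e74'}}
    print(decrypt_beacon_response(build_sample_response(task)))
    print(resolve_api_hashes([0xed619452, 0x12345678], ['CreateMutexW', 'OpenMutexW']))
```

Against a real sample, pass the parameter value of the update-API GET and the raw response body to the two decrypt functions; if a build uses a key other than CRYPTO_KEY, the RC4 output will almost certainly fail to decode as UTF-8 or JSON, which is the quickest sign that the key has to be recovered from the binary first. For API-hash resolution, feed resolve_api_hashes the export names of the DLLs the loader touches (kernel32, winhttp, ntdll and so on); the table lookup is O(1) per hash once the candidate names are hashed.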
The Russian-speaking author(s) is actively developing the downloader with sophisticated control panels and a rich feature set, making the malware competitive in underground markets.\r\nThe downloader is written in C while the control panel is written in .NET Core, indicating optimization for performance and a small download footprint, as well as the ability to easily install the control panel on Linux servers; built-in support for Docker containers will further facilitate its proliferation on rented hosts used for malicious purposes, and potentially on compromised hosts as well. The latter capability is included in its advertised features and release notes.\r\nReferences\r\n[1] https://twitter.com/malware_traffic/status/1182456890095259652\r\n[2] https://www.cert.pl/en/news/single/ostap-malware-analysis-backswap-dropper/\r\n[3] https://www.proofpoint.com/us/threat-insight/post/ostap-bender-400-ways-make-population-part-with-their-money\r\n[4] https://www.aldeid.com/wiki/X86-assembly/Instructions/sidt\r\n[5] https://www.aldeid.com/wiki/X86-assembly/Instructions/sldt\r\nIndicators of Compromise (IOCs)\r\nIOC | Type | Description\r\nfa699eab565f613df563ce47de5b82bde16d69c5d0c05ec9fc7f8d86ad7682ce | sha256 | 2019-08-28\r\nhxxp://45.76.247[.]177:8080/api/update/ | URL | Buer C\u0026C callback, 2019-08-28\r\n6c694df8bde06ffebb8a259bebbae8d123effd58c9dd86564f7f70307443ccd0 | sha256 | 2019-09-03\r\n197163b6eb2114f3b565391f43b44fb8d61531a23758e35b11ef0dc44d349e90 | sha256 | 2019-09-24\r\nhxxps://173.212.204[.]171/api/update/ | URL | Buer C\u0026C callback, 2019-09-24\r\n9e8db7a722cc2fa13101a306343039e8783df66f4d1ba83ed6e1fe13eebaec73 | sha256 | 2019-10-16 (Fallout drop)\r\nhxxp://134.0.119[.]53:8080/api/update/ | URL | Buer C\u0026C callback, 2019-10-16\r\nab21d61b35a8d1dc4ffb3cc4b75094c31b8c00de3ffaaa17ce1ad15e876dbd1f | sha256 | 2019-10-21 (Ostap drop)\r\nhxxps://garrisontx[.]us/api/update/ | URL | Buer C\u0026C callback, 2019-10-21\r\nhxxps://185.130.104[.]187/nana/kum.php?pi=18b | URL | Ostap instance dropping Buer, 2019-10-21\r\n753276c5887ba5cb818360e797b94d1306069c6871b61f60ecc0d31c78c6d31e | sha256 | Buer, 2019-11-28\r\nffload01[.]top / 185.125.58[.]11 | domain / IP | Buer C\u0026C, 2019-11-28\r\nffload01[.]top / 185.186.141[.]129 | domain / IP | Buer C\u0026C, 2019-11-28\r\nET and ETPRO Suricata/Snort Signatures\r\n2029077 || ET TROJAN Buer Loader Update Request\r\n2029079 || ET TROJAN Buer Loader Response\r\n2029078 || ET TROJAN Buer Loader Download Request\r\n2839684 || ET TROJAN Buer Loader Successful Payload Download\r\n2029080 || SSL/TLS Certificate Observed (Buer Loader)\r\nSource: https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace"
	],
	"report_names": [
		"buer-new-loader-emerges-underground-marketplace"
	],
	"threat_actors": [],
	"ts_created_at": 1775434164,
	"ts_updated_at": 1775826679,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eca4318080eab4350b2034574bd4b66576cf243f.pdf",
		"text": "https://archive.orkl.eu/eca4318080eab4350b2034574bd4b66576cf243f.txt",
		"img": "https://archive.orkl.eu/eca4318080eab4350b2034574bd4b66576cf243f.jpg"
	}
}