Threat Hunting Content to Spot Traces of Buer Loader

A new community rule by Ariel Millahuel that enables detection of Buer loader is available on Threat Detection Marketplace: https://tdm.socprime.com/tdm/info/5F93tXFdZmx9/

Buer is a modular loader that was first spotted at the end of last summer, and since then this malware has been actively promoted on underground marketplaces. Proofpoint researchers tracked multiple campaigns spreading Buer loader via phishing emails with malicious attachments and via exploit kits. The malware is written in C, runs entirely in resident memory, and can infect both 32-bit and 64-bit Windows systems. Buer loader communicates over HTTPS and is quite popular due to its anti-analysis capabilities. Its capabilities are similar to those of Smoke Loader, which was covered in our past Rule Digest: https://socprime.com/blog/rule-digest-fresh-content-to-detect-trojans-and-ransomware/

Ariel Millahuel is the author of around 200 exclusive and community Sigma rules. He joined the Threat Bounty Program in the fall of 2019 and since then, he has been actively involved in community development. The interview with Ariel is published on our website: https://socprime.com/blog/interview-with-developer-ariel-millahuel/

Threat Detection is supported for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint

EDR: Carbon Black, Elastic Endpoint

MITRE ATT&CK:

Tactics: Persistence

Techniques: Registry Run Keys / Startup Folder (T1060), Winlogon Helper DLL (T1004)
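As an added illustration of the two persistence techniques listed above (this is example code, not the Marketplace rule itself), the following Python flags registry value-set events that touch Run/RunOnce keys or the Winlogon Userinit, Shell and Notify values, while ignoring the unchanged baseline Userinit value. It assumes Sysmon Event ID 13 records flattened to key=value lines; the sample events, paths and file names are constructed.

```python
import re

# Constructed Sysmon Event ID 13 (RegistryEvent: Value Set) records flattened to key=value text.
SAMPLE_EVENTS = [
    "EventID=13 Image=C:\\Users\\u\\AppData\\Roaming\\ldr.exe "
    "TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater "
    "Details=C:\\Users\\u\\AppData\\Roaming\\ldr.exe",
    "EventID=13 Image=C:\\Windows\\System32\\reg.exe "
    "TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit "
    "Details=C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\helper.dll",
    "EventID=13 Image=C:\\Windows\\regedit.exe "
    "TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\x\\DLLName "
    "Details=C:\\ProgramData\\helper.dll",
    "EventID=13 Image=C:\\Windows\\System32\\msiexec.exe "
    "TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit "
    "Details=C:\\Windows\\system32\\userinit.exe,",
    "EventID=13 Image=C:\\Program Files\\App\\app.exe "
    "TargetObject=HKLM\\SOFTWARE\\Vendor\\App\\Setting Details=1",
]

# Field values may contain spaces, so stop only before the next " Name=" token or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

# Registry locations behind the two techniques the page maps the rule to.
RULES = [
    ("T1060 Registry Run Keys / Startup Folder",
     re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.I)),
    ("T1004 Winlogon Helper DLL",
     re.compile(r"\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\"
                r"(Userinit|Shell|Notify\\[^\\]+\\DLLName)$", re.I)),
]
# Userinit is legitimately (re)written by Windows itself; only a changed value is suspicious.
EXPECTED_USERINIT = "c:\\windows\\system32\\userinit.exe,"

def parse_event(line):
    return dict(FIELD_RE.findall(line))

def hunt(events):
    """Return (technique, image, target, details) for each value-set event on a watched key."""
    hits = []
    for line in events:
        ev = parse_event(line)
        if ev.get("EventID") != "13":  # only value-set events carry the written data
            continue
        target, details = ev.get("TargetObject", ""), ev.get("Details", "")
        if target.lower().endswith("\\winlogon\\userinit") and details.lower() == EXPECTED_USERINIT:
            continue  # baseline value, no helper DLL appended
        for technique, pattern in RULES:
            if pattern.search(target):
                hits.append((technique, ev.get("Image", ""), target, details))
    return hits
```

Running `hunt(SAMPLE_EVENTS)` yields three hits: the Run-key write and the two Winlogon modifications, while the unchanged Userinit rewrite and the unrelated vendor key are ignored.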