Threat Hunting Content to Spot Traces of Buer Loader

A new community rule by Ariel Millahuel that enables detection of the Buer loader is available on Threat Detection Marketplace:

Buer is a modular loader that was first spotted at the end of last summer, and since then it has been actively promoted on underground marketplaces. Proofpoint researchers tracked multiple campaigns spreading the Buer loader, which was distributed through phishing emails with malicious attachments and through exploit kits. The malware is written in C, runs entirely in resident memory, and can infect both 32-bit and 64-bit Windows systems. The Buer loader communicates over HTTPS and is quite popular due to its anti-analysis capabilities. Its capabilities are similar to those of Smoke Loader, which was mentioned in our past Rule Digest:

Ariel Millahuel is the author of around 200 exclusive and community Sigma rules. He joined the Threat Bounty Program in the fall of 2019 and since then, he has been actively involved in community development. The interview with Ariel is published on our website:

Threat Detection is supported for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint

EDR: Carbon Black, Elastic Endpoint


Tactics: Persistence

Techniques: Registry Run Keys / Startup Folder (T1060), Winlogon Helper DLL (T1004)
