Sunday, 22 December 2019

Malware analysis of Buer Virus

Malware analysis

Buer is a downloader Trojan: as the name suggests, its job is to download and execute other malware.

Anti-analysis functions

Buer implements some basic anti-analysis checks:

Debugger detection, by checking NtGlobalFlag in the process environment block (PEB) and the thread environment block (TEB);

Virtual machine detection, using Red Pill, No Pill and related techniques;

A language code check, so that the malware does not run on computers in certain countries.



Figure 7. Hard-coded language code

Persistence

Buer persists on an infected host through a registry RunOnce entry; depending on the Buer version, this key either executes the malware directly or creates a scheduled task that does so.

Command and Control (C&C)

Command and control (C&C) is handled through HTTP(S) GET requests. An example command beacon is shown in the figure below:



Figure 8. Command beacon example

These requests go to the "update API" and carry an encrypted parameter that is decoded in three steps:

Base64 decoding;

Hexadecimal decoding;

RC4 decryption (the key in the analysed sample is "CRYPTO_KEY").

The following is an example of the decrypted (plaintext) parameter:

88a5e68a2047fa5ebdc095a8500d8fae565a6b225ce94956e194b4a0e8a515ae | ab21d61b35a8d1dc4ffb3cc4b75094c31b8c00de3ffaaa17ce1ad15e876dbd1f | Windows 7 | x64 | 4 | AdminBYRFEZOWG

It contains "|"-separated fields:

Bot ID (SHA-256 hex digest of various system parameters, such as the hardware profile GUID and name, computer name, volume serial number, and CPUID);

SHA-256 hash of the malware's own executable image;

Windows version;

System architecture;

Number of processors;

User privilege level;

Computer name.
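A decoder for the beacon parameter, written here as an added example (not code from the original post or from Buer itself): it applies the three-step chain above with the key reported for the analysed sample, then splits the plaintext into the fields just listed. The RC4 routine, the field names and the sample beacon are my own constructions; the encoder exists only to build that sample.

```python
import base64
import hashlib

RC4_KEY = b"CRYPTO_KEY"  # key reported for the analysed sample; other builds may differ
# Field order of the "|"-separated beacon plaintext described in the report.
FIELDS = ["bot_id", "image_sha256", "windows_version", "arch",
          "cpu_count", "privileges", "computer_name"]

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def decode_beacon_param(param: str, key: bytes = RC4_KEY) -> str:
    """Apply the report's decoding chain: base64 -> hex -> RC4."""
    hex_text = base64.b64decode(param).decode("ascii")
    return rc4(key, bytes.fromhex(hex_text)).decode("utf-8")

def encode_beacon_param(plaintext: str, key: bytes = RC4_KEY) -> str:
    """Reverse chain (RC4 -> hex -> base64); used here only to build a sample beacon."""
    hex_text = rc4(key, plaintext.encode("utf-8")).hex()
    return base64.b64encode(hex_text.encode("ascii")).decode("ascii")

def parse_beacon(plaintext: str) -> dict:
    """Split the decrypted parameter into the named fields listed in the report."""
    parts = [p.strip() for p in plaintext.split("|")]
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip(FIELDS, parts))

# Constructed sample (not captured traffic): fake hashes, otherwise the report's layout.
SAMPLE_PLAINTEXT = "|".join([
    hashlib.sha256(b"constructed-host-fingerprint").hexdigest(),
    hashlib.sha256(b"constructed-image").hexdigest(),
    "Windows 7", "x64", "4", "Admin", "WORKSTATION-01",
])
SAMPLE_PARAM = encode_beacon_param(SAMPLE_PLAINTEXT)
print(parse_beacon(decode_beacon_param(SAMPLE_PARAM)))
```

For a real capture, feed the raw value of the GET parameter to decode_beacon_param; a wrong key shows up as a UnicodeDecodeError or garbage rather than a "|"-separated string.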

An example of a command beacon response is shown below:



Figure 9. Example Command Beacon Response

An example of the decrypted plain text response is as follows:



Figure 10. Example of decrypted plain text response

The decrypted text is a JSON object whose fields describe how to download and execute the payload:

type: one of two values:

update: update Buer itself;

download_and_exec: download and execute the specified content.

options: options for the payload to download:

Hash: used only with the "update" type, to check whether a new update exists;

x64: whether the payload is 64-bit;

FileType: not enabled;

AssemblyType: not enabled;

AccessToken: token used when downloading the payload;

External: whether the payload is downloaded from the C&C server or from an external URL.

method: how the payload is executed:

exelocal: create a process;

memload: inject and manually load the payload;

memloadex: inject and manually load the payload;

loaddllmem: inject and manually load the payload.

Parameters: command-line parameters passed to the payload;

pathToDrop: not enabled;

autorun: whether to set a registry RunOnce entry for the payload, for persistence;

modules: not enabled;

timeout: not enabled.

The payload is downloaded from the C&C server through a request to the "download API", as shown in the figure below:



Figure 11. Downloading payload from C & C

Conclusion

The downloader Trojan Buer has appeared frequently in recent campaigns, and the second-stage payloads it delivered have included Dreambot, TrickBot, KPOT, Amadey, and Smoke Loader.

This new downloader has powerful geolocation and anti-analysis functions and is currently being sold on dark web markets. Given those advertisements and the hard-coded language codes, its developers are most likely from a country where Russian is the native language.
