Wednesday, 18 December 2019

List price $400: the downloader Trojan "Buer" discovered on the dark web

Cybersecurity company Proofpoint recently reported that a new downloader Trojan called "Buer" has grown to a level comparable to its older predecessor "Smoke Loader" and has accumulated a large number of loyal fans in the dark web market.

Darknet Advertising and Features Overview

Proofpoint reportedly first found Buer on August 28 this year. At the time, some attackers mainly used it to download and run Dreambot (a variant of the banking Trojan Ursnif).


 Figure 1. Example of Microsoft Word attachment with Buer

After searching on the dark web, Proofpoint quickly discovered Buer's sales ads.

Buer is priced at $400 and includes installation services, which means the buyer only needs to pay for it; the seller takes care of installing Buer on the target computer and ensuring that it runs normally.

The seller also said that subsequent updates and bug fixes are all free, but a "new address" requires a $25 surcharge.

Figure 2. Buer's sales advertisement

The advertisement also listed Buer's control panel functions and pointed out that the modular bot is written entirely in C and uses a control panel written in .NET Core.

In short, the seller emphasizes that, thanks to the choice of programming languages, both the client and the server of Buer offer higher performance.

Figure 3. The login page of the Buer control panel

According to the description, the Buer client is between 55 and 60 KB in total size, can run in memory as a Windows executable file and as a dynamic link library, and is compatible with both 32-bit and 64-bit Windows operating systems.

It is worth mentioning that the virus is set not to run on computers in CIS countries (former Soviet Union countries, such as Russia).

As mentioned above, since the control panel is written in .NET Core, it can be easily installed on Ubuntu / Debian Linux systems.

The control panel provides a large amount of statistical information, including the number of online / active / offline / total infected hosts, real-time updates of the infected host list, and file download counters. It also supports filtering infected hosts by operating system type, access permissions, and number of logical CPU cores.



Figure 4. Infected host statistics page of Buer dashboard



Figure 5. Filter display page of the Buer control panel (filter by "Microsoft Windows")



Figure 6. Task creation page of Buer dashboard


To be continued: in my next blog post, I will show you malware analysis and command and control (C&C).



