Author: James Barnett
From 2 to 10 February, Infoblox observed an ongoing malspam campaign delivering trojan malware known as Buer Loader. This campaign used invoice-themed lures to entice users to download and open Microsoft Excel (XLS) documents that contained malicious macros and spoofed GlobalSign, a legitimate identity services company.
Buer Loader is a trojan downloader that is used to compromise a targeted system and deliver additional malicious payloads. It is sold to threat actors using a “malware-as-a-service” payment model and was first identified in August 2019 after the author advertised it on an underground hacking forum.[1]
The methods used to distribute Buer vary between threat actors, but it is commonly distributed via malspam. It has also been observed as a payload delivered by the RIG exploit kit.[2,3]
The emails in this campaign used an invoice-themed lure to entice targets into opening an attached XLS document. The subject lines of the emails contained generic invoice numbers. The email bodies contained a randomized invoice template thanking the recipient for their business, listing charges for arbitrary products, and prompting the recipient to view the attached file for additional information about their alleged order. These attachments contained graphics and text that mimicked the legitimate company GlobalSign.
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.