BuerLoader is a stealthy implant that attackers frequently use as an initial foothold in organizations. The malware is commonly delivered through phishing emails that contain a Google Docs link to the malicious loader. In our case, we have seen the attacker using the invoice payment platform AvidXchange, which adds another layer of credibility to the email.

The malware uses a couple of evasive techniques to avoid both sandboxed execution and infecting endpoints in a former Soviet Union state.

First, it uses the native function NtQueryDefaultLocale to determine the locale of the machine, and exits if the machine belongs to any of the former CIS countries.

It then checks the size of the machine's disk using the Windows API function GetDiskFreeSpaceExA, terminating if the free space is less than 50 GB or the total size of the device is less than 120 GB.
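
For teams that run their own analysis sandboxes, the two checks above determine whether a detonation shows any behaviour at all. The following is an added example, not code from the malware or from Minerva: it audits VM profiles against the thresholds stated above and reports which ones would cause the sample to exit silently. The profile names, the `xx-XX` locale placeholder and the binary reading of "GB" are assumptions; the page does not list the excluded locales, so they are passed in by the analyst.

```python
import shutil
from dataclasses import dataclass

GIB = 2**30          # assumption: "GB" read as 2**30 bytes, the stricter sizing for a sandbox
MIN_FREE_GB = 50     # from the page: exits if free space is below 50 GB
MIN_TOTAL_GB = 120   # from the page: exits if total disk size is below 120 GB

@dataclass
class Profile:
    name: str
    total_bytes: int
    free_bytes: int
    locale: str = ""

def evasion_triggers(p, excluded_locales=frozenset()):
    """Return the reasons the checks described above would end execution on p."""
    reasons = []
    if p.locale and p.locale.lower() in {loc.lower() for loc in excluded_locales}:
        reasons.append(f"locale {p.locale} is on the excluded list")
    if p.free_bytes < MIN_FREE_GB * GIB:
        reasons.append(f"free space {p.free_bytes / GIB:.1f} GB < {MIN_FREE_GB} GB")
    if p.total_bytes < MIN_TOTAL_GB * GIB:
        reasons.append(f"disk size {p.total_bytes / GIB:.1f} GB < {MIN_TOTAL_GB} GB")
    return reasons

def audit(profiles, excluded_locales=frozenset()):
    """Map each profile name to its trigger list; empty means the sample keeps running."""
    return {p.name: evasion_triggers(p, excluded_locales) for p in profiles}

def local_profile(path="/"):
    """Profile of the volume at `path` on the machine running this script."""
    usage = shutil.disk_usage(path)
    return Profile("local", usage.total, usage.free)

# Constructed sample fleet (hypothetical sandbox images, not real hosts)
SAMPLE_FLEET = [
    Profile("sandbox-small", 60 * GIB, 35 * GIB, "en-US"),
    Profile("sandbox-full", 256 * GIB, 20 * GIB, "en-US"),
    Profile("sandbox-large", 256 * GIB, 180 * GIB, "en-US"),
    Profile("sandbox-locale", 256 * GIB, 180 * GIB, "xx-XX"),
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_FLEET, {"xx-XX"}).items():
        print(f"{name}: {'; '.join(reasons) if reasons else 'no check triggers'}")
    print("local:", evasion_triggers(local_profile()) or "no check triggers")
```

A profile with a non-empty trigger list is one where a clean sandbox verdict for this loader should not be trusted.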

The disk size check in Buer's code:

Minerva prevents BuerLoader with our Hostile Environment Simulation module, using the malware’s code against it.

The event generated by the malware, as seen in Minerva’s platform:





DNS Names: