Security Articles

Hacks for sale: inside the Buer Loader malware-as-a-service

released on 2020-11-04 @ 06:20:38 PM
A year after its debut, Buer's modular loader rises as an alternative to Emotet and TrickBot's Bazar. During SophosLabs' investigation of a Ryuk attack in September 2020, we found the Ryuk actors had used a relatively new method for gaining initial access: a malware dropper called Buer. The September attack was part of a low-volume spear-phishing attack tracked by Sophos. Over the next month, it evolved into a much larger spam campaign, carrying Buer as well as a number of other types of "loader" malware, as the Ryuk operators sought to ramp up their attacks.