In September, Sophos discovered Buer as the root cause of a Ryuk ransomware attack, with the malware delivered via Google Docs and requiring the victim to enable scripted content in order to work. In this respect, Buer mimics Emotet and other loader malware variants.
Buer uses a stolen certificate issued by a Polish software developer in order to evade detection and checks for the presence of a debugger to ensure forensic analysis can be avoided.
