Recent Windows zero-day used by Buhtrap gang for cyber-espionage

Old school cybercrime-focused hacker group returns with cyber-espionage campaign.
Written by Catalin Cimpanu, Contributor

An obscure hacker group known as Buhtrap is behind a recent Windows zero-day vulnerability that was exploited in the wild.

Slovak antivirus maker ESET, the company that discovered the ongoing attacks, said the zero-day was being used to conduct cyber-espionage.

Microsoft patched the zero-day (CVE-2019-1132) this week, as part of this month's Patch Tuesday updates.

But what stands out in this discovery is the name Buhtrap itself. The group isn't your regular state-sponsored hacker outfit, like more well-known names such as Turla, Fancy Bear, APT33, or the Equation Group.

The group is rarely seen and is usually involved in targeting financial institutions to steal money.

A short history of Buhtrap

Buhtrap was first seen on the cyber-crime landscape in 2014 when, like most cyber-crime groups, it started by targeting Russian businesses, according to an ESET 2015 report.

As the group gained experience, it also grew bolder, and it slowly started going after better-protected targets such as Russian banks, according to a report published by Symantec.

A report from Group-IB claims the group was incredibly successful during this stage of its evolution, managing to steal over $25 million from at least 13 Russian banks between August 2015 and February 2016.

Buhtrap timeline
Image: ESET

But the success didn't last long, and the group's operations were seriously crippled in February 2016, when the source code of its eponymous Buhtrap backdoor was leaked online.

Since then, the malware has been used by multiple groups in a much wider array of operations that go well beyond banks, including a campaign that spread ransomware after the hack of a major online advertiser.

But in a report shared with ZDNet today, ESET researchers said they've seen the group shift tactics as far back as December 2015, when the original group also began targeting government agencies and institutions.

"It is always difficult to attribute a campaign to a particular actor when their tools' source code is freely available on the web. However, as the shift in targets occurred before the source code leak, we assess with high confidence that the same people behind the first Buhtrap malware attacks against businesses and banks are also involved in targeting governmental institutions," ESET said.

"Although new tools have been added to their arsenal and updates applied to older ones, the tactics, techniques and procedures (TTPs) used in the different Buhtrap campaigns have not changed dramatically over all these years," researchers said.

Buhtrap never used a zero-day before

ESET's recent discovery of Buhtrap deploying a Windows zero-day also marks the first time the group deployed any zero-day for their attacks.

Previously, Buhtrap operators used exploits that had once been zero-days: developed by other hacker groups and long patched by the time Buhtrap got its hands on them.

This is the first time Buhtrap operators used an unpatched vulnerability -- an actual zero-day.

But other questions now come to mind. For example, how did the group get its hands on a zero-day? This is still a mystery that needs to be cracked. It's unclear if the group developed the exploit itself or bought it from an exploit broker.

At least two highly regarded security researchers believe the zero-day was most likely acquired.

Costin Raiu of Kaspersky believes the zero-day sounds like the typical "elevation of privilege" vulnerability sold by an exploit broker known as Volodya, who has sold zero-days in the past to both cybercrime and nation-state groups.

Tavis Ormandy of Google Project Zero holds a similar view, although he doesn't attribute the zero-day to any particular exploit broker.

ESET did not say who the targets of this most recent Buhtrap cyber-espionage campaign were. However, Buhtrap had previously been involved in cyber-espionage operations against the governments of countries in Eastern Europe and Central Asia -- the classic hunting grounds of Russian state-sponsored hackers.

Since Buhtrap is believed to be operating out of Russia, it's easy to come up with all sorts of unsubstantiated theories, such as "the Russian intelligence service recruited Buhtrap to spy for it in exchange for turning a blind eye to its past hacks of Russian banks." Such theories about Buhtrap are currently not supported by any evidence, but the Russian intelligence apparatus has recruited hackers to do its dirty work before -- see the 2014 Yahoo hack or this CBS 60 Minutes episode from April 2019.
