New research: Infamous Buhtrap group behind highly targeted zero-day attack, ESET discovers


ESET researchers have reported a zero-day exploit deployed in a highly targeted attack in Eastern Europe. The exploit abused a local privilege escalation vulnerability in Microsoft Windows, that is, a flaw that lets code already running on the machine gain higher privileges, not one that provides initial access by itself. ESET’s researchers have now attributed the attack to the infamous Buhtrap group, an APT and cybercriminal group that focuses on espionage operations in Eastern Europe and Central Asia. This is the first time ESET has seen the group use a zero-day exploit as part of a campaign.

The Buhtrap group is well known for targeting financial institutions and businesses in Russia. Since late 2015, however, ESET has observed a notable change in the group’s traditional target profile: what began as a purely criminal group committing cybercrime for financial gain has expanded its toolset with malware used to conduct espionage.

Jean-Ian Boutin, a leading researcher at ESET, said, “It’s always difficult to attribute a campaign to a particular actor when their tools’ source code is freely available on the web. However, as the shift in target occurred before the source code leaked, ESET assessed with high confidence that the same people behind the first Buhtrap malware attacks against businesses and banks are also involved in the targeting of governmental institutions. It’s unclear if one or several members of this group decided to change focus and for what reasons, but it is definitely something that we are likely to see more of going forward.”

ESET research shows that, although new tools were added to the group’s arsenal and old ones were updated, the tactics, techniques and procedures used in the different Buhtrap campaigns have not changed drastically over the years. The documents used to deliver the malicious payloads often come with benign decoy documents to avoid raising suspicion when the victim opens them. Analysis of these decoy documents gives researchers clues about who the targets might be. The tools used in the espionage campaigns were very similar to those used against businesses and financial institutions.

In this specific campaign, the malware included a password stealer that attempted to harvest stored credentials from mail clients, browsers and other applications and send them to a command and control server. The malware also gave its operators full access to the compromised system.

ESET reported the exploit to the Microsoft Security Response Center, which fixed the vulnerability and released a patch.

For more details about Buhtrap and its latest campaign, read Buhtrap group uses zero-day in espionage campaigns on