Buhtrap Uses Recently Patched Zero-Day

Delaware, USA – July 11, 2019 – The Buhtrap group, which disappeared a few years ago, has been spotted using an unpatched zero-day in a cyber espionage campaign targeting governmental institutions. The group began operations in 2014 with financially motivated attacks against businesses and banks, and its activities remained below researchers' radar until the following year. At the end of 2015, it conducted its first cyber espionage campaign using a custom backdoor, targeting government organizations in Eastern Europe and Central Asia. Then, in February of the following year, the source code of the group's primary tool was leaked, which made it difficult to attribute espionage campaigns to threat actors using the Buhtrap backdoor. Researchers at ESET continued to track the group's activity and discovered that in the last month the group started exploiting an unpatched zero-day vulnerability (CVE-2019-1132), for which a security update was released only this Tuesday. Experts believe that the adversaries acquired the exploit from one of the brokers, as previously the group exploited only well-known vulnerabilities.

Another important change in the group's actions is the use of additional tools in its campaigns. One of the malicious documents contained a macro that loaded a standalone password stealer, which collects credentials and then uses standard Windows APIs to send the stolen information to the command-and-control server. The macro also installed the free AVZ tool and abused it to side-load the backdoor. Another document contained a macro that changes the firewall settings and installs Metasploit's Meterpreter, which communicates with the C&C infrastructure via DNS tunneling. To detect Meterpreter activity, you can use the Possible Process Injection technique rule available in Threat Detection Marketplace: https://tdm.socprime.com/tdm/info/1351/