The Buhtrap cybercriminal group has returned with a new campaign exploiting a zero-day vulnerability in Windows to conduct cyber-espionage operations. The flaw in question is the local privilege escalation vulnerability in Microsoft Windows (SB2019070905 - CVE-2019-1132), specifically a NULL pointer dereference in the win32k.sys component. A fix for the bug, which affects Windows 7, Windows Server 2008, and 2008 R2, was released this week as part of July’s Patch Tuesday security updates.
The ongoing attacks were discovered by researchers from ESET, who today released a report detailing their findings. The Buhtrap cybergang is mainly known for its hacking campaigns against financial institutions and businesses in Russia, but in 2015 the group, until then a purely criminal operation focused on stealing money, switched its focus and expanded its arsenal with malware used to conduct espionage in Eastern Europe and Central Asia. The list of its targets included government agencies and institutions.
While in previous campaigns the group had been using exploits for formerly zero-day vulnerabilities developed by other hackers, the recent attacks mark the first time the Buhtrap operators used an actual zero-day. The exploit for CVE-2019-1132 created by the Buhtrap group relies on popup menu objects, a technique that has been used for several vulnerabilities in recent years, the researchers explained in another blog post containing a detailed technical analysis of the vulnerability and the exploitation process.
The Buhtrap group first appeared on the threat landscape in 2014, when it began targeting Russian businesses with custom malware. As the group gained experience, it grew bolder and refocused its aim on well-protected targets like Russian banks and financial institutions. However, the group's operations were disrupted in February 2016, when the source code of their eponymous Buhtrap backdoor was leaked online.
“It is always difficult to attribute a campaign to a particular actor when their tools’ source code is freely available on the web. However, as the shift in targets occurred before the source code leak, we assess with high confidence that the same people behind the first Buhtrap malware attacks against businesses and banks are also involved in targeting governmental institutions,” said the researchers.
According to ESET, while the hackers updated their toolkit with the new malware, the tactics, techniques and procedures (TTPs) used in the different Buhtrap campaigns have not changed dramatically over the years. The group still uses NSIS installers as a means of downloading the Buhtrap backdoor, delivered to victims in the form of malicious documents. Also, several of their tools are signed with valid code-signing certificates and abuse a known, legitimate application to side-load their malicious payloads.
Recently the researchers discovered a new variant of the NSIS installer that differs from earlier versions used by the Buhtrap group. It is much simpler and serves to establish persistence and launch two malicious modules embedded within it. The first module is a password stealer that harvests passwords from mail clients, browsers, etc., and sends them to an attacker-controlled server. The second one is an NSIS installer bundling a legitimate application used to side-load the main Buhtrap backdoor.
ESET did not reveal the targets of the recent Buhtrap cyber-espionage campaign. It is also unclear how exactly the hackers managed to get their hands on the zero-day, but the researchers speculate that Buhtrap operators may have acquired the exploit through exploit brokers or people who “might be selling their old exploit inventory cheap” as Microsoft’s support for Windows 7, Windows Server 2008, and 2008 R2 nears its sunset.