11 July 2019

Recently patched Windows zero-day exploited in Buhtrap cyber-espionage campaign

The Buhtrap cybercriminal group has returned with a new campaign exploiting a zero-day vulnerability in Windows to conduct cyber-espionage operations. The flaw in question is a local privilege escalation vulnerability in Microsoft Windows (SB2019070905 - CVE-2019-1132), specifically a NULL pointer dereference in the win32k.sys component. A fix for the bug, which affects Windows 7, Windows Server 2008, and 2008 R2, was released this week as part of July’s Patch Tuesday security updates.

The ongoing attacks were discovered by researchers from ESET, who today have released a report detailing their findings. The Buhtrap cybergang is mainly known for its hacking campaigns against financial institutions and businesses in Russia, but in 2015 the group, previously a purely criminal operation focused on stealing money, switched its focus and expanded its arsenal with malware used to conduct espionage in Eastern Europe and Central Asia. The list of its targets included government agencies and institutions.

While in previous campaigns the group had been using exploits for former zero-days developed by other hackers, the recent attacks mark the first time the Buhtrap operators used an actual zero-day. The exploit for CVE-2019-1132 created by the Buhtrap group relies on popup menu objects, a technique that has been used for several vulnerabilities in recent years, explained the researchers in another blog post containing a detailed technical analysis of the vulnerability and exploitation process.

The Buhtrap group first appeared on the threat landscape in 2014, when it began targeting Russian businesses with custom malware. As the group gained experience, it grew bolder and refocused its aim on well-protected targets like Russian banks and financial institutions. However, the group's operations were disrupted in February 2016, when the source code of its eponymous Buhtrap backdoor was leaked online.

“It is always difficult to attribute a campaign to a particular actor when their tools’ source code is freely available on the web. However, as the shift in targets occurred before the source code leak, we assess with high confidence that the same people behind the first Buhtrap malware attacks against businesses and banks are also involved in targeting governmental institutions,” said the researchers.

According to ESET, while the hackers updated their toolkit with the new malware, the tactics, techniques and procedures (TTPs) used in the different Buhtrap campaigns in the past have not changed dramatically over the years. The group still uses NSIS installers as a means of downloading the Buhtrap backdoor; these installers are delivered to victims in the form of malicious documents. Also, several of their tools are signed with valid code-signing certificates and abuse a known, legitimate application to side-load their malicious payloads.

Recently the researchers discovered a new variant of the NSIS installer that differs from earlier versions used by the Buhtrap group. It is much simpler and serves to achieve persistence and launch two malicious modules embedded within it. The first module is a password stealer that harvests passwords from mail clients, browsers, etc., and sends them to an attacker-controlled server. The second one is an NSIS installer with a legitimate application used to side-load the Buhtrap main backdoor.

ESET did not reveal the targets of the recent Buhtrap cyber-espionage campaign. Also, it is unclear how exactly the hackers managed to get their hands on the zero-day, but the researchers speculate that Buhtrap operators may have acquired the exploit through exploit brokers or from people who “might be selling their old exploit inventory cheap”, seeing as Microsoft’s support for Windows 7, Windows Server 2008, and 2008 R2 nears its sunset.
