11 July 2019

Recently patched Windows zero-day exploited in Buhtrap cyber-espionage campaign

The Buhtrap cybercriminal group has returned with a new campaign that exploits a zero-day vulnerability in Windows to conduct cyber-espionage operations. The flaw in question is a local privilege escalation vulnerability in Microsoft Windows (SB2019070905 - CVE-2019-1132), specifically a NULL pointer dereference in the win32k.sys component. A fix for the bug, which affects Windows 7, Windows Server 2008, and Windows Server 2008 R2, was released this week as part of July’s Patch Tuesday security updates.

The ongoing attacks were discovered by researchers from ESET, who today released a report detailing their findings. The Buhtrap cybergang is mainly known for its hacking campaigns against financial institutions and businesses in Russia. Until 2015 it was a purely criminal group whose cybercrime was aimed at stealing money; that year it switched its focus and expanded its arsenal with malware used to conduct espionage in Eastern Europe and Central Asia. The list of its targets included government agencies and institutions.

While in previous campaigns the group had been using exploits for former zero-days developed by other hackers, the recent attacks mark the first time the Buhtrap operators used an actual zero-day. The exploit for CVE-2019-1132 created by the Buhtrap group relies on popup menu objects, a technique that has been used for several vulnerabilities in recent years, the researchers explained in another blog post containing a detailed technical analysis of the vulnerability and the exploitation process.

The Buhtrap group first appeared on the threat landscape in 2014, when it began targeting Russian businesses with custom malware. As the group gained experience, it grew bolder and refocused its aim on well-protected targets like Russian banks and financial institutions. However, the group's operations were disrupted in February 2016, when the source code of its eponymous Buhtrap backdoor was leaked online.

“It is always difficult to attribute a campaign to a particular actor when their tools’ source code is freely available on the web. However, as the shift in targets occurred before the source code leak, we assess with high confidence that the same people behind the first Buhtrap malware attacks against businesses and banks are also involved in targeting governmental institutions,” said the researchers.

According to ESET, while the hackers updated their toolkit with the new malware, the tactics, techniques and procedures (TTPs) used in the different Buhtrap campaigns have not changed dramatically over the years. The group still uses NSIS installers, delivered to victims in the form of malicious documents, as a means of downloading the Buhtrap backdoor. Also, several of their tools are signed with valid code-signing certificates and abuse a known, legitimate application to side-load their malicious payloads.

Recently the researchers discovered a new variant of the NSIS installer that differs from earlier versions used by the Buhtrap group. It is much simpler and serves only to achieve persistence and launch two malicious modules embedded within it. The first module is a password stealer that harvests passwords from mail clients, browsers, etc., and sends them to an attacker-controlled server. The second one is an NSIS installer bundling a legitimate application that is used to side-load the main Buhtrap backdoor.

ESET did not reveal the targets of the recent Buhtrap cyber-espionage campaign. It is also unclear how exactly the hackers managed to get their hands on the zero-day, but the researchers speculate that Buhtrap operators may have acquired the exploit through exploit brokers or from people who “might be selling their old exploit inventory cheap” as Microsoft’s support for Windows 7, Windows Server 2008, and Windows Server 2008 R2 nears its sunset.
