Operation Buhtrap: New Spyware is targeting Russian Banking Sector

ESET has discovered a new hacking campaign dubbed Operation Buhtrap based on a family of spyware targeting vulnerabilities within the Russian Windows System.

Late in 2014 analysts at ESET uncovered CVE-2012-0158, a buffer overflow vulnerability in the ListView / TreeView ActiveX controls in the MSCOMCTL.OCX library.  This particular malicious code can be activated by a specially modified DOC or RTF file for MS Office versions 2003, 2007 and 2010.  Even though this vulnerability was patched by Microsoft more than a year ago, it seems that cybercriminals have managed to find unpatched Russian Windows systems within the banking sector and exploited them.

“The tools deployed on the victim’s computer allow them to control it remotely and to record the user’s actions. The malware allows the criminals to install a backdoor, attempt to obtain the account password and even create a new account” -JEAN-IAN BOUTIN

ESET has dubbed the malware campaign Operation Buhtrap, a conjunction of the Russian word for accountant “Buhgalter” and the English word “trap”.  So far Buhtrap has not been seen anywhere else in the wild, so is not likely to be widespread.  So far approx. 88 per cent of targets have been in Russia and ten per cent in Ukraine.   Analysts have also likened the campaign to the Anunak/Carbanak campaign, which also targeted Russian and Ukrainian Banks.

“Although we believe it to be a different campaign, it shares some similarities with Anunak/Carbanak in terms of techniques, tactics and procedures it use.”

The modus operandi of these particular cybercriminals is usually associated with targeted attacks rather than cyber fraud, which make this move to financial crime unusual.  Their method of delivery is by email using an attached invoice document: “Счет № 522375-ФЛОРЛ-14-115.doc” as the attack mechanism.

A second decoy email used by the cybercriminals invites users to open a hoax contract “kontrakt87.doc”.  This email purports to be from the fourth largest telecom operator in Russia, Megafon, giving the attachment a false sense of credibility.

Once the attachment has been opened the payload drops and executes a NSIS-packed trojan downloader.  The cybercriminals command and control (C&C) server will then scan their environment and propagate the trojan in order to compromise other computers in the business. A further custom-made spyware that abuses Yandex’s Punto software carries out the spying and will relay information back to the C&C to see if it’s feasible to fraudulently divert funds.

“While the tools and software used in this campaign are far from being novel, the overall campaign is quite interesting and intriguing: it diverges quite a bit from the traditional banking malware with which we are familiar”.

Cybercrime in Russia in many ways is an old battle fought with new malware accessing “vulnerable” targets and permitting quick and unencumbered access and a profitable exit for the cybercriminals.  It is currently not know how much money the cybercriminals have managed to steal nor do we know who was targeted, but we are sure that future analysis will provide more clues!

About the Author Kevin Gorman