Buhtrap metamorphosis: From cybercrime to cyberespionage

Anton Cherepanov, Jean-Ian Boutin/ESET

ESET researchers were among the first to identify and describe a stealthy and financially motivated malicious campaign targeting Russian companies. At the time of discovery, we coined the name Buhtrap for the malware used in these campaigns.

Over the past several years, we have closely monitored this group’s evolution from early baby steps to becoming a major cybercriminal player. At the beginning, the Buhtrap group was targeting accounting departments of Russian businesses; then the group focus shifted to financial institutions themselves. In 2015 the Buhtrap malware was distributed using a supply-chain attack on the official AMMYY website, targeting its users.

At the peak of its criminal activity, this group caused significant losses to financial institutions; according to Group-IB, the people behind Buhtrap managed to steal US$25 million from Russian banks.

After that, we saw an unexpected transformation in the Buhtrap group’s interests from pure cybercrime to cyberespionage. While the group used malware and techniques very close to those of the original Buhtrap group, we observed that its focus shifted to countries other than Russia. Further, the Buhtrap group started to target governmental entities.

In 2019 we detected the Buhtrap group using a zero-day local privilege escalation vulnerability (CVE-2019-1132) in Eastern Europe and attempts to deploy the malware in Central Asia.

In this talk we will follow the breadcrumbs to figure out what the Buhtrap beast has finally become.

November 8 at 10:00 - 10:30, Stage A

Anton Cherepanov Anton Cherepanov is currently working at ESET as a Senior Malware Researcher; his responsibilities include the analysis of complex threats. He has done extensive research on cyber-attacks in Ukraine. His research has been presented at numerous conferences, including Black Hat USA, Virus Bulletin and the CARO Workshop. His interests focus on reverse engineering and malware analysis automation.

Jean-Ian Boutin Jean-Ian Boutin is leading the Threat Research department at ESET. Boutin investigates trends in malware, reverse-engineers binaries and finds effective techniques to counter new threats. He has presented at several security conferences, including Black Hat, REcon, BlueHat, Virus Bulletin and ZeroNights.