ESET researchers were among the first to identify and describe a stealthy and financially motivated malicious campaign targeting Russian companies. At the time of discovery, we coined the name ‘Buhtrap’ for the malware used in these campaigns.
Over the past several years we have closely monitored this group's evolution from its early baby steps to becoming a major cybercriminal player. At the beginning, the Buhtrap group targeted the accounting departments of Russian businesses; then the group's focus shifted to financial institutions themselves. In 2015 the Buhtrap malware was distributed using a supply-chain attack on the official Ammyy website, targeting its users.
At the peak of its criminal activity, this group caused significant losses to financial institutions; according to Group-IB, the people behind Buhtrap managed to steal US$25 million from Russian banks.
This and other campaigns were summarized and presented in our VB2016 paper (‘Modern Attacks on Russian Financial Institutions’). After that, we saw an unexpected transformation in the Buhtrap group's interests from pure cybercrime to cyber espionage. Although the malware and techniques remained very close to those of the original Buhtrap group, we observed that its targets had shifted to countries other than Russia, and the group began to target governmental entities.
In 2019 we detected the Buhtrap group using a Windows zero-day local privilege escalation vulnerability (CVE-2019-1132) in attacks in Eastern Europe, as well as attempts to deploy the malware in Central Asia.
In this talk we will follow the breadcrumbs to figure out what the Buhtrap beast has finally become.