ESET researchers reported a zero-day exploit deployed in a highly targeted attack in Eastern Europe. The exploit used a local privilege escalation vulnerability in Microsoft Windows. Our researchers have now been able to identify the perpetrators – the infamous Buhtrap APT and cyber-criminal group, which focuses on espionage operations in Eastern Europe and Central Asia. For the first time, ESET has witnessed them using a zero-day attack as part of a campaign.

The Buhtrap group is well known for its targeting of financial institutions as well as businesses in Russia. However, since late 2015, we have witnessed an interesting change to the profile of the group’s traditional targets. Evolving from a pure criminal group perpetrating cybercrime for financial gain, their toolset has been expanded with malware used to conduct espionage.

“It is always difficult to attribute a campaign to a particular actor when their tools’ source code is freely available on the web. However, as the shift in target occurred before the source code leaked, we assessed with high confidence that the same people behind the first Buhtrap malware attacks against businesses and banks are also involved in the targeting of governmental institutions,” says Jean-Ian Boutin, a leading researcher at ESET. “It is unclear if one or several members of this group decided to change focus and for what reasons, but it is definitely something that we are likely to see more of going forward,” he added.

Important events in the Buhtrap timeline

As ESET research shows, although new tools were added to their arsenal and updates were applied to old ones, the tactics, techniques and procedures used in the different Buhtrap campaigns have not changed drastically over the years. The documents employed to deliver the malicious payloads often come with benign decoy documents to avoid raising suspicion when the victim opens them. Analysis of these decoy documents gives researchers clues about who the targets might be. The tools used in the espionage campaigns were very similar to the ones used against businesses and financial institutions.

With regard to this specific campaign, the malware contained a password stealer, which tried to harvest passwords from mail clients, browsers, etc. and send them to a command and control server. The malware granted its operators full access to the compromised system as well.

ESET reported the exploit to the Microsoft Security Response Center, which fixed the vulnerability and released a patch.

For more details about Buhtrap and its latest campaign, read Buhtrap group uses zero-day in espionage campaigns on WeLiveSecurity.com.