{"id":3571,"date":"2019-07-29T13:20:51","date_gmt":"2019-07-29T10:20:51","guid":{"rendered":"https:\/\/blog.eset.ee\/?p=3571"},"modified":"2019-07-29T11:33:05","modified_gmt":"2019-07-29T08:33:05","slug":"buhtrap-group-uses-zero%e2%80%91day-in-latest-espionage-campaigns","status":"publish","type":"post","link":"https:\/\/blog.eset.ee\/et\/en\/2019\/07\/29\/buhtrap-group-uses-zero%e2%80%91day-in-latest-espionage-campaigns\/","title":{"rendered":"Infamous Buhtrap group behind highly targeted zero-day attack"},"content":{"rendered":"\n<p><a href=\"http:\/\/www.eset.com\">ESET<\/a> researchers reported <a href=\"https:\/\/www.welivesecurity.com\/2019\/07\/10\/windows-zero-day-cve-2019-1132-exploit\/\">a\nzero-day exploit<\/a> deployed in a highly targeted attack in Eastern\nEurope. The exploit used a local privilege escalation vulnerability in\nMicrosoft Windows.&nbsp; Our researchers have\nnow been able to identify the perpetrators \u2013 the infamous Buhtrap APT and\ncyber-criminal group, which focuses on espionage operations in Eastern Europe\nand Central Asia. For the first time, ESET has witnessed them using a zero-day\nattack as part of a campaign.<\/p>\n\n\n\n<p>The Buhtrap\ngroup is well known for its targeting of financial institutions as well as <a href=\"https:\/\/www.welivesecurity.com\/2015\/04\/09\/operation-buhtrap\/\">businesses<\/a> in Russia. However, since late 2015, we have witnessed an\ninteresting change to the profile of the group\u2019s traditional targets. Evolving\nfrom a pure criminal group perpetrating cybercrime for financial gain, their\ntoolset has been expanded with malware used to conduct espionage.<\/p>\n\n\n\n<p>\u201cIt is always\ndifficult to attribute a campaign to a particular actor when their tools\u2019\nsource code is freely available on the web. 
However, as the shift in target\noccurred before the source code leaked, we assessed with high confidence that\nthe same people behind the first Buhtrap malware attacks against businesses and\nbanks are also involved in the targeting of governmental institutions,\u201d says\nJean-Ian Boutin, a leading researcher at ESET. \u201cIt is unclear if one or several\nmembers of this group decided to change focus and for what reasons, but it is\ndefinitely something that we are likely to see more of going forward,\u201d he added.<\/p>\n\n\n\n<p><strong><em>Important events in Buhtrap timeline<\/em><\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image\"><a  href=\"https:\/\/www.welivesecurity.com\/wp-content\/uploads\/2019\/07\/Timeline_Buhtrap.jpg\" data-rel=\"lightbox-gallery-0\" data-rl_title=\"\" data-rl_caption=\"\" data-magnific_type=\"gallery\" title=\"\"><img decoding=\"async\" src=\"https:\/\/www.welivesecurity.com\/wp-content\/uploads\/2019\/07\/Timeline_Buhtrap-1024x307.jpg\" alt=\"\" class=\"wp-image-127608\"\/><\/a><\/figure>\n\n\n\n<p>As ESET\nresearch shows, although new tools were added to their arsenal and updates were\napplied to old ones, the tactics, techniques and procedures used in the\ndifferent Buhtrap campaigns have not changed drastically over the passing\nyears. The documents employed to deliver the malicious payloads often come with\nbenign decoy documents to avoid raising suspicions if the victim opens them.\nThe analysis of these decoy documents provides clues to researchers about who\nthe targets might be. The tools used in the espionage campaigns were very\nsimilar to the ones used against businesses and financial institutions.<\/p>\n\n\n\n<p>With regard\nto this specific campaign, the malware contained a password stealer, which tried\nto harvest passwords from mail clients, browsers, etc. and send them to a command\nand control server. 
The malware granted its operators full access to the\ncompromised system as well.<\/p>\n\n\n\n<p>ESET reported the exploit to the Microsoft\nSecurity Response Center, which fixed the vulnerability and released <a href=\"https:\/\/portal.msrc.microsoft.com\/en-us\/security-guidance\/advisory\/CVE-2019-1132\">a\npatch<\/a>.<\/p>\n\n\n\n<p>For more details about Buhtrap and its latest campaign, read <a href=\"https:\/\/www.welivesecurity.com\/2019\/07\/11\/buhtrap-zero-day-espionage-campaigns\/\">Buhtrap group uses zero-day in espionage campaigns<\/a> on <a href=\"https:\/\/www.welivesecurity.com\/\">WeLiveSecurity.com<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>ESET researchers reported a zero-day exploit deployed in a highly targeted attack in Eastern Europe. The exploit used a local privilege escalation vulnerability in Microsoft Windows.&nbsp; Our researchers have now been able to identify the perpetrators \u2013 the infamous Buhtrap APT and cyber-criminal group, which focuses on espionage operations in Eastern Europe and Central Asia.<\/p>\n","protected":false},"author":5,"featured_media":3572,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[160],"tags":[],"class_list":["post-3571","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware"],"acf":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/3571","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/comments?post=3571"}],"version-history":[{"count":0,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/3571\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media\/3572"}],"wp:attachment":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media?parent=3571"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/categories?post=3571"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/tags?post=3571"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}