News Feature | April 21, 2015

"Buhtrap" Malware Targeting Russian Banks And Businesses

By Christine Kern, contributing writer

ESET has uncovered a malware campaign, which it has named Operation Buhtrap, targeting Russian banks and the accounting departments of Russian businesses. According to ESET, the campaign has been active for more than a year; 88 percent of the observed attacks were in Russia and 10 percent in Ukraine.

The initial infection vector, which ESET observed in use late in 2014, is CVE-2012-0158, a buffer overflow in the ListView/TreeView ActiveX controls shipped in the MSCOMCTL.OCX library. Microsoft patched the flaw in April 2012 (MS12-027), but on unpatched systems it can still be triggered by a specially crafted DOC or RTF file opened in MS Office 2003, 2007, or 2010, according to Security Affairs.
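As an added illustration (this is not code from the article or from ESET's research), the following Python script shows the simplest triage check a defender can run on incoming mail attachments for this vector: it pulls the hex-encoded OLE payload out of an RTF file's \objdata group and looks for the MSCOMCTL.OCX ListView/TreeView controls, both by their CLSID in little-endian OLE byte order and by their ProgID in the \objclass group. The CLSIDs and ProgIDs are assumptions taken from public YARA signatures for CVE-2012-0158 and should be verified against your own copy of MSCOMCTL.OCX; the sample RTF is constructed inline and carries no exploit, only the identifiers.

```python
import re
import uuid

# Assumed identifiers of the MSCOMCTL.OCX controls abused by CVE-2012-0158
# (from public YARA rules / the Windows registry, not from the article).
CONTROLS = {
    "ListView": ("BDD1F04B-858B-11D1-B16A-00C0F0283628", b"MSComctlLib.ListViewCtrl"),
    "TreeView": ("C74190B6-8589-11D1-B16A-00C0F0283628", b"MSComctlLib.TreeCtrl"),
}

# Hex run following \objdata; Word wraps it across lines, so whitespace is allowed.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def objdata_blobs(rtf: bytes):
    """Yield the decoded binary payload of every \\objdata group in an RTF file."""
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s", b"", m.group(1))
        if len(hexdata) % 2:          # tolerate a truncated trailing nibble
            hexdata = hexdata[:-1]
        yield bytes.fromhex(hexdata.decode("ascii"))


def scan_blob(blob: bytes):
    """Return the names of suspicious controls whose CLSID appears in a binary blob.

    OLE stores a GUID with the first three fields little-endian, which is
    exactly what uuid.UUID(...).bytes_le produces.
    """
    return [name for name, (clsid, _) in CONTROLS.items()
            if uuid.UUID(clsid).bytes_le in blob]


def scan_rtf(rtf: bytes):
    """Scan an RTF document for embedded MSCOMCTL ListView/TreeView objects."""
    hits = set()
    for blob in objdata_blobs(rtf):
        hits.update(scan_blob(blob))
    # \objclass carries the ProgID in clear text, so check that too.
    for name, (_, progid) in CONTROLS.items():
        if progid in rtf:
            hits.add(name)
    return sorted(hits)


def scan_doc(doc: bytes):
    """Binary .doc files hold the CLSID as raw bytes, so scan them directly."""
    return sorted(set(scan_blob(doc)))


def build_sample_rtf(control: str) -> bytes:
    """Constructed test input: a minimal RTF embedding only the control's
    identifiers (a fake OLE1 header, the CLSID, padding). Not an exploit."""
    clsid, progid = CONTROLS[control]
    payload = (b"\x01\x05\x00\x00\x02\x00\x00\x00"
               + uuid.UUID(clsid).bytes_le + b"\x00" * 16)
    hexpayload = payload.hex().encode("ascii")
    # Wrap the hex like Word does, to exercise the whitespace handling.
    wrapped = b"\n".join(hexpayload[i:i + 32] for i in range(0, len(hexpayload), 32))
    return (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass " + progid + b".2}"
            b"{\\*\\objdata " + wrapped + b"}}}")


if __name__ == "__main__":
    for ctl in CONTROLS:
        print(ctl, "->", scan_rtf(build_sample_rtf(ctl)))
    print("benign ->", scan_rtf(b"{\\rtf1\\ansi Quarterly invoice attached.}"))
```

A hit means the document embeds a control that has no business in an invoice or contract, not that the exploit is present; treat it as a reason to detonate the file in a sandbox, and remember that a fully patched Office with the MS12-027 kill bit applied will not instantiate the vulnerable control in the first place.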

“The tools deployed on the victim’s computer allow them to control it remotely and to record the user’s actions. The malware allows the criminals to install a backdoor, attempt to obtain the account password and even create a new account,” explained Jean-Ian Boutin of ESET.

The operation is comparable to Anunak/Carbanak, another campaign that targeted Russian and Ukrainian banks. “Although we believe it to be a different campaign, it shares some similarities with Anunak/Carbanak in terms of techniques, tactics and procedures it uses,” Boutin states.

ESET explained that the malware used in this campaign is “a mix of off-the-shelf tools, NSIS-packed malware and bespoke spyware that abuses Yandex’s Punto software, a program for Russian users which silently and automatically changes the keyboard language depending on what the user is typing.” Cybercriminals then use custom tools to analyze the compromised computer’s content, install a backdoor and finally deploy a malicious module that spies on the system and can enumerate smart cards.

The module will also try to recover account passwords, enable remote desktop service, create a new account on the compromised computer, and perform fraudulent banking transactions.

To date, it has not been established exactly how much money the cybercriminals have managed to steal or specifically who was targeted.