#1267198: Windows Zero-Day Used by Buhtrap Group For Cyber-Espionage
The Buhtrap hacking group has shifted its targets away from Russian financial businesses and institutions since December 2015, when it moved into cyber-espionage operations, culminating in the use of a recently patched Windows zero-day in June 2019.
The Windows local privilege escalation zero-day, tracked as CVE-2019-1132 and abused by Buhtrap in its attacks, was fixed by Microsoft in this month's Patch Tuesday; successful exploitation allowed the cyber-crime group to run arbitrary code in kernel mode.
Although Buhtrap had been actively targeting banking clients since 2014, its attacks were only detected a year later, in 2015, when it started going after higher-profile victims such as financial institutions, according to Group-IB and ESET researchers.
"From August 2015 to February 2016 Buhtrap managed to conduct 13 successful attacks against Russian banks for a total amount of 1.8 billion rubles ($25.7 mln)," says a Group-IB report.
The Windows zero-day exploited by Buhtrap
ESET researchers were able to observe how the hacker group's "toolset has been expanded with malware used to conduct espionage in Eastern Europe and Central Asia" in multiple targeted campaigns.
Buhtrap's zero-day exploit was used in June 2019 in an attack against a governmental institution; it abuses "a NULL pointer dereference in the win32k.sys component" on computers running older Windows versions.
The CVE-2019-1132 vulnerability that Buhtrap exploited to compromise governmental computing systems in June affects the following Windows versions:
• Windows 7 for 32-bit Systems Service Pack 1
• Windows 7 for x64-based Systems Service Pack 1
• Windows Server 2008 for 32-bit Systems Service Pack 2
• Windows Server 2008 for Itanium-Based Systems Service Pack 2
• Windows Server 2008 for x64-based Systems Service Pack 2
• Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
• Windows Server 2008 R2 for x64-based Systems Service Pack 1
This vulnerability is exploitable only on these older Windows versions because, since Windows 8, user processes are no longer allowed to map the NULL page, so the kernel's NULL pointer dereference cannot be turned into a jump to attacker-controlled memory.
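The affected-version list and the NULL-page note above translate directly into an inventory check. The following PowerShell script is an added example, not code from the article or from ESET: it classifies a host by kernel version (NT 6.0 and 6.1 are the Windows 7 / Server 2008 / Server 2008 R2 family listed above, where the NULL page can still be mapped from user mode; NT 6.2 and later are not affected), and reports whether a given fix is installed. The `$PatchKB` value is a placeholder parameter, not a real KB number; take the correct KB article for each SKU from Microsoft's CVE-2019-1132 advisory.

```powershell
# Added example (not from the article or ESET). Flags hosts in the
# CVE-2019-1132 affected set and reports whether the fix is present.
# $PatchKB is a PLACEHOLDER; supply the KB number from Microsoft's advisory.
param(
    [string]$PatchKB = 'KB0000000'   # placeholder, not a real KB number
)

$os  = Get-CimInstance -ClassName Win32_OperatingSystem
$ver = [version]$os.Version

# Windows 8 (NT 6.2) and later refuse to map the NULL page for user
# processes, which is what makes the win32k.sys NULL dereference unexploitable there.
$nullPageMappable = $ver -lt [version]'6.2'

# Affected set from the article: NT 6.0 SP2 (Server 2008) and NT 6.1 SP1 (Windows 7 / Server 2008 R2).
$affected = $nullPageMappable -and (
    ($ver.Major -eq 6 -and $ver.Minor -eq 0 -and $os.ServicePackMajorVersion -ge 2) -or
    ($ver.Major -eq 6 -and $ver.Minor -eq 1 -and $os.ServicePackMajorVersion -ge 1)
)

# Only look for the hotfix on hosts that need it; Get-HotFix returns nothing
# (or an error we suppress) when the KB is absent.
$patched = $false
if ($affected) {
    $patched = [bool](Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)
}

$action = 'None'
if ($affected -and -not $patched) {
    $action = "Install $PatchKB or migrate off Windows 7 / Server 2008 (R2)"
}

[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    Caption          = $os.Caption
    Version          = $os.Version
    ServicePack      = $os.ServicePackMajorVersion
    NullPageMappable = $nullPageMappable
    InAffectedSet    = $affected
    PatchInstalled   = $patched
    Action           = $action
}
```

Run it locally, or wrap it in `Invoke-Command -ComputerName` to sweep a fleet; hosts reporting `InAffectedSet = True` with `PatchInstalled = False` are the ones exposed to the privilege escalation the article describes. The version test deliberately keys on the kernel family rather than on product names, because that is the property (NULL page mappable or not) that decides exploitability.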
Move into cyber-espionage
While Buhtrap has always been known for its stealthy operations, in February 2016 the source code of the backdoor used in its previous attacks leaked online, leading to wide distribution and subsequent adoption by various other threat actors.
However, as discovered by the ESET research team, the cyber-crime group moved on, added new tools to its toolkit and, as mentioned at the beginning, also moved into cyber-espionage.
"It is always difficult to attribute a campaign to a particular actor when their tools’ source code is freely available on the web," says ESET. "However, as the shift in targets occurred before the source code leak, we assess with high confidence that the same people behind the first Buhtrap malware attacks against businesses and banks are also involved in targeting governmental institutions."
Also, "Although new tools have been added to their arsenal and updates applied to older ones, the tactics, techniques and procedures (TTPs) used in the different Buhtrap campaigns have not changed dramatically over all these years."
Even though the exact reason behind Buhtrap's decision to expand its operations into cyber-espionage is unknown, it is the perfect "example of the increasingly blurred lines between pure espionage groups and those primarily involved in crimeware activities."
A full list of indicators of compromise (IOCs) is available at the end of ESET's report on the Buhtrap group's move into cyber-espionage, including C2 server domains, malware sample hashes and code-signing certificate fingerprints, as well as a table of MITRE ATT&CK techniques.
Date added: July 12, 2019, 10:43 a.m.