
BuhTrap


Buhtrap has been active since 2014, but its first attacks against financial institutions themselves were only detected in August 2015; before that the group targeted only banking clients. The group is currently known to target Russian and Ukrainian banks. From August 2015 to February 2016 Buhtrap carried out 13 successful attacks against Russian banks, stealing a total of 1.8 billion rubles (about $25.7 million); the number of successful attacks against Ukrainian banks has not been established. Buhtrap is the first criminal group known to use a network worm to infect a bank's entire infrastructure, which makes it considerably harder to remove every malicious component from the network; as a result, affected banks have had to shut down their whole infrastructure, delaying customer service and incurring additional losses. The malware deliberately scans for machines running the automated Bank-Customer system of the Central Bank of Russia (hereafter BCS CBR). No incidents involving online money transfer systems, ATMs or payment gateways, which are known targets of other criminal groups, have been identified.


Associated Families
win.buhtrap

References
2020-06-11, SCYTHE, Jorge Orchilles
@online{orchilles:20200611:threatthursday:b0ccbb8, author = {Jorge Orchilles}, title = {{#ThreatThursday - Buhtrap}}, date = {2020-06-11}, organization = {SCYTHE}, url = {https://www.scythe.io/library/threatthursday-buhtrap}, language = {English}, urldate = {2020-06-16} }
Buhtrap
2020-03-04, CrowdStrike, CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} }
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2019-07-11, ESET Research, Jean-Ian Boutin
@online{boutin:20190711:buhtrap:ec174bc, author = {Jean-Ian Boutin}, title = {{Buhtrap group uses zero‑day in latest espionage campaigns}}, date = {2019-07-11}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/07/11/buhtrap-zero-day-espionage-campaigns/}, language = {English}, urldate = {2019-11-14} }
Buhtrap
2019-04-30, ESET Research, ESET Research
@online{research:20190430:buhtrap:ebdeba3, author = {ESET Research}, title = {{Buhtrap backdoor and Buran ransomware distributed via major advertising platform}}, date = {2019-04-30}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/}, language = {English}, urldate = {2019-11-14} }
Buhtrap ClipBanker RTM
2019-03-14, DCSO, DCSO
@online{dcso:20190314:pegasusbuhtrap:2e48e0e, author = {DCSO}, title = {{Pegasus/Buhtrap analysis of the malware stage based on the leaked source code}}, date = {2019-03-14}, organization = {DCSO}, url = {https://blog.dcso.de/pegasus-buhtrap-analysis-of-the-malware-stage-based-on-the-leaked-source-code/}, language = {English}, urldate = {2020-01-07} }
Buhtrap
2019-02-20, Kaspersky Labs, Pavel Shoshin
@online{shoshin:20190220:cybercrime:3fc9944, author = {Pavel Shoshin}, title = {{Cybercrime is focusing on accountants}}, date = {2019-02-20}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/blog/financial-trojans-2019/25690/}, language = {English}, urldate = {2019-12-05} }
BuhTrap
2018-07-11, GelosSnake Blog, Omri Segev Moyal
@online{moyal:20180711:notcarbanak:b87716e, author = {Omri Segev Moyal}, title = {{NotCarbanak Mystery - Source Code Leak}}, date = {2018-07-11}, organization = {GelosSnake Blog}, url = {https://malware-research.org/carbanak-source-code-leaked/}, language = {English}, urldate = {2020-01-08} }
Buhtrap
2016-09-28, Forcepoint, Nicholas Griffin
@online{griffin:20160928:highly:c9c3359, author = {Nicholas Griffin}, title = {{Highly Evasive Code Injection Awaits User Interaction Before Delivering Malware}}, date = {2016-09-28}, organization = {Forcepoint}, url = {https://www.forcepoint.com/blog/security-labs/highly-evasive-code-injection-awaits-user-interaction-delivering-malware}, language = {English}, urldate = {2020-01-09} }
BuhTrap
2016-03, Group-IB, Group-IB
@techreport{groupib:201603:buhtrap:65fd758, author = {Group-IB}, title = {{BUHTRAP: The Evolution of Targeted Attacks Against Financial Institutions}}, date = {2016-03}, institution = {Group-IB}, url = {https://www.group-ib.com/brochures/gib-buhtrap-report.pdf}, language = {English}, urldate = {2020-01-12} }
BuhTrap
2016-02-22, Symantec, Symantec Security Response
@online{response:20160222:russian:c8f9d1a, author = {Symantec Security Response}, title = {{Russian bank employees received fake job offers in targeted email attack}}, date = {2016-02-22}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/russian-bank-employees-received-fake-job-offers-targeted-email-attack}, language = {English}, urldate = {2019-11-28} }
Buhtrap BuhTrap
2016-02-22, Symantec, A L Johnson
@online{johnson:20160222:russian:cc3bc7b, author = {A L Johnson}, title = {{Russian bank employees received fake job offers in targeted email attack}}, date = {2016-02-22}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=8e498912-44f8-4ea0-ac50-4544f0fedd6c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} }
Buhtrap BuhTrap
2015-11-11, ESET Research, Jean-Ian Boutin
@online{boutin:20151111:operation:baffed9, author = {Jean-Ian Boutin}, title = {{Operation Buhtrap malware distributed via ammyy.com}}, date = {2015-11-11}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2015/11/11/operation-buhtrap-malware-distributed-via-ammyy-com/}, language = {English}, urldate = {2020-01-08} }
BuhTrap
2015-04-09, ESET Research, Jean-Ian Boutin
@online{boutin:20150409:operation:077f5fe, author = {Jean-Ian Boutin}, title = {{Operation Buhtrap, the trap for Russian accountants}}, date = {2015-04-09}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2015/04/09/operation-buhtrap/}, language = {English}, urldate = {2019-11-14} }
Buhtrap BuhTrap

Credits: MISP Project