BuhTrap  (Back to overview)

Buhtrap has been active since 2014, however their first attacks against financial institutions were only detected in August 2015. Earlier, the group had only focused on targeting banking clients. At the moment, the group is known to target Russian and Ukrainian banks. From August 2015 to February 2016 Buhtrap managed to conduct 13 successful attacks against Russian banks for a total amount of 1.8 billion rubles ($25.7 mln). The number of successful attacks against Ukrainian banks has not been identified. Buhtrap is the first hacker group using a network worm to infect the overall bank infrastructure that significantly increases the difficulty of removing all malicious functions from the network. As a result, banks have to shut down the whole infrastructure which provokes delay in servicing customers and additional losses. Malicious programs intentionally scan for machines with an automated Bank-Customer system of the Central Bank of Russia (further referred to as BCS CBR). We have not identified incidents of attacks involving online money transfer systems, ATM machines or payment gates which are known to be of interest for other criminal groups.

Associated Families

2020-06-11SCYTHEJorge Orchilles
#ThreatThursday - Buhtrap
2020-05-24Positive TechnologiesPT ESC Threat Intelligence
Operation TA505: network infrastructure. Part 3.
AndroMut Buhtrap SmokeLoader
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2019-07-11ESET ResearchJean-Ian Boutin
Buhtrap group uses zero‑day in latest espionage campaigns
2019-04-30ESET ResearchESET Research
Buhtrap backdoor and Buran ransomware distributed via major advertising platform
Buhtrap ClipBanker RTM
Pegasus/Buhtrap analysis of the malware stage based on the leaked source code
2019-02-20Kaspersky LabsPavel Shoshin
Cybercrime is focusing on accountants
2018-07-11GelosSnake BlogOmri Segev Moyal
NotCarbanak Mystery - Source Code Leak
2016-09-28ForcepointNicholas Griffin
Highly Evasive Code Injection Awaits User Interaction Before Delivering Malware
BUHTRAP: The Evolution of Targetted Attacks Against Financial Instituitions
2016-02-22SymantecSymantec Security Response
Russian bank employees received fake job offers in targeted email attack
Buhtrap BuhTrap
2016-02-22SymantecA L Johnson
Russian bank employees received fake job offers in targeted email attack
Buhtrap BuhTrap
2015-11-11ESET ResearchJean-Ian Boutin
Operation Buhtrap malware distributed via
2015-04-09ESET ResearchJean-Ian Boutin
Operation Buhtrap, the trap for Russian accountants
Buhtrap BuhTrap

Credits: MISP Project