Researchers identify malware campaign targeting Russian businesses, banks

Russian organizations are the target of a highly focused campaign – dubbed Operation Buhtrap – that was identified by ESET researchers in 2014 and is believed to have been active for longer than a year.

Jean-Ian Boutin, malware researcher at ESET, told in a Friday email correspondence that Russian business accounting departments and Russian banks are believed to be primary targets in the campaign, and that the attackers appear to be financially motivated.

“Although we do not have information about possible money theft, the fact that we found strings in the malware related to bank websites and applications used by their customers to access and manage their accounts, led us to believe that the cybercriminals are looking for financial gains,” Boutin said.

The attackers were observed sending emails with Microsoft Word attachments that exploit CVE-2012-0158 – a Microsoft Word vulnerability – in order to install malware on machines with Russia as the default Windows locale, a Thursday post indicated.

Opening the malicious attachment on a vulnerable system results in an NSIS-packed trojan downloader being downloaded and executed, according to the post, which adds that it then makes several checks, including to see if it is running in a virtual environment.

If all requirements pass, another file is downloaded that contains different modules, and several are signed with a valid code-signing certificate, the post notes, explaining that ESET researchers identified four certificates being used that are all registered to companies in Moscow.

The modules have a variety of purposes, Boutin said. One recovers account passwords, enables remote desktop service, and creates new accounts on the compromised computer. Another installs a backdoor used to remotely control the compromised computer. And another logs all keystrokes and copies clipboard content, enumerates smart cards present on the system, and sends stolen data to the command-and-control (C&C) server.

The techniques observed here are not often used by financially motivated attackers, Boutin said, explaining that the malware is made in a way that only selected individuals are targeted.

“Before installing their malware, they perform several checks in order to compromise only computers that are likely to be of interest to them,” Boutin said. “The tools they use are also different than what we generally see in banking trojans. They also use, like many actors performing targeted attacks, C&C domain names that are likely to be mistaken for legitimate websites that their intended targets are likely to visit.”

Boutin did not have additional information to provide on the attackers. He said that ESET had a couple of thousand detections in the past year, which reinforces that the attacker are targeting selected individuals and not trying to compromise the greatest number of systems. According to the post, 88 percent of detections were in Russia, with 10 percent being in Ukraine.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.