
Threat Group Cards: A Threat Actor Encyclopedia

Tool: Buhtrap

Names: Buhtrap, Ratopak
Category: Malware
Type: Banking trojan, Backdoor, Keylogger, Credential stealer, Info stealer, Downloader, Exfiltration
Description (ESET): The infection vector we have seen consists of Microsoft Word documents sent as email attachments that exploit CVE-2012-0158, a vulnerability in Microsoft Word that was patched three years ago. The images below show two of the decoy documents used in this campaign. The first document, titled “Счет № 522375-ФЛОРЛ-14-115.doc”, mimics an invoice. The second, aptly titled “kontrakt87.doc”, copies a generic telecommunications service contract from MegaFon, a large Russian mobile phone operator.

The tools deployed on the victim’s computer allow them to control it remotely and to record the user’s actions. The malware allows the criminals to install a backdoor, attempt to obtain the account password, and even create a new account. They also install a keylogger, a clipboard stealer, a smart card module, and have the capability to download and execute additional malware.
Information:
https://www.welivesecurity.com/2015/04/09/operation-buhtrap/
https://malware-research.org/carbanak-source-code-leaked/
https://www.group-ib.com/brochures/gib-buhtrap-report.pdf
https://www.arbornetworks.com/blog/asert/diving-buhtrap-banking-trojan-activity/
https://blog.dcso.de/pegasus-buhtrap-analysis-of-the-malware-stage-based-on-the-leaked-source-code/
Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.buhtrap
AlienVault OTX: https://otx.alienvault.com/browse/pulses?q=tag:buhtrap

Last change to this tool card: 13 May 2020


All groups using tool Buhtrap

Changed   Name                      Country   Observed

APT groups

          Buhtrap, Ratopak Spider   Russia    2015-Jun 2019

1 group listed (1 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
