Nasty Buhtrap Malware Spies on Russian Business Computers to Steal Data and Enumerate Smart Cards


Security experts at ESET, a global pioneer in proactive protection for more than two decades, have published their in-depth technical examination of the Operation Buhtrap malware family, a campaign aimed at Russian Windows users that allows cybercriminals to spy on computer systems and steal sensitive and smart card information.
Operation Buhtrap began late last year and continues to evolve, putting vulnerable Russian Windows systems at risk. The campaign targets a large array of Russian banks, uses several different code signing certificates and implements evasive techniques to avoid detection.
The infection vectors studied by ESET are Word documents exploiting CVE-2012-0158. The cybercriminals spam recipients with malicious Word attachments, such as fake invoices or contracts from MegaFon, a large Russian mobile phone operator, in an attempt to lure victims into opening the malicious attachments.
The malware used in Operation Buhtrap makes use of a mix of off-the-shelf tools, an NSIS-packed trojan downloader and bespoke spyware that abuses Yandex’s Punto software.
The tools deployed on the victim’s computer allow the cybercriminals to control the computer remotely and to record its user’s actions. The malware allows the criminals to install a backdoor, attempt to obtain the account password and even create a new account. It also installs a keylogger, a clipboard stealer and a smart card module, and has the capability to download and execute additional malware.

“This campaign is yet another reminder to all of us to ensure that computers are properly protected and patched against vulnerabilities,” said Jean-Ian Boutin, Malware Researcher at ESET. “The techniques used by the cybercriminals are often associated with targeted attacks. It diverges quite a lot from the traditional banking malware we are familiar with. Once a computer on a network is compromised, the cybercriminals have access to several tools that will help them to first compromise other computers in the company and second, spy on the user and establish whether fraudulent banking transactions can be performed.”

Interestingly, in all the banker modules analysed by ESET - the latest one having a compilation time of 18 January 2015 - there is a string “TEST_BOTNET” that is sent in every communication with the malware author’s command and control centre. ESET researchers are confident that this operation has been ongoing for more than a year, and that the malware undergoes continuous improvement to evade detection and maximise return.
Read more about Operation Buhtrap on

About ESET

Since 1987, ESET® has been developing award-winning security software that now helps over 100 million users to Enjoy Safer Technology. Its broad security product portfolio covers all popular platforms and provides businesses and consumers around the world with the perfect balance of performance and proactive protection. The company has a global sales network covering 180 countries, and regional offices in Bratislava, San Diego, Singapore and Buenos Aires. For more information visit or follow us on LinkedIn, Facebook and Twitter.