Caught on the Drive-by: Buhtrap Banking Malware Returns

Caught on the Drive-by: Buhtrap Banking Malware Returns

The Buhtrap malware has been caught stealing again: And an investigation from Cyphort Labs shows it being dropped via drive-by download targeting Russian banks.

Buhtrap is a criminal cyber-hacking group that targets financial institutions. As reported by Group-IB, Buhtrap has been active since 2014. From August 2015 to February 2016, it managed to conduct 13 successful attacks against Russian banks and defrauded them of a total of $25.7 million.

It’s usually dropped onto a victim's system via a malicious RTF document exploit sent over email. But this month Cyphort Labs observed the same malware being dropped via a drive-by download.

“The infection chain starts with the compromised site eurolab[.]ua, which is a popular health site,” explained Dhruval Gandhi, Cyphort researcher, in a blog shared with Infosecurity.. “The compromised site leads visitors to rozhlas[.]site which has a browser exploit with CVE-2016-0189. This exploit is effective against Microsoft IE unpatched versions 9 through 11. After successful exploitation, an embedded Powershell script will further download a first stage malware which in turn downloads NSIS packed payloads with spying modules and a backdoor.”

This first stage malware’s main motive is to check for certain environmental factors to confirm its victim is a good target. It first checks for specific banking software and user browsing history and, based on that, it will download the second stage malware. It is clear from this technique that the hacker group is only interested in implanting their malware onto systems that are part of a banking system.

If any of the two checks are true, it will download its second stage malware, which shows advanced capabilities like keylogging, spying, smartcard reading etc. 

The health site hosting the drive-by is in Ukraine, and reaches about half a million visitors per month. It is important to note that even though the site is in Ukraine, 40% of its visitors are from Russia, according to Alexa stats.

“It seems that hackers are still going after Russian banks even after the demise of the Lurk group and the very publicized arrests by Russian law enforcement,” Gandhi said. “It also seems that this group has invested in expanding their capability by introducing a known vulnerability in their arsenal, which could be the result of insider knowledge of the software installed on targeted systems.”

Photo © Popova Valeriya/

Source: Information Security Magazine