Buhtrap Group Used Windows Zero-Day in Government Attack

One of the two Windows zero-day vulnerabilities fixed by Microsoft with its July 2019 Patch Tuesday updates was used by a threat group known as Buhtrap to target a government organization in Eastern Europe, according to cybersecurity firm ESET.

The flaw, tracked as CVE-2019-1132, is a privilege escalation issue related to how the Win32k component handles objects in memory. It can be exploited to execute arbitrary code in kernel mode, but it only appears to affect older versions of Windows, such as Windows 7 and Server 2008.

ESET, which informed Microsoft of the vulnerability and the attacks exploiting it, has released a blog post containing technical information on CVE-2019-1132. The company says the exploit created by Buhtrap relies on popup menu objects, a technique that has been used for several vulnerabilities in recent years. According to ESET, the exploit for CVE-2019-1132 uses techniques very similar to the exploit for CVE-2017-0263, a Windows zero-day patched by Microsoft in May 2017 after it was used by a Russia-linked cyberspy group.

As for the attack involving CVE-2019-1132, ESET spotted it in June after it was used to target a government institution in Eastern Europe. The Buhtrap hackers leveraged the exploit to run their malware with the highest privileges on the compromised systems.

This was the first time Buhtrap had used a zero-day vulnerability in its attacks, ESET said.

The group used decoy documents to deliver a piece of malware designed to steal passwords from email clients and browsers, and send them to a command and control (C&C) server. The malware also gave attackers full access to the compromised device.

Buhtrap has been active since at least 2014. The group initially conducted profit-driven campaigns aimed at the customers of Russian banks. In 2015, the threat actor was spotted targeting financial institutions directly by sending spear-phishing emails to their employees. Buhtrap is said to have stolen significant amounts of money during these operations, including $25 million over a six-month period from 13 Russian banks.

In 2015, the group also started launching cyber espionage operations aimed at entities in Eastern Europe and Central Asia, including government organizations. While the source code for Buhtrap’s malware was leaked in 2016, which allowed other groups to use it as well, ESET has pointed out that the hackers shifted focus before the leak and the company assesses with high confidence that the people behind the attacks on banks also targeted governments.

“While we do not know why this group has suddenly shifted targets, it is a good example of the more and more blurry lines separating pure espionage groups from the ones mostly doing crimeware. In this case, it is unclear if one or several members of this group decided to change focus and for what reasons, but it is definitely something that we are likely to see more of going forward,” ESET said in a blog post.

The second Windows zero-day vulnerability patched by Microsoft this month, a privilege escalation issue tracked as CVE-2019-0880, was reported to the company by Resecurity. However, the firm told SecurityWeek that it only shares its findings with impacted vendors and it has refused to provide any information on the attacks involving this flaw.

Related: Windows Zero-Day Exploited in Targeted Attacks by ‘PowerPool’ Group

Related: Windows Zero-Day Exploited by FruityArmor, SandCat Threat Groups

view counter

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Previous Columns by Eduard Kovacs:

Tags: