Buhtrap metamorphosis: from cybercrime to cyber espionage (partner presentation)

Thursday 3 October 10:00 - 10:30, Red room

Anton Cherepanov (ESET)
Jean-Ian Boutin (ESET)

ESET researchers were among the first to identify and describe a stealthy and financially motivated malicious campaign targeting Russian companies. At the time of discovery, we coined the name ‘Buhtrap’ for the malware used in these campaigns.

Over the past several years we have closely monitored this group’s evolution from its early baby steps to becoming a major cybercriminal player. At the beginning, the Buhtrap group targeted the accounting departments of Russian businesses; then the group’s focus shifted to financial institutions themselves. In 2015 the Buhtrap malware was distributed using a supply-chain attack on the official Ammyy website, targeting its users.

At the peak of its criminal activity, this group caused significant losses to financial institutions; according to Group-IB, the people behind Buhtrap managed to steal US$25 million from Russian banks.

This and other campaigns were summarized and presented in our VB2016 paper (‘Modern Attacks on Russian Financial Institutions’). After that, we saw an unexpected transformation in the Buhtrap group’s interests from pure cybercrime to cyber espionage. While the group used similar malware and techniques very close to the original Buhtrap group, we observed that their focus had shifted to countries other than Russia. Further, the Buhtrap group started to target governmental entities.

In 2019 we detected the Buhtrap group using a zero-day local privilege escalation vulnerability (CVE-2019-1132) in Eastern Europe and attempts to deploy the malware in Central Asia.

In this talk we will follow the breadcrumbs to figure out what the Buhtrap beast has finally become.




Anton Cherepanov

Anton Cherepanov currently works at ESET as a senior malware researcher; his responsibilities include the analysis of complex threats. He has done extensive research on cyber-attacks in Ukraine. His research has been presented at numerous conferences, including BlackHat USA, Virus Bulletin and CARO Workshop. His interests focus on reverse engineering and automation of malware analysis.



Jean-Ian Boutin

Jean-Ian Boutin leads the Threat Research department at ESET. Boutin investigates trends in malware, reverse engineers binaries and finds effective techniques to counter new threats. He has presented at several security conferences, including Black Hat, REcon, BlueHat, Virus Bulletin and ZeroNights.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.