Group-IB Discovers Network of Fake Accounting Websites

A network of fake accounting sites that infect legal entity users with Buhtrap and RTM banking trojans was discovered on the Internet. Group-IB, a company specializing in the investigation of cybercrimes, learned about the existence of the network. According to the company, users of remote banking systems, payment systems and crypto wallets, including financial directors, lawyers and accountants, became victims of infection.

In response to CNews' request to name the specific organizations affected by the attack, Group-IB said that it could not disclose the names, but that at least one Russian bank that is a client of the company suffered from the hackers, and that in this case the attack was stopped at the initial stage. A "fairly large and well-known state institution", which is also a client of Group-IB, was also attacked.

The network consisted of at least five malicious sites filled with the same accounting content as bait — forms, contracts, invoices, and tax documents. They were buh-docum[.]ru, patrolpolice[.]org.ua, buh-blanks[.]ru, buh-doc[.]online and buh-doc[.]info. Three of them were launched in April 2018, the other two were registered in September 2017, with about 200,000 users using the services of each site, Group-IB reports.

The growth in the popularity of malicious resources was facilitated by the fact that they appeared among the first search results for the queries "download accounting forms", "download form", "tax return download", etc. The total number of visitors to the fake network has not yet been established, but we are talking about "hundreds of thousands" of users, Group-IB believes. Now four sites out of five have already been blocked, but the company does not rule out that there could be more.

In the Hi-Tech Crime Trends 2017 report, the company writes that each such attack, if successful, brings hackers up to 1.2 million rubles per day. The company estimates the number of successful attacks of this type at about two per day.

How the network was detected

The network of fake sites was uncovered after specialists from the Group-IB Information Security Incident Response Center (CERT-GIB) tracked the download of malware from the buh-docum[.]ru website in the bank mentioned above. During the analysis of the site, they found that it was filled with accounting content solely for the purpose of attracting the attention of financial directors, chief accountants, lawyers and other persons with access to the management of organizations' accounts.

When users downloaded a document from the site, a Trojan developed by the Buhtrap hacker group was automatically downloaded and launched with it. As Group-IB explains, the code of this program has been available on hacker forums since 2016.

Cryptocurrencies aroused the greatest interest among hackers. The Trojan responded to a total of more than 400 key search queries, including ibank, ibrs, iclient, ibc, elbrus, i-elba, uwagb, wwwbank, dbo, ib., beta.isx.is, bitcoin, blockchain, btc.com, exmo.com, kiwi-coin, koineks, kraken.com, poloniex, walletbit, 100btc.kiev.ua, 100btc.pro, 100monet.pro, 1exchanger.com, 1wm.kz and 24-exchange.com.

Having found any of these combinations on the victim's computer, the loader contacted the server, and it downloaded Buhtrap or RTM trojans to the computer, through which it is possible to steal funds from remote banking systems and payment systems. Buhtrap infection occurs through a vulnerability in the browser.

"The attackers' tactics have changed: the vector of Trojan distribution was not traditional malicious mailing or hacked popular sites, but the creation of new thematic resources where attackers placed code designed to download Trojans. As a result, the carelessness of one employee of the company can lead to serious losses for the entire business: according to our data, there are at least 2 successful attacks on companies using malicious programs for PCs every day, as a result of which attackers steal an average of 1.2 million rubles. In addition, we do not rule out that there could be more such resources", writes Yaroslav Kargalev, Deputy Head of Group-IB CERT.

Source

------

F.A.C.C.T. researchers warn of the comeback of the Russian-speaking Buhtrap syndicate after a lull, detecting new campaigns targeting Russian financial and law firms.

Buhtrap is the name of both malware and the criminal group that originally used it in their attacks.

The first attacks on financial institutions were recorded back in August 2015, and the group itself has been active since at least 2014.

The main vector of penetration into corporate networks at that time was phishing emails on behalf of the Bank of Russia or its representatives.

Later, hacked or fake specialized accounting resources began to be used, where, under the guise of forms or document templates, the first stage of malware infection was implemented.

The damage from Buhtrap attacks in the period 2020-2022 alone was estimated at almost 2 billion rubles, and the global damage for all the years of its activity could reach 6-7 billion rubles.

The last activity was seen in April 2023.

A year later, during the investigation of an incident related to the download of a malicious object to the device of one of the clients, F.A.C.C.T. experts discovered new artifacts of criminal cyberactivity: the malicious instance in the archive was attributed as a Buhtrap RAT.

After the incident was detected, an additional analysis of the executable instance in the archive was initiated. The zip archive contains a first-stage loader called Document No [0-9].exe.

When the executable file was launched, the second-stage dropper was unpacked, which launched Wordpad.exe with an empty document.

The next stage began only after the user closed the WordPad window, a technique commonly used to bypass sandboxes.

The Buhtrap RAT was saved to disk and registered for autostart in the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run; the path to the RAT is %userprofile%\AppData\Local\%dir_name%\%samplename%.exe. The directory name and RAT name are randomly generated Latin strings.
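One way to triage a host for the persistence pattern described above, as an added example that is not code from the Group-IB or F.A.C.C.T. reports: it walks the per-user Run key named in the report and flags entries whose target is an unsigned executable at %userprofile%\AppData\Local\<letters>\<letters>.exe. The Latin-letters-only check and the signature check are assumed heuristics, not indicators from the report.

```powershell
# Added example: triage HKCU Run entries for the path pattern the report describes.
# Heuristics (letters-only names, missing Authenticode signature) are assumptions.

function Get-SuspiciousRunEntries {
    [CmdletBinding()]
    param(
        # Per-user autostart key named in the report.
        [string]$RunKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    $localAppData = [Environment]::GetFolderPath('LocalApplicationData')
    if (-not (Test-Path $RunKey)) { return @() }

    $props = Get-ItemProperty -Path $RunKey
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
        $value = [string]$props.$name

        # Pull the executable path out of the command line (quoted or bare, .exe only).
        $m = [regex]::Match($value, '^\s*"?([^"]+?\.exe)"?', 'IgnoreCase')
        if (-not $m.Success) { continue }
        $exe = [Environment]::ExpandEnvironmentVariables($m.Groups[1].Value)

        # Report pattern: the binary sits exactly one directory level below %LOCALAPPDATA%.
        $parent = Split-Path -Parent $exe
        if ((Split-Path -Parent $parent) -ne $localAppData) { continue }

        $dirName  = Split-Path -Leaf $parent
        $baseName = [IO.Path]::GetFileNameWithoutExtension($exe)
        # Assumed heuristic: generated names are bare Latin letters (per the report),
        # and a legitimate autostart binary would normally carry a valid signature.
        $latinOnly = ($dirName -match '^[A-Za-z]+$') -and ($baseName -match '^[A-Za-z]+$')
        $sig = if (Test-Path $exe) { (Get-AuthenticodeSignature $exe).Status } else { 'FileMissing' }

        if ($latinOnly -and $sig -ne 'Valid') {
            [pscustomobject]@{
                ValueName = $name
                Path      = $exe
                Signature = $sig
                Hint      = 'Run entry under %LOCALAPPDATA%\<letters>\<letters>.exe without a valid signature'
            }
        }
    }
}

# Run on the current user's profile; review hits manually before acting on them.
Get-SuspiciousRunEntries | Format-Table -AutoSize
```

Hits are triage leads, not verdicts: a matching path is a starting point for checking the file's hash and the download history described later in the report.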

In this campaign, the Buhtrap RAT uses an executable file, while in the 2023 campaign it was a DLL that was unpacked and run in the memory of the rundll32.exe process.

During the scan, it turned out that the malicious archive was downloaded by the user through a web browser.

It turned out that the user was simply looking for a document template in Yandex, downloading a malicious archive as a result.

Analysis of the campaign showed that, in general, the scheme of the new campaign is practically the same as that of the campaign in March-April 2023.

As before, decoy sites were created, disguised as specialized resources for accountants and lawyers.

In total, three web resources were found that are involved in the current campaign and are in the top lines of the search results:

- астраюрист[.]рф (registered on 2024-07-26);
- фин-баланс[.]рф (registered on 2024-07-26);
- финансовыйбаланс[.]рф (registered on 2024-07-25).

In addition, another resource was discovered, a legal solution[.]RF, which was not used by the attackers in this campaign but is associated with the above domains.

Indicators of compromise - in the report: https://www.facct.ru/blog/buhtrap-attacks-again/