In general Buhtrap is the cyber attack in the financial institution using APT attack. A report is published by Group-IB to increase awareness among the banking communities’about hacker tactics, provide indicators which enable banks to identify corporate network compromise incidents and develop recommendations which will help to combat cyber criminals.

The report had covered different organized cyber criminal group such as Anunak (also known as Carbanak), Corkow (also known as Metel).

Financial losses in two years. 

Buhtrap has been active since 2014, however their first attacks against financial institutions were only detected in August 2015. Earlier, the group had only focused on targeting banking clients. At the moment, the group is known to target Russian and Ukrainian banks. 600 million the largest amount stolen from a Russian bank (2016) 25,6 million the smallest amount stolen from a Russian bank (2015) 143 million the average amount stolen from a bank 1 billion the amount of money which was prevented from being stolen in January 2016 Buhtrap attacks threaten the financial stability of their victims: 62% the average amount of theft as it compares to the bank’s charter capital 2,5 times bank’s charter capital was the loss to fraud in two separate cases.

Methods of distribution.

Cyber criminals have different ways to penetrate to the network and spread their malware for this attack they used 3 different ways of distribution bhutrap.

  1. Phishing mailouts
  2. Exploit kits
  3. Legal Software

Phishing mailouts:

Phishing attack is main tool used by the group to spread their attack against bank client and banks. Attackers send attach documents in two ways using exploits (CVE-2012-0158, CVE-2013-3906 or CVE-2014-1761), or delivered with macros which contain an instruction to enable macros.

Screenshot - 2016年05月10日 - 17時51分20秒

Exploit Kits:

It is found that cybercriminals spreading Buhtrap using this method from May 2015 to August 2015. Attackers secretly redirected users from compromised legal resources which include accounting portals, specialized websites for registration of legal entities and construction websites to malicious server hosting the exploit kit.


Legal Software.

Criminals were able to upload malicious contain (Buhtrap Trojan) in software named Ammyy Admin, Ammyy website is belong to a company which specializes in developing the legitimate remote administrator software. Next, in October EsetNod32 found malicious activity on the Ammyy website which was used to spread modified Ammyy version with such Trojans as Lurk, CoreBot, Ranbyus, NetwireRAT.

Provision of the Trojan Survivability

Screenshot - 2016年05月10日 - 19時23分46秒


For detail information about Buhtrap please go through the link: BuhTrap



Manish Dangol

Leave a Reply

Your email address will not be published. Required fields are marked *