Buhtrap Gang Steals Millions From Russian Banks

The cybercriminal gang known as Buhtrap has stolen $25 million from 13 Russian banks over a six-month period, according to a report published on Thursday by Russia-based security firm Group-IB.

Buhtrap is believed to have been active since 2014, but until August 2015 its attacks focused on the customers of Russian banks rather than on the banks themselves. The first attack targeting financial institutions directly was spotted in August 2015, and over the following months the group sent spear-phishing emails to many organizations.

The emails carried a malicious Word document designed to download the Buhtrap malware, which opens a backdoor on the infected machine and allows attackers to log keystrokes, steal clipboard data, view and control the victim’s screen, and download other malware.

The group later started using a worm, which Group-IB dubbed BuhtrapWorm, that allowed the attackers to persist in a targeted corporate network for as long as at least one computer remained infected.

In attacks aimed at Russian banks, the gang targeted workstations running a free application called Automated Working Station of the Central Bank Client (AWS CBC). The attackers replaced legitimate payment orders in AWS CBC with their own so that money would be sent to accounts they controlled instead of the legitimate recipient.

Group-IB believes the group has stolen $25 million (1.8 billion RUB) from 13 Russian banks between August 2015 and February 2016. Experts estimate that the lowest amount stolen from a Russian bank is $370,000 (25 million RUB), and the highest amount is close to $9 million (600 million RUB). Researchers could not determine the damage caused by the attackers to banks in Ukraine.

The source code for an earlier version of Buhtrap was leaked on an underground forum in February 2016 by an individual claiming to be one of the malware’s authors. Researchers believe the leak could lead to an increase in the number of attacks using this threat.

Group-IB is not the only security firm monitoring Buhtrap’s activities. ESET published a report on the cybercrime group in April 2015, and, last month, Symantec said it observed the actor targeting the employees of at least six Russian banks.

In its report on Buhtrap, Group-IB noted that the attacks were not sophisticated and could easily have been detected and blocked had the targeted organizations taken basic security measures, such as keeping their systems up to date and educating their employees about phishing attacks.

Russian banks are increasingly targeted by cybercriminals. Other groups that have caused significant losses to financial institutions in the country through clever techniques include Carbanak (Anunak), Metel (Corkow) and GCMAN.

Related: Carbanak Group Targets Banks in Middle East, U.S.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.