Buhtrap Gang Steals Millions From Russian Banks

The cybercriminal gang known as Buhtrap has stolen $25 million from 13 Russian banks over a six-month period, according to a report published on Thursday by Russia-based security firm Group-IB.

Buhtrap is believed to have been active since 2014, but its attacks focused on the customers of Russian banks until August 2015. The first attack targeting financial institutions directly was spotted in August 2015, and over the following months the group sent spear-phishing emails to many organizations.

The emails carried a malicious Word document designed to download the Buhtrap malware, which opens a backdoor on the infected machine and allows attackers to log keystrokes, steal clipboard data, view and control the victim’s screen, and download other malware.

The group later started using a worm, dubbed BuhtrapWorm by Group-IB, which allowed the attackers to persist in the targeted corporate network for as long as at least one computer remained infected.

In attacks aimed at Russian banks, the gang targeted workstations running a free application called Automated Working Station of the Central Bank Client (AWS CBC). The attackers replaced legitimate payment orders in AWS CBC with their own so that money would be sent to accounts they controlled instead of the legitimate recipient.

Group-IB believes the group has stolen $25 million (1.8 billion RUB) from 13 Russian banks between August 2015 and February 2016. Experts estimate that the lowest amount stolen from a Russian bank is $370,000 (25 million RUB), and the highest amount is close to $9 million (600 million RUB). Researchers could not determine the damage caused by the attackers to banks in Ukraine.

The source code for an earlier version of Buhtrap was leaked on an underground forum in February 2016 by an individual claiming to be one of the malware’s authors. Researchers believe the leak could lead to an increase in the number of attacks using this threat.

Group-IB is not the only security firm monitoring Buhtrap’s activities. ESET published a report on the cybercrime group in April 2015, and, last month, Symantec said it observed the actor targeting the employees of at least six Russian banks.

In its report on Buhtrap, Group-IB noted that the attacks were not sophisticated and could easily have been detected and blocked had the targeted organizations taken basic security measures, such as keeping their systems up to date and educating their employees about phishing attacks.

Russian banks are increasingly targeted by cybercriminals. Other groups that have caused significant losses to financial institutions in the country by leveraging clever techniques are Carbanak (Anunak), Metel (Corkow) and GCMAN.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
