Buhtrap Group Used Windows Zero-Day in Government Attack

One of the two Windows zero-day vulnerabilities fixed by Microsoft with its July 2019 Patch Tuesday updates was used by a threat group known as Buhtrap to target a government organization in Eastern Europe, according to cybersecurity firm ESET.

The flaw, tracked as CVE-2019-1132, is a privilege escalation issue related to how the Win32k component handles objects in memory. It can be exploited to execute arbitrary code in kernel mode, but it only appears to affect older versions of Windows, such as Windows 7 and Server 2008.

ESET, which informed Microsoft of the vulnerability and the attacks exploiting it, has released a blog post containing technical information on CVE-2019-1132. The company says the exploit created by Buhtrap relies on popup menu objects, a technique that has been used for several vulnerabilities in recent years. According to ESET, the exploit for CVE-2019-1132 uses techniques very similar to the exploit for CVE-2017-0263, a Windows zero-day patched by Microsoft in May 2017 after it was used by a Russia-linked cyberspy group.

As for the attack involving CVE-2019-1132, ESET spotted it in June after it was used to target a government institution in Eastern Europe. The Buhtrap hackers leveraged the exploit to run their malware with the highest privileges on the compromised systems.

This was the first time Buhtrap had used a zero-day vulnerability in its attacks, ESET said.

The group used decoy documents to deliver a piece of malware designed to steal passwords from email clients and browsers, and send them to a command and control (C&C) server. The malware also gave attackers full access to the compromised device.

Buhtrap has been active since at least 2014. The group initially conducted profit-driven campaigns aimed at the customers of Russian banks. In 2015, the threat actor was spotted targeting financial institutions directly by sending spear-phishing emails to their employees. Buhtrap is said to have stolen significant amounts of money during these operations, including $25 million over a six-month period from 13 Russian banks.

In 2015, the group also started launching cyber espionage operations aimed at entities in Eastern Europe and Central Asia, including government organizations. The source code for Buhtrap’s malware was leaked in 2016, which allowed other groups to use it as well, but ESET has pointed out that the shift in focus predates the leak, and the company assesses with high confidence that the people behind the attacks on banks also targeted governments.

“While we do not know why this group has suddenly shifted targets, it is a good example of the more and more blurry lines separating pure espionage groups from the ones mostly doing crimeware. In this case, it is unclear if one or several members of this group decided to change focus and for what reasons, but it is definitely something that we are likely to see more of going forward,” ESET said in a blog post.

The second Windows zero-day vulnerability patched by Microsoft this month, a privilege escalation issue tracked as CVE-2019-0880, was reported to the company by Resecurity. However, the firm told SecurityWeek that it only shares its findings with impacted vendors and it has refused to provide any information on the attacks involving this flaw.

Related: Windows Zero-Day Exploited in Targeted Attacks by ‘PowerPool’ Group

Related: Windows Zero-Day Exploited by FruityArmor, SandCat Threat Groups

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
