Buhtrap Group Used Windows Zero-Day in Government Attack

One of the two Windows zero-day vulnerabilities fixed by Microsoft with its July 2019 Patch Tuesday updates was used by a threat group known as Buhtrap to target a government organization in Eastern Europe, according to cybersecurity firm ESET.

The flaw, tracked as CVE-2019-1132, is a privilege escalation issue related to how the Win32k component handles objects in memory. It can be exploited to execute arbitrary code in kernel mode, but it only appears to affect older versions of Windows, such as Windows 7 and Server 2008.

ESET, which informed Microsoft of the vulnerability and the attacks exploiting it, has released a blog post containing technical information on CVE-2019-1132. The company says the exploit created by Buhtrap relies on popup menu objects, a technique that has been used for several vulnerabilities in recent years. According to ESET, the exploit for CVE-2019-1132 uses techniques very similar to the exploit for CVE-2017-0263, a Windows zero-day patched by Microsoft in May 2017 after it was used by a Russia-linked cyberspy group.

As for the attack involving CVE-2019-1132, ESET spotted it in June after it was used to target a government institution in Eastern Europe. The Buhtrap hackers leveraged the exploit to run their malware with the highest privileges on the compromised systems.

This was the first time Buhtrap had used a zero-day vulnerability in its attacks, ESET said.

The group used decoy documents to deliver a piece of malware designed to steal passwords from email clients and browsers, and send them to a command and control (C&C) server. The malware also gave attackers full access to the compromised device.

Buhtrap has been active since at least 2014. The group initially conducted profit-driven campaigns aimed at the customers of Russian banks. In 2015, the threat actor was spotted targeting financial institutions directly by sending spear-phishing emails to their employees. Buhtrap is said to have stolen significant amounts of money during these operations, including $25 million over a six-month period from 13 Russian banks.

In 2015, the group also started launching cyber espionage operations aimed at entities in Eastern Europe and Central Asia, including government organizations. While the source code for Buhtrap’s malware was leaked in 2016, which allowed other groups to use it as well, ESET has pointed out that the hackers shifted focus before the leak and the company assesses with high confidence that the people behind the attacks on banks also targeted governments.

“While we do not know why this group has suddenly shifted targets, it is a good example of the more and more blurry lines separating pure espionage groups from the ones mostly doing crimeware. In this case, it is unclear if one or several members of this group decided to change focus and for what reasons, but it is definitely something that we are likely to see more of going forward,” ESET said in a blog post.

The second Windows zero-day vulnerability patched by Microsoft this month, a privilege escalation issue tracked as CVE-2019-0880, was reported to the company by Resecurity. However, the firm told SecurityWeek that it only shares its findings with impacted vendors and it has refused to provide any information on the attacks involving this flaw.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.