Buhtrap group uses zero‑day in latest espionage campaigns

description: The Buhtrap group is well known for its targeting of financial institutions and businesses in Russia. However, since late 2015, we have witnessed an interesting change in its traditional targets. From a pure criminal group perpetrating cybercrime for financial gain, its toolset has been expanded with malware used to conduct espionage in Eastern Europe and Central Asia.

publish date:

reference:

IOC Table (32 indicators)

type             value
CVE              CVE-2015-2387
CVE              CVE-2019-1132
domain           corp-microsoft.com
domain           ipv6-microsoft.org
domain           secure-telemetry.net
domain           services-glbdns2.com
domain           hdfilm-seyret.com
FileHash-SHA1    9c3434ebdf29e5a4762afb610ea59714d8be2392
FileHash-SHA1    e0f3557ea9f2ba4f7074caa0d0cf3b187c4472ff
FileHash-SHA1    2f2640720cce2f83ca2f0633330f13651384dd6a
FileHash-SHA1    b25def9ac34f31b84062a8e8626b2f0ef589921f
FileHash-SHA1    5e662e84b62ca6bdf6d050a1a4f5db6b28fbb7c5
FileHash-SHA1    c17c335b7ddb5c8979444ec36ab668ae8e4e0a72
FileHash-SHA256  6e820b5732cd8bb95546cf39aeb6babe90cf4cc7dde675b718710babcf1740b5
FileHash-SHA256  b475f14a1ffdeaf883c73e97724544b9bba0f6c481830bd25e3ba0d0f69b9181
FileHash-SHA256  fd6c772c31da19a66283af4703d1d5072a9158d03031a4094ac2eb8dccd3d6d1
FileHash-SHA256  7c7e28254623462d0dd97aec61f7039b1fc8dcaaa6a06fb9cb52075f25b48629
FileHash-SHA256  9c2a235504003f2cc50c444c4c47b9ac3a16251d47b63313ba9d3ea7bc6011c9
FileHash-SHA256  25542d4ae765f794e56e2678e60a181ece9de530a145caea12ea1a89aa289dba
hostname         win10.ipv6-microsoft.org
hostname         7812.reg0.5204.toor.win10.ipv6-microsoft.org
hostname         redmond.corp-microsoft.com
hostname         7812.reg0.5267.toor.win10.ipv6-microsoft.org
hostname         7812.reg0.5173.toor.win10.ipv6-microsoft.org
hostname         7812.reg0.5314.toor.win10.ipv6-microsoft.org
hostname         7812.reg0.5361.toor.win10.ipv6-microsoft.org
hostname         7812.reg0.4621.toor.win10.ipv6-microsoft.org
URL              http://redmond.corp-microsoft.com/g/help/index.php
URL              https://services-glbdns2.com/FIGm6uJx0MhjJ2ImOVurJQTs0rRv5Ef2UGoSc
URL              https://hdfilm-seyret.com/help/index.php
URL              https://redmond.corp-microsoft.com/help/index.php
URL              https://secure-telemetry.net/wp-login.php