ESET Research announced two days ago, that they have discovered the existence of a malware campaign focused on targeting Russian Business. ESET Research is a anti-malware software vendor located in Slovakia.
According to ESET Research “Late in 2004, we noticed and started to track an undocumented malicious campaign targeting Russian businesses, and that has been active for well over a year. The malware used in this campaign is a mix of off-the-shelf tools, NSIS-packed malware and bespoke spyware that abuses Yandex’s Punto software, a program for Russian users which silently and automatically changes the keyboard language depending on what the user is typing. Once the cybercriminals have compromised a computer, they use custom tools to analyze its content, install a backdoor and finally deploy a malicious module that spies on the system and can enumerate smart cards.
The campaign targets a wide range of Russian banks, used several different code signing certificates and implements evasive methods to avoid detection. As explained later, we believe this campaign is financially-motivated and that it targets accounting departments in Russian businesses. Operation Buhtrap is a mix of two words: “Buhgalter” and “trap”. “Buhgalter” means “accountant” in Russian.”
The attack vector consists of Microsoft Word documents sent as email attachments that exploit CVE-2012-0158, a vulnerability in Microsoft Word that was patched three years ago.