ETDA Electronic Transactions Development Agency

Threat Group Cards: A Threat Actor Encyclopedia

APT group: Buhtrap, Ratopak Spider

Names: Buhtrap (Group-IB)
Ratopak Spider (CrowdStrike)
UAC-0008 (CERT-UA)
Country: Russia
Motivation: Financial crime
First seen: 2015
Description: (Group-IB) Buhtrap has been active since 2014, however their first attacks against financial institutions were only detected in August 2015. Earlier, the group had only focused on targeting banking clients. At the moment, the group is known to target Russian and Ukrainian banks.

From August 2015 to February 2016 Buhtrap managed to conduct 13 successful attacks against Russian banks for a total amount of 1.8 billion rubles ($25.7 mln). The number of successful attacks against Ukrainian banks has not been identified.

Buhtrap is the first hacker group using a network worm to infect the overall bank infrastructure that significantly increases the difficulty of removing all malicious functions from the network. As a result, banks have to shut down the whole infrastructure which provokes delay in servicing customers and additional losses.

Malicious programs intentionally scan for machines with an automated Bank-Customer system of the Central Bank of Russia (further referred to as BCS CBR). We have not identified incidents of attacks involving online money transfer systems, ATM machines or payment gates which are known to be of interest for other criminal groups.

Buhtrap has some infrastructure overlap with TA505, Graceful Spider, Gold Evergreen.
Observed: Sectors: Financial, Government.
Countries: Russia, Ukraine.
Tools used: Buhtrap, FlawedAmmyy, Niteris EK, NSIS.
Operations performed:
2014: On October 20, 2014 we notified Group-IB Bot-Trek Intelligence subscribers about phishing emails which were sent from the [email protected] address with the subject “Invoice No 522375-ФЛОРЛ-14-115” (pic. 1). The domain name was also registered on October 20, 2014.
Oct 2015: We noticed in late October that users visiting the Ammyy website to download the free version of its remote administrator software were being served a bundle containing not only the legitimate Remote Desktop Software Ammyy Admin, but also an NSIS (Nullsoft Scriptable Installation Software) installer ultimately intended to install the tools used by the Buhtrap gang to spy on and control their victims’ computers.
Dec 2015: In December 2015, employees from several Russian banks were targeted with spoofed emails, a common technique in attack campaigns. The emails were made to look like they were from the Central Bank of Russia and offered employment to their recipients. Instead of being an actual employment offer, the emails were an attempt to deliver Trojan.Ratopak onto the target’s computer.
Sep 2016: Breach of the Russian boxing site allboxing[.]ru
2017: Operation “TwoBee”
Buhtrap resurfaced in the beginning of 2017 in the TwoBee campaign, where it served primarily as a means of malware delivery. In March of last year, it hit the news (literally), spreading through several compromised major news outlets in whose main pages malicious actors implanted scripts. These scripts executed an exploit for Internet Explorer in visitors’ browsers.
Jun 2019: Throughout our tracking, we’ve seen this group deploy its main backdoor as well as other tools against various victims, but June 2019 was the first time we saw the Buhtrap group use a zero-day exploit as part of a campaign. In that case, we observed Buhtrap using a local privilege escalation exploit, CVE-2019-1132, against one of its victims.

Last change to this card: 08 April 2022
