{
	"id": "c5072fbc-c32a-4c9e-960b-5ac508727256",
	"created_at": "2026-04-06T00:06:37.873723Z",
	"updated_at": "2026-04-10T13:13:09.969456Z",
	"deleted_at": null,
	"sha1_hash": "da1e5681af930382696e3ae9450227a893be438d",
	"title": "Endpoint Protection - Symantec Enterprise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 421321,
	"plain_text": "Endpoint Protection - Symantec Enterprise\r\nArchived: 2026-04-05 13:50:12 UTC\r\nIn December 2015, employees from several Russian banks were targeted with spoofed emails, a common\r\ntechnique in attack campaigns. The emails were made to look like they were from the Central Bank of Russia and\r\noffered employment to their recipients. Instead of being an actual employment offer, the emails were an attempt to\r\ndeliver Trojan.Ratopak onto the target’s computer.\r\nTrojan.Ratopak was likely used because it can allow the attacker to gain control of the compromised computer and\r\nsteal information. The threat can open a back door on the computer and allow the attacker to perform a variety of\r\nactions, including logging keystrokes, retrieving clipboard data, and viewing and controlling the screen. It can also\r\nbe used to download other malicious files and tools. The narrow focus of the attacks and the use of Ratopak could\r\nbe a hint to what the attackers were after.\r\nLegitimate-looking emails\r\nThe attackers went to some effort to make the emails appear legitimate, even going as far as to register a domain\r\nvery similar to the genuine Central Bank of Russia website. The URL for the Central Bank of Russia website is\r\n“cbr.ru”, while the URL for the attacker-controlled website is “cbr.com.ru”. The link to the attacker’s site was\r\nincluded in the email sent to their victims and pointed to an archive file. Once extracted, the archive file opened a\r\nfake document and downloaded Trojan.Ratopak. We have seen Ratopak signed with stolen certificates, which can\r\nbe used to avoid detection because it makes the malware appear to come from a legitimate source. We’ve\r\npreviously seen stolen certificates used by attack groups including Black Vine and Hidden Lynx.\r\nThe emails sent out for this campaign appear to have been written by a native Russian speaker, using clean and\r\nsimple language. 
This is also backed up by the fact that the attackers would need to speak Russian to make use of\r\nhttps://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=8e498912-44f8-4ea0-ac50-\r\n4544f0fedd6c\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments\r\nPage 1 of 6\n\nthe information stolen through Ratopak. There are no obvious errors, except for one. The name in the “From:” line\r\nof the email header differs from the signature at the end of the email. This and the “.com” in the URL are the\r\nclearest indicators that this is a fake email.\r\nFigure. Spoofed employment offer email (in Russian) with a link to Trojan.Ratopak and translation\r\nA similar email attack that also utilized Trojan.Ratopak occurred in October. We discovered that the attackers used\r\nanother domain similar to a legitimate one to host the threat, but were not able to obtain a copy of the email. The\r\nattackers used the name of a private bank and the URL again included “.com.ru” instead of “.ru”. Given the attack\r\nin December, it is very likely that the attackers spoofed their email so it appeared to come from the private bank,\r\nand then used a link or attachment from the fake banking website to download the threat onto the victim’s\r\ncomputer.\r\nNarrow, targeted attacks\r\nSymantec has identified six Russian banks that were targeted in these attacks. All of the affected computers are\r\nlocated in Russia. Of those computers, a substantial number used accounting and document management software\r\nthat allowed secure documents to be exchanged with the government for tax purposes. A common link between\r\nseveral of the victims was a piece of software created by SBIS, a Russian company that develops, among other\r\nthings, accounting and payroll applications. In URLs used by SBIS, their accounting software is referred to as\r\n“buh” (buh.sbis.ru/buh/ for example. 
“Buh” is the Russian term for accountant). The attackers behind these attacks\r\nused “buh” in their URLs, knowing their victims would be running SBIS accounting software. By using this string\r\nin their URLs, the attackers can disguise their attack by making their activities look like normal traffic. This\r\napproach has led other researchers to label Trojan.Ratopak as “Buhtrap”.\r\nCompromised computers may connect to the following domains; note the use of “buh” in several of them:\r\ngoogle997.com\r\nmicrosoft775.com\r\nnewsbuh1c.net\r\nbuh.klerk.us\r\nbuhnews.com\r\nfootball.championat.biz\r\nforum.ru-tracker.net\r\nicq.chatovod.info\r\nrss.sport-express.biz\r\nThe threat also checks the language of the compromised computer. If it isn’t Russian or Ukrainian, then the\r\nmalware stops its attack. Ratopak may also terminate and delete itself if it recognizes that it is being run on a\r\nvirtual machine or a researcher’s computer.\r\nThe attackers’ goal\r\nWhile there is no conclusive evidence of the attacker’s goal, the attacks appear to be financially motivated. The\r\nspecificity of the targets, employees at certain banks using accounting software to send the government tax\r\ninformation, certainly points towards this goal. By using Ratopak, which can open a backdoor and log keystrokes,\r\nthe attackers could position themselves to steal money, either by controlling the compromised computer or using\r\nthe employees’ stolen login credentials. 
Any goal beyond that, including what the attackers may have wanted with\r\ngovernment tax information, is currently unknown.\r\nConclusion\r\nTargeted emails using finely crafted social-engineering tricks have become commonplace, with an increasing\r\nnumber targeted at employees of financial institutions. While these emails sent to Russian bank employees appear\r\nto contain job offers, they only help give attackers access to the targeted computers. Users can avoid these attacks\r\nand others like them by being aware and taking the appropriate action if offered a job or service that they didn’t\r\napply for.\r\nMitigation\r\nSymantec advises caution when receiving unsolicited emails extending job offers or referencing non-existent job\r\napplications. Even if an email seems legitimate, the attackers may have gone to serious effort to disguise the fact\r\nthat it is actually fake. We also advise following these best practices:\r\nDo not open attachments or click on links in unsolicited email messages\r\nEnsure that your computer is fully patched and up to date\r\nKeep security software up to date with the latest definitions\r\nProtection\r\nSymantec's Email Security products can be used to defend against email-based attacks.\r\nNorton Security, Symantec Endpoint Protection, and other Symantec security products protect users against these\r\nattacks with the following detections:\r\nAntivirus\r\nTrojan.Ratopak\r\nIntrusion prevention system\r\nSystem Infected: Trojan.Ratopak Activity\r\nTechnical details\r\nTrojan.Ratopak is delivered in a convoluted way and is a collection of several components installed in three\r\nstages.\r\nStage 1: Email\r\nThe path to Trojan.Ratopak begins with an email (Figure 1) that is 
sent to the victims. This email contains a link to\r\na file on the cbr.com.ru website. If the victim clicks on the link, a malicious file with downloader capabilities is\r\ndownloaded. This file has the following hash:\r\nbbac2e213bb8bafae6c6587a5bf477d3\r\nStage 2: Downloader\r\nThe downloaded file from stage 1 is a Nullsoft installer that contains obfuscated Nullsoft script.\r\nThe following decoy file is extracted from the Nullsoft installer and then opened with ShellExecute:\r\n%Temp%\\vacanciya.doc\r\nThe malware then checks the default language ID using the following API:\r\nGetSystemDefaultLangID\r\nIf the language is not Russian or Ukrainian, the malware will exit and delete itself.\r\nIt checks for the following processes to determine if it is running on a virtual machine or a researcher's computer:\r\nwireshark.exe\r\nregmon.exe\r\nfilemon.exe\r\nprocmon.exe\r\nvboxservice.exe\r\nvmtoolsd.exe\r\nollydbg.exe\r\nwindbg.exe\r\nsyserapp.exe\r\nx96_dbg.exe\r\nx32_dbg.exe\r\nx64_dbg.exe\r\nIf it finds any of these processes, the threat will exit and delete itself.\r\nIt checks for the following .dll files to determine if it is running on a sandbox:\r\ndbghelp.dll\r\npstorec.dll\r\nvmcheck.dll\r\nIf it finds any of these .dll files, the threat will exit and delete itself.\r\nAfter the threat passes these checks, it downloads a file from the following HTTP URL:\r\n[REDACTED]7.com/kliko/res1.cab\r\nStage 3: Trojan.Ratopak\r\nThis downloaded file from stage 2 has the following hash and is Trojan.Ratopak:\r\nf4ae5579930f20ccc41d1f8b1e417e87\r\nRatopak arrives as a Nullsoft installer containing both clean files and malicious components. Ratopak uses clean\r\napplications to launch itself. 
This technique is referred to as side-loading and has also been seen with\r\nBackdoor.Korplug.\r\nThe threat checks for the language ID with the following API:\r\nGetSystemDefaultLangID\r\nIf the language is not Russian, it will exit and delete itself.\r\nThe Trojan drops the following file, which is a .7z password-protected archive:\r\n%Temp%\\install.dat\r\nThe password for install.dat is 9041bU7n4R and it contains clean and malicious files. The clean files (Guide.exe\r\nand Videoconverter.exe) are executed first and then the malicious files are loaded through the side-loading\r\ntechnique.\r\nThe Trojan may then try to connect to one of the following domains to receive instructions:\r\ngoogle997.com\r\nmicrosoft775.com\r\nnewsbuh1c.net\r\nSymantec has also detected the threat connecting to the following locations:\r\nbuh.klerk.us\r\nbuhnews.com\r\nfootball.championat.biz\r\nforum.ru-tracker.net\r\nicq.chatovod.info\r\nrss.sport-express.biz\r\nSource: https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=8e498912-44f8-4ea0-ac50-4544f0fedd6c\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=8e498912-44f8-4ea0-ac50-4544f0fedd6c\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments"
	],
	"report_names": [
		"viewdocument?DocumentKey=8e498912-44f8-4ea0-ac50-4544f0fedd6c\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments"
	],
	"threat_actors": [
		{
			"id": "01d569b1-f089-4a8f-8396-85078b93da26",
			"created_at": "2023-01-06T13:46:38.411615Z",
			"updated_at": "2026-04-10T02:00:02.963422Z",
			"deleted_at": null,
			"main_name": "BuhTrap",
			"aliases": [],
			"source_name": "MISPGALAXY:BuhTrap",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4b076dcb-516e-42fb-9c8f-f153902cd5e9",
			"created_at": "2022-10-25T16:07:23.708745Z",
			"updated_at": "2026-04-10T02:00:04.720108Z",
			"deleted_at": null,
			"main_name": "Hidden Lynx",
			"aliases": [
				"Aurora Panda",
				"Group 8",
				"Heart Typhoon",
				"Hidden Lynx",
				"Operation SMN"
			],
			"source_name": "ETDA:Hidden Lynx",
			"tools": [
				"AGENT.ABQMR",
				"AGENT.AQUP.DROPPER",
				"AGENT.BMZA",
				"AGENT.GUNZ",
				"BlackCoffee",
				"HiKit",
				"MCRAT.A",
				"Mdmbot.E",
				"Moudoor",
				"Naid",
				"PNGRAT",
				"Trojan.Naid",
				"ZoxPNG",
				"gresim"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3b046db2-f60e-49ae-8e16-0cf82a4be6fb",
			"created_at": "2022-10-25T16:07:23.427162Z",
			"updated_at": "2026-04-10T02:00:04.594113Z",
			"deleted_at": null,
			"main_name": "Buhtrap",
			"aliases": [
				"Buhtrap",
				"Operation TwoBee",
				"Ratopak Spider",
				"UAC-0008"
			],
			"source_name": "ETDA:Buhtrap",
			"tools": [
				"AmmyyRAT",
				"Buhtrap",
				"CottonCastle",
				"FlawedAmmyy",
				"NSIS",
				"Niteris EK",
				"Nullsoft Scriptable Install System",
				"Ratopak"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3fad11c6-4336-4b28-a606-f510eca5452e",
			"created_at": "2022-10-25T16:07:24.346573Z",
			"updated_at": "2026-04-10T02:00:04.948823Z",
			"deleted_at": null,
			"main_name": "Turbine Panda",
			"aliases": [
				"APT 26",
				"Black Vine",
				"Bronze Express",
				"Group 13",
				"JerseyMikes",
				"KungFu Kittens",
				"PinkPanther",
				"Shell Crew",
				"Taffeta Typhoon",
				"Turbine Panda",
				"WebMasters"
			],
			"source_name": "ETDA:Turbine Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"FF-RAT",
				"FormerFirstRAT",
				"Hurix",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mivast",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sakula",
				"Sakula RAT",
				"Sakurel",
				"Sogu",
				"StreamEx",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon",
				"ffrat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "64ca1755-3883-4173-8e0a-6e5cf92faafd",
			"created_at": "2022-10-25T15:50:23.636456Z",
			"updated_at": "2026-04-10T02:00:05.389234Z",
			"deleted_at": null,
			"main_name": "Deep Panda",
			"aliases": [
				"Deep Panda",
				"Shell Crew",
				"KungFu Kittens",
				"PinkPanther",
				"Black Vine"
			],
			"source_name": "MITRE:Deep Panda",
			"tools": [
				"Mivast",
				"StreamEx",
				"Sakula",
				"Tasklist",
				"Derusbi"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a7aefdda-98f1-4790-a32d-14cc99de2d60",
			"created_at": "2023-01-06T13:46:38.281844Z",
			"updated_at": "2026-04-10T02:00:02.909711Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"BRONZE KEYSTONE",
				"G0025",
				"Group 72",
				"G0001",
				"HELIUM",
				"Heart Typhoon",
				"Group 8",
				"AURORA PANDA",
				"Hidden Lynx",
				"Tailgater Team"
			],
			"source_name": "MISPGALAXY:APT17",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "46a151bd-e4c2-46f9-aee9-ee6942b01098",
			"created_at": "2023-01-06T13:46:38.288168Z",
			"updated_at": "2026-04-10T02:00:02.911919Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"DEEP PANDA",
				"Codoso",
				"KungFu Kittens",
				"Group 13",
				"G0009",
				"G0073",
				"Checkered Typhoon",
				"Black Vine",
				"TEMP.Avengers",
				"PinkPanther",
				"Shell Crew",
				"BRONZE FIRESTONE",
				"Sunshop Group"
			],
			"source_name": "MISPGALAXY:APT19",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ee39ecf0-d311-49e5-b0ae-3e3d71f71def",
			"created_at": "2025-08-07T02:03:24.626625Z",
			"updated_at": "2026-04-10T02:00:03.605175Z",
			"deleted_at": null,
			"main_name": "BRONZE KEYSTONE",
			"aliases": [
				"APT17 ",
				"Aurora Panda ",
				"DeputyDog ",
				"Group 72 ",
				"Hidden Lynx ",
				"TG-8153 ",
				"Tailgater Team"
			],
			"source_name": "Secureworks:BRONZE KEYSTONE",
			"tools": [
				"9002",
				"BlackCoffee",
				"DeputyDog",
				"Derusbi",
				"Gh0stHTTPSDropper",
				"HiKit",
				"InternalCMD",
				"PlugX",
				"PoisonIvy",
				"ZxShell"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775433997,
	"ts_updated_at": 1775826789,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/da1e5681af930382696e3ae9450227a893be438d.pdf",
		"text": "https://archive.orkl.eu/da1e5681af930382696e3ae9450227a893be438d.txt",
		"img": "https://archive.orkl.eu/da1e5681af930382696e3ae9450227a893be438d.jpg"
	}
}