As already mentioned in a previous article (which you will find here), Microsoft's Patch Tuesday for July 2019 fixes 77 vulnerabilities, including some very dangerous ones. The first, CVE-2019-1132, affects the Win32k component and could theoretically be used to run code. The second, CVE-2019-0880, affects Windows 7 and Server 2008; in practice it concerns the way splwow64 handles certain calls. ESET's specialists say that the zero-day Windows vulnerability CVE-2019-1132 gave a group named Buhtrap the opportunity to carry out an attack targeting a governmental organization in Eastern Europe.
It was the first time that Buhtrap had used a zero-day vulnerability in an attack, but it was not the first time the group had appeared. Since 2015 it has successfully carried out 13 attacks against financial institutions, stealing more than 1.8 billion RUB (about 27.4 million dollars). According to ESET, the group's name combines the words Buhgalter (meaning accountant in Russian) and the English word trap. Its attacks have so far taken place in Russia and Ukraine, like those of the Anunak / Carbanak group.
ESET reported the attack directly to Microsoft; the exploit was based on a popup menu. The attackers used a document to deliver a backdoor that is able to steal information and data through a module called "grabber". The grabber is a stand-alone password-stealing tool: once it has collected the passwords it wants, it immediately sends them to the preconfigured servers.
The second module is more in line with what is expected from Buhtrap: an NSIS installer containing a legitimate application that is abused to load Buhtrap's main backdoor. The legitimate application abused in this case is AVZ, a free antivirus.
We are still not in a position to know why this particular group operated in this way, but it is very likely that it will appear again in time.