Kaspersky Lab experts found malicious code on the portal of a well-known Russian media outlet that leads to infection with the Buhtrap banking Trojan.
Researchers recorded the first wave of attacks at the end of March 2018. Since then, the attackers have updated and improved their arsenal. Previously the malicious script was present only on the main pages of news resources; in the current campaign the entire site was infected. The code is obfuscated and implemented on the server side.
As in the spring, a visitor to the compromised portal is stealthily redirected to a malicious page. However, instead of the old Internet Explorer vulnerability, the cybercriminals now exploit the recently patched CVE-2018-8174. With it, attackers can execute their own code in the context of the active user and obtain the same rights on the device.
As last time, the criminals copied the exploit for this bug from the web and left it almost unchanged. Only the shell script responsible for the initial stage of payload delivery was rewritten.
After successfully penetrating the system, the attackers try to escalate their privileges through another relatively recent bug, CVE-2018-8120. The vulnerability lies in the Win32k component and allows attackers to execute arbitrary code at the kernel level, install third-party software and create full-fledged accounts.
To complicate detection and analysis of the campaign, all stages of infection are again carried out over the secure HTTPS protocol. For this, the criminals obtained free TLS certificates from Let's Encrypt.
Buhtrap is a modular Trojan that can perform various spyware functions and give attackers control over the infected device. The first versions of the malware appeared as early as 2014; at various times it spread through spam mailings and hid under the guise of a legitimate plug-in. Recently, the Buhtrap source code became publicly available on the Internet. Attached to it were detailed instructions, as well as contacts of banking information security experts.