In our recent blog, we talked about the delivery of Buhtrap by using compromised website and a recent web exploit. On this blog, we will focus on the second stage payload and the state of Buhtrap operation.

The Buhtrap downloader employs checks before it will infect a system. First, the system must have banking processes or banking software running, mostly Russian. Or the system must have an indication that it is visiting any Russian banks defined on its list.

If the system meets any of the 2 requirements above, it will download and execute the next stage malicious payload, otherwise, it will download a benign sample.

Technical Analysis of Second Stage Payload


The 2nd stage payload is an NSIS compiled sample as seen on previous Buhtrap samples. This is one way Buhtrap is trying to evade AV detection by disguising as an installer. NSIS is an open source software widely used in installers. Recently, we are seeing a trend where ransomware are adapting this method as the case with Locky and Cerber.

The sample is also digitally signed with a valid digital certificate and also contains file properties and versions.




Inside the NSIS package is a 7zip password protected archive. This is where all its components are stored. With this, a command line 7zip tool is also included in the package to unzip the component files. The password is hardcoded on the NSIS script and the password is different from other Buhtrap samples we have seen. For this sample, the password is “p2DP9ENv5bK”. It also modifies the timestamp of the file using a custom file utility FileTouch.exe which is basically similar to the touch utility in Linux

Below are snippets of the NSIS script that we extracted:




We executed the file on our box but we found that it did not do anything. Inspecting the NSIS script reveals that it is checking if the system language is Russian via GetSystemDefaultLangID.




We hooked this API and forced the malware to think we are in a Russian system.



After-which, the following commands and processes were monitored:

attrib  -h -s -r “C:\Users\Administrator\AppData\Roaming\Microsoft\Zerno”

7za.exe  x -p2DP9ENv5bK install.dat dev2055.tmp -aoa

7za.exe  x -p2DP9ENv5bK dev2055.tmp -aoa -o8992023.tmp

7za.exe  x -p2DP9ENv5bK install.dat FileTouch.exe -aoa



As shown above, the malware components are extracted into  “%AppData%\Microsoft\Zerno”. Then zerno.exe was executed. The Zerno folder has the following files:


From these files, only the files zerno.exe and msvcr71.dll are malicious. The other files are benign files which are part of Notepad++ software. This is an attempt to obscure its malicious behavior as it tries to pretend to be a legitimate Notepad++ installer.

For persistence, it creates a shortcut link in the start-up folder that will launch zerno.exe at every startup.



What Does this Malware Do?

The main executable is zerno.exe and interestingly its only job is to launch the msvcr71.dll library which performs all the malicious behavior.


This is where all the malicious routines are compiled. This is a trojan-spyware which has the following functions:

  • Keylogger
  • Get System Info
  • Read Smart Card Info
  • Downloader


The keylogger thread creates an invisible window procedure and retrieves and handles the messages. It logs this information into “uninstall.log” located in %temp% folder. 


The following snapshot illustrates how it implemented the keylogger routine.




Smart Card Reader

One of its interesting payloads is to read smart card information. It lists available smart card readers and their status by using “WinSCard.dll” APIs:




It does not actually read what is in the smart card only determine their status. It logs all these information in “uninstall.log”



It is also capable of downloading additional malware from its CnC server. Another interesting feature of this malware is that it is capable of diskless loading by checking on the response from the server. The first 2 bytes are checked, If the downloaded file starts with ‘MZ’ (0x5A4D), it writes the file into %temp% folder and executes it. If the response starts with “LD” (0x444c), it will only load the malware into the memory.




Diskless Loading



CnC server

It communicates with its CnC server “” via HTTP Post. All communication we observed is encrypted.



State of Buhtrap Operation


As stated in our previous blog, the IP of is We looked into the domain history of this IP and found some interesting information about the current state of Buhtrap.


Domain Last Resolved 5/10/2016 5/13/2016 5/14/2016 5/22/2016 6/7/2016 7/2/2016 7/2/2016 7/11/2016 7/28/2016 8/9/2016 8/17/2016 9/14/2016 9/28/2016


From the history of the domains, it appears they have used this IP from May to September, 2016. But it’s very possible that they are still using the same IP for their operation. If we look into the details of each domain, we can find presence of multiple samples, although with different behavior, but appears related to Buhtrap operation. For instance, 5 samples that were downloaded from differ in behavior from the sample we described in this blog. Those samples are detected by Kaspersky as “Trojan.Win32.Karamanak”, which is also their detection for the sample in this blog.

As seen on the domains, they are also using domain names related to Chrome, Adobe or popular graphics software as a way to stay low.

Using this domain the actors started using CVE-2016-0189 as their method of infection. In fact, they used the same binary exploits found in the github repository of offensive security. The following are the files downloaded in this domain:




A similar NSIS compiled payload was downloaded on this domain.



Also, the following files appearing as installers connects to this domain

Md5 Filename signer
2530a11c4fa57fd3f9cdc30c8fd40878 Shockwave_setup.exe LLC LVIV IT!
ead9344c8022e0479ebe272472d6197a chrome_update_win.exe Bit-Trejd
fda920b3d72728f6a89672e07a900c70 chrome_update.exe LLC LVIV IT!
e5f01322da2b6cda707a8135c7320b79 shockwave_setup_winax.exe Bit-Trejd


The samples we have seen from are the same samples we found on




It appears based on this research that the actors are using patterns in their attack and they are as follows:

  • Using digitally signed malware
  • Using NSIS and hiding their components in a password protected archive
  • Using domains that are similar to popular softwares, eg. adobe, chrome
  • Constantly changing their CnC domain but using the same IP


It is also evident that the actors are still very active. They are clever enough not to infect systems that are not their target which allows them to stay under the radar for as long as possible. These Tactics Techniques and Procedures are the hallmark of Advanced Persistent Threats groups.


Analysis by Dhruval Gandhi & Paul Kimayong.