In our recent blog post, we talked about the delivery of Buhtrap through a compromised website and a recent web exploit. In this post, we will focus on the second-stage payload and the current state of the Buhtrap operation.
The Buhtrap downloader performs checks before it infects a system. First, the system must have banking processes or banking software running, mostly Russian. Alternatively, the system must show indications of visiting any of the Russian banks defined in its list.