Buhti

Malware updated 5 months ago (2024-05-04T22:17:38.912Z)
Download STIX
Preview STIX
Buhti is a malicious software, or malware, that was first highlighted by Palo Alto Networks Unit 42 in February 2023. It is a Golang ransomware targeting Linux systems. The Buhti ransomware operation was further detailed by Symantec’s Threat Hunter Team in May of the same year. Its payload included variants of not only the leaked LockBit builder but also leaked code from the Babuk ransomware family. The operators behind Buhti, named "Blacktail" by Symantec, demonstrated a high level of competence in carrying out attacks and an ability to exploit newly discovered vulnerabilities. In 2022, the ransomware builder for LockBit 3.0 was leaked online, and two ransomware groups, Bl00dy and Buhti, quickly launched their own campaigns using this builder. The threat actors behind Buhti eschewed their custom payload in favor of leaked LockBit and Babuk ransomware families to strike Windows and Linux systems. This reuse of leaked payloads is often seen as a hallmark of less-skilled ransomware operations, but Blacktail's general competence suggests otherwise. The IBM Aspera Faspex code execution vulnerability (CVE-2022-47986) was exploited by the operators of the "IceFire" and "Buhti" ransomware to deploy malware specifically on the Linux systems of media and entertainment companies, mainly in Turkey, Iran, Pakistan, and the UAE. This bug, patched in December 2022, has been co-opted by cybercriminals in ransomware campaigns associated with Buhti and IceFire since February, shortly after the release of the proof-of-concept (PoC) exploit. Since February, the group has launched multiple attacks based on their latest ransomware campaign labeled Buhti.
Description last updated: 2024-05-04T21:41:04.611Z
What's your take? (Question 1 of 1)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Bl00dy Threat Actor is associated with Buhti. Bl00dy is a threat actor known for its malicious activities in the cyber world. The group, along with another threat actor called Black Basta, have recently been identified as exploiting bugs in ConnectWise ScreenConnect, a popular remote management tool. This exploitation has led to a significant iUnspecified
2
Source Document References
Information about the Buhti Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more