Betabot Adds Nasty Ransomware Prong to Bag of Tricks

A new variant of the Betabot malware has made the scene, just in time to capitalize on the current craze of using weaponized documents for distribution. In its latest form, it has added ransomware capabilities to its already formidable list of the bad things it can do.

“Betabot has been around for years in multiple forms as a banking, information-stealing Trojan, a password-stealing Trojan and as a botnet,” explained researchers at Invincea, in an analysis. “Despite being an old-school exploit, Betabot is breaking new ground. It is now the first known weaponized document with password-stealing malware that has also called ransomware as a second stage attack.”

First, Betabot scrapes all passwords stored in all local browsers from the victim’s machine. These could include passwords for social media, online email accounts, entertainment streaming accounts like Hulu or Netflix, work-related passwords to enterprise resources like the intranet, timekeeping, payroll, proxies or VPNs and more. Then it launches the next wave of maliciousness.

“Once the passwords are stolen, the Betabot has no further use for the endpoint,” the researchers said. “So in an effort to make more cash than the $185 the passwords may fetch, it downloads and runs the Cerber ransomware.”

The researchers said that Betabot is aware of virtual machines and some sandboxes, a technique it uses to evade detection and analysis. A shift in tactics in just the last week or so has it moving from being delivered using the Neutrino Exploit Kit to being delivered via email.

Weaponized document attachments are sent in broad email campaigns to infect thousands of victims. The weaponized documents arrive in a victim’s inbox posing as resumés, asking the victim to enable macros. Once those macros are enabled, the malware enumerates the local system to ensure it is not in a VM or sandbox.

“This is an evolution in maximizing the profits from an endpoint compromise, earning much larger payout by using multiple attack techniques,” the researchers said.

As for mitigation, being vigilant about social engineering attempts and protecting the endpoint with antivirus software should be critical first defenses.
