Betabot, the malware long known to security experts and victims as a banking Trojan, now delivers the Cerber ransomware payload.
Betabot and Cerber Now Go Hand in Hand
Betabot is one of the most well-known banking Trojans. It steals banking credentials and enrolls the infected machine in a botnet. The newest iteration of Betabot has been found to deliver ransomware, namely the Cerber variant. This combination is the first known malware that both steals passwords and delivers ransomware as a second-stage attack.
The Betabot Trojan has features that set it apart from other threats and make it effective at infecting computer systems. Its developers built in virtual machine and sandbox detection, which allows the Trojan to evade detection by some anti-virus solutions. Last week the newest iteration of Betabot was delivered by the Neutrino Exploit Kit.
Betabot spreads through infected document attachments in spam email campaigns. The messages are counterfeit resumes that use social engineering to lure the victims into enabling macros. Upon execution, Betabot checks the local computer to ensure that it is not a virtual machine or a sandbox instance. All passwords stored in the local browsers are then sent to the attackers. Betabot can also harvest credentials from other applications, such as email clients and business software, which are likewise sent to the remote C&C server.
Once the Trojan has completed the first-stage attack, it downloads the Cerber ransomware payload. According to security researchers, this is the first time such a high-damage combination has been executed against targets. The developers of the Trojan clearly want to maximize their profits: first by stealing all stored account credentials, then by extorting the victims with the ransomware payload. A single IP address has been identified as delivering the attacks, and the new iteration of Betabot began operating on August 16 of this year.
Betabot is distributed through the Neutrino Exploit Kit, one of many malicious tools used by computer criminals. Exploit kits are modular software packages containing various exploits and payloads, such as Trojans and ransomware, that take advantage of vulnerabilities found on target machines and networks. They are built to run in an automated fashion and are one of the major tools in a hacker’s arsenal.
It will not surprise anyone if other Betabot payloads are distributed over the coming weeks under different disguises. Betabot can be a formidable enemy to every business, as every company handles a large volume of documents such as invoices and reservations. If the criminals inject the malware code and distribute it through campaigns or other means to a large number of targets, we may very well see the next big ransomware attack. The fact that this Trojan also steals account credentials makes it an even bigger danger.
Fortunately, the malicious code is executed only when the user activates the macro, so security policies must be followed. Do not open any untrusted files unless they are scanned by updated anti-virus software.
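As an added illustration of the check that policy implies (this is not code from the original article): a small Python function that inspects an incoming Word attachment for an embedded VBA project before it reaches a user, using only the standard library. The sample packages are constructed inline for the demonstration and contain no real macro code.

```python
import io
import zipfile

# Content type that Office declares for the VBA project part of an OOXML package.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def has_vba_macros(data: bytes) -> bool:
    """Return True if an OOXML package (docx/docm/xlsm/...) embeds a VBA project.

    Two independent signals are checked: a part named vbaProject.bin anywhere in
    the archive, and the VBA content type declared in [Content_Types].xml.
    Legacy binary .doc files are OLE containers, not zips, and are not handled here.
    """
    if not data.startswith(b"PK"):
        raise ValueError("not an OOXML package (legacy OLE .doc needs oletools' olevba)")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return True
        if "[Content_Types].xml" in names:
            types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if VBA_CONTENT_TYPE in types_xml:
                return True
    return False


def build_sample(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML-style package, optionally with a VBA part."""
    overrides = ['<Override PartName="/word/document.xml" ContentType="text/xml"/>']
    if with_macro:
        overrides.append(
            '<Override PartName="/word/vbaProject.bin" ContentType="%s"/>' % VBA_CONTENT_TYPE
        )
    parts = {
        "[Content_Types].xml": "<Types>%s</Types>" % "".join(overrides),
        "word/document.xml": "<w:document/>",
    }
    if with_macro:
        # Constructed placeholder bytes, not a real VBA project stream.
        parts["word/vbaProject.bin"] = "\x00placeholder\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("plain resume", build_sample(False)), ("macro resume", build_sample(True))):
        print(f"{label}: macros={'yes' if has_vba_macros(blob) else 'no'}")
```

A mail gateway or endpoint script would call has_vba_macros on each Office attachment and quarantine anything that returns True rather than relying on the user to leave macros disabled.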