Security News Betabot Trojan Steals Your Passwords and Then Installs Ransomware

Exterminator

Betabot, a trojan usually used to dump and steal passwords from infected computers, has been seen recently installing ransomware as a second-stage payload.

The crooks behind this new wave of attacks have modified Betabot and added an extra step in an attempt to monetize their malware further.

According to a report from Invincea, this modification appeared when Betabot also changed its distribution method.

Before this, Betabot infected victims via exploit kits (EK), with a recent campaign leveraging the Neutrino EK.

Towards the end of July, Betabot's crew started leaning on spam campaigns to deliver their trojan. These spam emails contained a file attachment, a Word file modified to contain malicious macro scripts.

If the user activated macro support in Microsoft Office, the scripts would download and install Betabot. The trojan worked as usual by dumping passwords from a series of applications such as browsers and email clients and sending them to a command and control server.

What Invincea and other researchers saw differently from past EK-delivered Betabot versions was that this new variant also downloaded the Cerber ransomware after it stole the passwords.

The crooks were encrypting data on infected PCs after stealing what they were initially after.

"This marks the first time that a weaponized document with password stealing malware has called ransomware as a second stage attack," Pat Belcher of Invincea explains. "This is an evolution in maximizing the profits from an endpoint compromise, earning much larger payout by using multiple attack techniques."
 
