The infamous and ever-changing Betabot information-stealing Trojan is back again, and has been observed downloading another well-known threat – the Cerber ransomware.
Of course, before doing that, Betabot does its own routine, and slurps all passwords stored in all local browsers.
According to Patrick Belcher, Senior Director of Threat Research at Invincea, Betabot was initially delivered to unsuspecting users via the Neutrino Exploit Kit.
Lately, though, the meticulous crooks behind this scheme have also begun disguising it as a résumé and sending it to victims in broad email campaigns.
If the victim opens it, the weaponized document asks them to enable macros. If they do, the macro triggers the download of the Betabot malware. Betabot first checks whether the target system is a virtual machine or sandbox, and if it is not, it starts stealing the passwords.
Once it finishes, it simply downloads a Cerber variant from the same server, and lets it loose on the system.
Ransomware by itself is a headache, but in combination with other threats it is a migraine. Luckily, such combinations are uncommon: a fake AV and ransomware double whammy was flagged three years ago, and earlier this month a ransomware/RAT combo was spotted searching for solvent Russian businesses.
“This marks the first time that a weaponized document with password stealing malware has called ransomware as a second stage attack. This is an evolution in maximizing the profits from an endpoint compromise, earning much larger payout by using multiple attack techniques,” Belcher noted.
Invincea has shared indicators of compromise, but warns that both hashes and filenames are expected to change frequently, so their usefulness is limited.
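The point about short-lived hashes and filenames is easiest to see side by side with a behaviour-based check over the chain the article describes (macro-enabled document, download by an Office child process, browser credential store access, then a second stage that touches many files). The following is an added example written for this page; it is not code from Invincea or from the article, and it uses no real indicators. The event schema, the placeholder hash and filename IoCs, the credential-store filenames and the rename threshold are all assumptions made for the illustration; the endpoint events are constructed inline.

```python
"""Hash/filename IoC matching versus behaviour-based detection (added example).

Nothing here is a real Betabot or Cerber indicator: hashes are labelled
placeholders and the events are constructed to mirror the chain described
in the article (Office document -> macro download -> credential access ->
second stage touching many files).
"""
from dataclasses import dataclass
from typing import Dict, List, Set

@dataclass
class Event:
    host: str
    seq: int            # ordering of the event within its host
    kind: str           # "doc_open" | "process" | "net" | "file_read" | "file_rename"
    process: str        # image name of the acting process (or created process for "process")
    parent: str = ""    # for "process": image name of the process that created it
    sha256: str = ""    # for "process": hash of the created image (placeholders only)
    detail: str = ""    # document name, remote host, file touched, etc.

# Assumed names of Office hosts and browser credential stores (hypothetical choices).
OFFICE_APPS = {"winword.exe", "excel.exe"}
CRED_STORES = {"Login Data", "logins.json"}

# Hypothetical IoC feed as it might look the day it is published: one hash, one filename.
IOC_HASHES = {"PLACEHOLDER_SHA256_FIRST_CAMPAIGN"}
IOC_NAMES = {"resume.doc"}

def ioc_hits(events: List[Event]) -> Set[str]:
    """Hosts where an event matches a published hash or filename exactly."""
    return {e.host for e in events if e.sha256 in IOC_HASHES or e.detail in IOC_NAMES}

def behaviour_hits(events: List[Event]) -> Dict[str, List[str]]:
    """Hosts where descendants of an Office process show the described chain."""
    by_host: Dict[str, List[Event]] = {}
    for e in events:
        by_host.setdefault(e.host, []).append(e)
    findings: Dict[str, List[str]] = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.seq)
        # Any process created by an Office app, or by something already tainted, is tainted.
        tainted: Set[str] = set()
        for e in evs:
            if e.kind == "process" and (e.parent in OFFICE_APPS or e.parent in tainted):
                tainted.add(e.process)
        stages = []
        if any(e.kind == "net" and e.process in tainted for e in evs):
            stages.append("download_by_office_child")
        if any(e.kind == "file_read" and e.process in tainted and e.detail in CRED_STORES for e in evs):
            stages.append("browser_credential_access")
        renames = sum(1 for e in evs if e.kind == "file_rename" and e.process in tainted)
        if renames >= 5:  # assumed threshold for "touches many user files"
            stages.append("mass_rename_by_office_descendant")
        if stages:
            findings[host] = stages
    return findings

def build_sample_events() -> List[Event]:
    """Constructed telemetry: ws-01 matches the feed, ws-02 is the same chain with a
    new filename and hash, ws-03 is a user simply reading a document."""
    evs: List[Event] = []
    for host, doc, h in (("ws-01", "resume.doc", "PLACEHOLDER_SHA256_FIRST_CAMPAIGN"),
                         ("ws-02", "cv_2016.doc", "PLACEHOLDER_SHA256_RECYCLED")):
        evs += [
            Event(host, 1, "doc_open", "winword.exe", detail=doc),
            Event(host, 2, "process", "stage1.exe", parent="winword.exe", sha256=h),
            Event(host, 3, "net", "stage1.exe", detail="example.invalid"),
            Event(host, 4, "file_read", "stage1.exe", detail="Login Data"),
            Event(host, 5, "process", "stage2.exe", parent="stage1.exe", sha256="PLACEHOLDER_SHA256_STAGE2"),
        ]
        evs += [Event(host, 6 + i, "file_rename", "stage2.exe", detail=f"doc{i}.xlsx") for i in range(8)]
    evs += [Event("ws-03", 1, "doc_open", "winword.exe", detail="minutes.docx"),
            Event("ws-03", 2, "net", "winword.exe", detail="updates.example.invalid")]
    return evs

SAMPLE_EVENTS = build_sample_events()

if __name__ == "__main__":
    print("IoC matches:      ", sorted(ioc_hits(SAMPLE_EVENTS)))
    print("behaviour matches:", behaviour_hits(SAMPLE_EVENTS))
```

Running it shows the exact-match feed catching only the host that opened the originally named document, while the behavioural rule fires on both infected hosts and stays quiet on the host where Word itself made a network connection without spawning anything. The rule keys on the relationship between events (Office parent, network activity and credential-store reads by its descendants) rather than on values an attacker can change by recompiling or renaming.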