Betabot Trojan’s Twin Activity Involves Stealing Passwords, Installing Ransomware

A banking Trojan of the conventional type is now in a new incarnation that first captures passwords following which it installs a ransomware. In 2013, Federal Bureau of Investigation had cautioned about this Trojan known as Betabot that at best works through a botnet to destabilize anti-malware programs as well as get past sandboxes and virtual machines when it tries to steal the victimized user's passwords. Nevertheless, according to researchers at security firm Invincea, Betabot proliferates through manipulated files during when it seizes passwords from the victim's browser and subsequently plants the notorious Cerber ransom software.

Earlier, Betabot used exploit kits to infect victims as evident from one recent attack in which it utilized the Neutrino Exploit Kit. As July-end approached, Betabot controllers began using spam campaigns more often for serving their ware. Inside their spam mails, they attached one Word file that carried harmful macro scripts. Softpedia.com posted this online dated September 1, 2016.

Invincea's top threat research director Patrick Belcher states that Betabot's latest infection has spread to thousands of end-users. According to him, this behavior of Betabot is unprecedented i.e. executing certain phishing attack of the identical kind that Cerber ran. The perpetrators in their latest campaign do not just utilize Cerber; but they first plant Betabot and from there proceed to Cerber's installation.

The ransom software Cerber follows the model of ransomware-as-a-service that enables unskilled criminals handle it with ease. As per Check Point's recent data, partner controllers of Cerber exploited their victims to earn about $195,000 during July this year. Moreover annually, they net approximately $946K a rather high amount with respect to ransomware activities, Check Point indicates.

Importantly, Betabot gets downloaded and planted in case potentially victimized end-users enable their macro scripts within Microsoft Office. Thereafter, the Trojan leaks passwords related to e-mail clients and web-browsers that it then uploads onto its command-and-control (C&C) server.

In the end, the most optimum way to safeguard from the Betabot-Cerber attack scheme in addition to be dexterously aware of phishing operations is for users turning off their macros completely as well as not storing passwords like in browser caches.

» SPAMfighter News - 9/7/2016