In my previous blog about password-stealing malware, we discussed how Pony malware steals passwords and is as big and rampant across the internet as any single ransomware family. Now along comes Betabot to capitalize on the current craze of using weaponized documents for distribution. Betabot has been around for years in multiple forms: as a banking-information-stealing Trojan, as a password-stealing Trojan, and as a botnet. Despite being an old-school threat, Betabot is breaking new ground. It is now the first known weaponized document carrying password-stealing malware that also calls ransomware as a second-stage attack.
Background and Analysis
Betabot checks for virtual machines and some sandboxes as a technique to evade detection and analysis. As recently as last week, Betabot was delivered by the Neutrino Exploit Kit.
Figure 1: @BroadAnalysis Tweet showing Betabot dropped by Neutrino EK on July 20
Just days later, Invincea began to see Betabot use weaponized document attachments in broad email campaigns to infect thousands of victims. The weaponized documents arrive in a victim’s inbox posing as resumes, asking the victim to enable macros. Once those macros are enabled, the malware enumerates the local system to ensure it is not in a VM or sandbox, and then scrapes all passwords stored in all local browsers. An online sandbox analysis of a recent Betabot weaponized document attack can be viewed at Malwr.
The screenshot below shows the Invincea forensics logs of the Betabot attack.
Figure 2: Invincea logs showing weaponized resume and dropped Betabot Binaries
Once the passwords are stolen, Betabot has no further use for the endpoint. So, in an effort to make more cash than the roughly $185 the passwords may fetch, it downloads and runs the Cerber ransomware, according to several malware researchers.
Figure 3: Malware researcher @CyberScimitar showing Betabot also downloading Cerber ransomware
The IP used for both Betabot and Cerber is 93[.]174.91.49. A VirusTotal report on this IP provides additional details here. The screenshot below highlights the multiple filenames used, with Betabot in yellow and Cerber in blue.
Figure 4: Server IP used to download both Betabot and Cerber malware
By searching for the attachment name resume.doc in the Invincea Management Server, we can see where these weaponized documents switched from delivering Cerber to Betabot. Betabot weaponized documents have been observed to deliver bb.exe (bb denoting Betabot), bbcrypt.exe, and diablo.exe.
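As an added illustration of how the chain described above (macro-enabled resume.doc lure, Betabot binary dropped by Word, second stage fetched from the same server) could be surfaced in endpoint telemetry, the following Python correlates constructed process-creation and network events against the indicators the post quotes. This is example code written for this page, not Invincea's product, its log format, or its rules: the pipe-delimited line format, the field names and every sample line are assumptions; only the indicators (resume.doc, bb.exe, bbcrypt.exe, diablo.exe, and the shared download server 93[.]174.91.49) come from the post.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Indicators quoted in the post. The IP appears defanged there; it is
# re-fanged here only so it can be compared against log data.
BETABOT_NAMES = {"bb.exe", "bbcrypt.exe", "diablo.exe"}
SHARED_SERVER = "93[.]174.91.49".replace("[.]", ".")
LURE_NAME = "resume.doc"
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed sample telemetry (assumed format): ts|kind|parent|image|detail
# kind is "process" (creation; detail = command line) or "network"
# (outbound connect; detail = dst ip:port). 203.0.113.7 is a documentation
# address standing in for ordinary benign traffic. The third line is
# deliberately malformed to show that the parser skips rather than aborts.
SAMPLE_LOG = r"""
2016-08-16T09:12:01Z|process|outlook.exe|C:\Program Files\Microsoft Office\Office15\WINWORD.EXE|"C:\Users\jdoe\AppData\Local\Temp\resume.doc"
2016-08-16T09:12:38Z|network|outlook.exe|C:\Program Files\Microsoft Office\Office15\WINWORD.EXE|93.174.91.49:80
this line is not telemetry
2016-08-16T09:12:40Z|process|winword.exe|C:\Users\jdoe\AppData\Local\Temp\bb.exe|bb.exe
2016-08-16T09:15:03Z|network|winword.exe|C:\Users\jdoe\AppData\Local\Temp\bb.exe|93.174.91.49:80
2016-08-16T09:15:09Z|network|services.exe|C:\Windows\System32\svchost.exe|203.0.113.7:443
"""


@dataclass
class Event:
    ts: str
    kind: str      # "process" or "network"
    parent: str    # parent image basename as recorded by the sensor
    image: str     # full path of the acting image
    detail: str    # command line (process) or dst ip:port (network)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_log(text: str) -> List[Event]:
    """Parse the assumed five-field, pipe-delimited format; drop bad lines."""
    events = []
    for line in text.strip().splitlines():
        fields = line.split("|", 4)
        if len(fields) != 5:
            continue
        events.append(Event(*fields))
    return events


def detect_chain(events: List[Event]) -> Dict[str, List[str]]:
    """Return findings keyed by stage of the chain the post describes."""
    findings: Dict[str, List[str]] = defaultdict(list)
    for ev in events:
        img = basename(ev.image)
        parent = ev.parent.lower()
        is_shared_server = ev.kind == "network" and ev.detail.split(":")[0] == SHARED_SERVER

        # Stage 0: an Office host opened the resume.doc lure.
        if ev.kind == "process" and img in OFFICE_HOSTS and LURE_NAME in ev.detail.lower():
            findings["lure_opened"].append(f"{ev.ts} {img} opened {LURE_NAME}")
        # Stage 1: the macro (running inside the Office host) reached the server.
        if is_shared_server and img in OFFICE_HOSTS:
            findings["macro_download"].append(f"{ev.ts} {img} -> {ev.detail}")
        # Stage 1b: the Office host spawned a binary with a known Betabot drop name.
        if ev.kind == "process" and parent in OFFICE_HOSTS and img in BETABOT_NAMES:
            findings["betabot_dropped"].append(f"{ev.ts} {parent} spawned {img}")
        # Stage 2: the Betabot binary itself went back to the same server,
        # which is where the post reports Cerber being fetched from.
        if is_shared_server and img in BETABOT_NAMES:
            findings["second_stage_fetch"].append(f"{ev.ts} {img} -> {ev.detail}")
    return dict(findings)


def severity(findings: Dict[str, List[str]]) -> str:
    """Escalate only when the chain progressed past the initial drop."""
    if "second_stage_fetch" in findings:
        return "critical"   # ransomware stage likely in progress
    if "betabot_dropped" in findings or "macro_download" in findings:
        return "high"
    if "lure_opened" in findings:
        return "medium"
    return "none"


if __name__ == "__main__":
    found = detect_chain(parse_log(SAMPLE_LOG))
    for stage, lines in found.items():
        print(stage, lines)
    print("severity:", severity(found))
```

The point of splitting the rule into stages is that the same shared server appearing twice, first from the Office host and then from a dropped binary, is what distinguishes the Betabot-then-Cerber sequence from a single-stage drop, and it is that second contact that should drive the escalation.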
Figure 5: Weaponized resumes switched from Cerber to Betabot in mid-August.
This marks the first time that a weaponized document with password-stealing malware has called ransomware as a second-stage attack. This is an evolution in maximizing the profits from an endpoint compromise, earning a much larger payout by chaining multiple attack techniques.