Betabot infostealer infections spreading in the wild, researchers say

News by Rene Millman

Betabot malware has significantly evolved self-defence capabilities which is evading many corporate IT systems, experts say.

Researchers have warned about a rise in the number of detected infections caused by the Betabot malware.

According to a blog post by researchers at Cybereason, the malware isn’t new (it was first detected in 2012),  but it is aggressive and singularly focused on giving the hacker the ability to steal lots of financial information. Researchers warned that the malware shuts down more than 30 popular AV products.

Cybereason has detected multiple Betabot infections over the last few weeks. The malware began as a banking Trojan and is now packed with features that allow its operators to essentially take over a victim’s machine and steal sensitive information.

According to Assaf Dahan, senior director of threat hunting at Cybereason, the malware’s main features are the browser form grabber, an FTP and mail client stealer, a robust Userland rootkit, the ability to download additional malware and the ability to execute commands via a shell.

It can also steal banking information, run distributed denial of service attacks and mine cryptocurrency.

The malware exploits an 18-year-old vulnerability in the Equation Editor tool in Microsoft Office. The vulnerability has been around since 2000 when Equation Editor was added to Office. However, it wasn’t discovered by researchers and patched by Microsoft until 2017.

Dahan said that Betabot stands out because of its self-defence features and its exhaustive blacklist of file and process names, product IDs, hashes and domains from major antivirus, security and virtualisation companies.

The most recent infections came from phishing campaigns that used social engineering to persuade users to download and open what appears to be a Word document that is attached to an email.

Opening an infected file sets off an Equation Editor exploit (CVE-2017-11882) and runs an installer that extracts the Betabot loader and the encrypted main payload.

Once Internet connectivity is verified (by contacting Google and Microsoft websites), Betabot will send requests to its C2 servers. It then downloads other malware.

Dahan said that Betabot uses several interesting persistence techniques, such as a classic registry Autorun. It also makes extensive usage of API hooking to hide the persistence from regedit, Sysinternal’s Autoruns and other monitoring tools.  

He added that Betabot’s authors designed the malware to operate in paranoid mode.

"For example, it can detect security products running on a victim’s machine, determine if it’s running in a research lab environment and identify and shut down other malware that’s on a machine. These self-defence mechanisms are well advertised in hacking forums," he said.

He said that Betabot will attempt to detect (and in some cases disable or remove) 30 different security products by looking for process names, specific files, folders, registry keys and services. 

Dahan said that to minimise infection, users should avoid clicking links and downloading or opening attachments from unknown senders, as well as look for misspellings, typos and other suspicious content in emails and attachments and report any abnormalities to IT or information security.

Craig Parkin, associate partner at Citihub Consulting, told SC Media UK that it seems that firms are unable to either prevent or detect infection by this sophisticated Trojan.

"There are a number of things firms can do which includes looking at their patching strategy to educating their users to raise security awareness. The Trojan gains hold via known means such as false links and then seeks to manipulate users to allow it to run, all of which can be prevented by both security and user awareness training," he said.

"If businesses want to avoid this Trojan without educating its users, they will need to ensure all patching is up to date and ensure only whitelisted applications are allowed to run."

Sonicwall CEO Bill Conner told SC Media UK that organisations must patch properly to eliminate the greatest risks they face.

"However, the reality continues to be that (especially for SMBs) humans rolling patches have always been challenging because of compatibility issues and rigorous testing needed to get those patches deployed," he added.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews