Data-stealing malware that has evolved significantly since it first appeared in 2012 is infecting targeted networks in an aggressive new campaign, researchers report.
The security operations team at security software firm Cybereason has detected multiple Betabot infections in the past few weeks.
The malware, which is also known as Neurevt, is a sophisticated infostealer that began as a banking Trojan, but now includes features that allow its operators to practically take over a victim’s machine, steal sensitive information and shut down more than 30 popular anti-malware products, according to Assaf Dahan, senior director of threat hunting at Cybereason.
Betabot’s main features include a browser form grabber, an FTP and mail client stealer, a robust rootkit, the ability to download additional malware, and the ability to execute commands, he wrote in a blog post.
Betabot exploits an 18-year-old vulnerability in the Equation Editor tool in Microsoft Office (CVE-2017-11882), which was publicly disclosed and patched by Microsoft in 2017, once again underlining the importance of keeping software patches up to date.
Dahan warns that Betabot implements a wide range of self-defence mechanisms commonly found in modern malware, including anti-debugging, anti-virtual machine/sandbox, anti-disassembly and the ability to detect security products and analysis tools.
In addition, the malware has an exhaustive blacklist of file and process names, product IDs, hashes and domains from major antivirus, security and virtualisation companies.
According to Cybereason data, most of the recent Betabot infections originated from phishing campaigns that used social engineering to persuade users to download and open what appears to be a Word document that is attached to an email.
Opening the document triggers the Equation Editor exploit (CVE-2017-11882) and executes an installer that extracts the Betabot loader and the encrypted main payload.
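Two checks a security operations team would typically run against the stage just described are shown below. This Python is an added illustration, not code from Cybereason or from the Betabot report: the first function scans a raw attachment for the markers an embedded Equation Editor object leaves in RTF and OLE files (the Equation.3 ProgID, the "Equation Native" stream name and the Equation Editor CLSID, each in plain, UTF-16LE and hex-encoded form), and the second flags process-creation events whose parent is EQNEDT32.EXE, which never needs to spawn anything itself. The sample RTF and OLE bytes, the Sysmon-style events, the user name and the `installer.exe` path are all constructed for the example.

```python
from __future__ import annotations

# Text form of the Equation Editor (Equation.3) COM class ID, as it appears in
# RTF/OLE metadata, and the same GUID as the 16 little-endian bytes stored in
# an OLE compound file.
EQUATION_CLSID_TEXT = b"0002CE02-0000-0000-C000-000000000046"
EQUATION_CLSID_BIN = bytes.fromhex("02CE0200" "0000" "0000" "C000000000000046")
TEXT_MARKERS = (b"Equation.3", b"Equation Native", EQUATION_CLSID_TEXT)


def equation_editor_markers(data: bytes) -> list[str]:
    """Return the Equation Editor indicators found in a raw attachment.

    Each text marker is searched as plain ASCII (RTF \\objclass), as UTF-16LE
    (OLE directory entries and CompObj streams) and as hex-encoded ASCII
    (RTF \\objdata blobs). This is a triage heuristic: a hit means the file
    embeds an Equation Editor object, which legitimate maths documents also
    do, so treat it as a reason to detonate or inspect, not as a verdict.
    """
    needles: dict[str, bytes] = {}
    for marker in TEXT_MARKERS:
        name = marker.decode()
        needles[name] = marker
        needles[name + " (UTF-16LE)"] = name.encode("utf-16-le")
        needles[name + " (hex-encoded)"] = marker.hex().encode()
    needles["Equation CLSID (binary GUID)"] = EQUATION_CLSID_BIN
    haystack = data.lower()  # case-insensitive: RTF hex may be upper or lower
    return [name for name, needle in needles.items() if needle.lower() in haystack]


EQUATION_EDITOR = "eqnedt32.exe"


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def equation_editor_child_processes(events: list[dict]) -> list[tuple[str, str, str]]:
    """Flag Sysmon-style process-creation events whose parent is EQNEDT32.EXE.

    Equation Editor only renders equations and never needs to start another
    program, so after a successful CVE-2017-11882 exploit the payload shows up
    as its child. COM starts EQNEDT32.EXE out of process, so its own parent is
    normally svchost.exe rather than WINWORD.EXE; a rule keyed on Word's
    children would miss this chain, which is why the parent here is EQNEDT32.
    """
    alerts = []
    for ev in events:
        if _basename(ev.get("ParentImage", "")) == EQUATION_EDITOR:
            alerts.append((ev["UtcTime"], ev["Image"], ev.get("CommandLine", "")))
    return alerts


# Constructed sample inputs (not real captures): a minimal RTF carrying an
# Equation.3 object, a fragment of an OLE compound file, and a benign docx.
RTF_SAMPLE = (
    b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata "
    + b"Equation.3".hex().encode().upper() + b"0000}}}"
)
OLE_SAMPLE = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"            # OLE2 magic
    + "Equation Native".encode("utf-16-le")        # stream name in the directory
    + EQUATION_CLSID_BIN
)
DOCX_SAMPLE = b"PK\x03\x04" + b"word/document.xml"

# Constructed process-creation events; paths and user name are illustrative.
EQN_PATH = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
SAMPLE_EVENTS = [
    {"UtcTime": "2018-08-01 09:11:50", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE",
     "CommandLine": '"WINWORD.EXE" /n "Invoice.doc"'},
    {"UtcTime": "2018-08-01 09:12:03", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": EQN_PATH, "CommandLine": '"EQNEDT32.EXE" -Embedding'},  # launched by DCOM
    {"UtcTime": "2018-08-01 09:12:04", "ParentImage": EQN_PATH,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c "%TEMP%\\installer.exe"'},             # the alert
    {"UtcTime": "2018-08-01 09:12:05", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\alice\AppData\Local\Temp\installer.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\installer.exe"},  # grandchild
]

if __name__ == "__main__":
    for label, blob in (("rtf", RTF_SAMPLE), ("ole", OLE_SAMPLE), ("docx", DOCX_SAMPLE)):
        print(label, equation_editor_markers(blob))
    for when, image, cmdline in equation_editor_child_processes(SAMPLE_EVENTS):
        print(f"ALERT {when}: EQNEDT32.EXE spawned {image} [{cmdline}]")
```

The process rule only matches the direct child; the dropped installer in the last sample event runs under cmd.exe and would be picked up by chaining on the alerted process's PID, which the example leaves to the SIEM. The file heuristic deliberately does not parse the OLE or RTF structure, so it survives the light obfuscation of control words that exploit builders apply, at the cost of also firing on documents that legitimately contain an equation.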
Betabot then checks internet connectivity by sending requests to Google.com and two Microsoft sites before attempting to contact its command and control servers.
Once connectivity is verified, Betabot sends requests to its command and control servers to download additional malware.
Betabot uses several interesting persistence techniques, said Dahan, including a classic registry Autorun entry, and hooks application programming interfaces (APIs) to hide those persistence methods from monitoring tools. Because such hooks affect tools that query the live system, the persistence entries may only be reliably visible when the registry hives are examined offline or from a trusted system.
Betabot’s authors designed the malware to operate in “paranoid mode”, which means it can detect security products running on a victim’s machine, determine if it’s running in a research lab environment and identify and shut down other malware that’s on a machine, said Dahan.
Besides not clicking links or downloading and opening attachments from unknown senders, and looking out for misspellings, typos and other suspicious content in emails and attachments, Dahan recommends keeping software up to date by installing Microsoft patches.
Businesses should also consider disabling the Equation Editor feature in Microsoft Office, he said. Microsoft’s published workaround for CVE-2017-11882 does exactly that by setting the Compatibility Flags DWORD value to 0x400 for the Equation Editor COM class (CLSID {0002CE02-0000-0000-C000-000000000046}) under HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility, and under the Wow6432Node equivalent on 64-bit Windows; Microsoft’s January 2018 Office security updates went further and removed the component entirely.