The prolific Betabot malware was recently found being distributed in a new multi-stage attack campaign. Betabot first appeared as banking malware and later evolved into a password stealer. Eventually it was transformed into a botnet capable of delivering ransomware as well.
Over the years, Betabot has been upgraded several times to add new functionality. According to security researchers at Sophos, the malware has been advertised on underground markets and sells for around $120.
“More recently, a cracked version of the Betabot builder has been discovered that allows other cybercriminals to utilize Betabot without purchasing it from the author(s),” Sophos security researchers wrote in a blog. “As Betabot’s intended use is nefarious in nature, the existence of cracked versions of the builder indicates cybercriminals are not only targeting members of the unsuspecting public but are also engaged in activities related to hacking other malware to leverage the work of other malware authors for free. Although this is not unprecedented, the increased availability due to the utilization of a software crack often results in an increase in the malware family’s use by new parties.”
According to independent security researcher Wojciech, the new campaign uses a malicious Microsoft Word document that attempts to exploit a 17-year-old vulnerability in the Microsoft Equation Editor (CVE-2017-11882). The vulnerable component dates from November 2000, but the flaw was only discovered in 2017, after which Microsoft patched the compiled Equation Editor binary directly rather than rebuilding it.
As part of the recent attack, Betabot's operators embedded an OLE object in a crafted RTF file to execute commands on the infected system. The embedded objects pose as legitimate software, which helps the lure gain the victim's trust.
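A triage check for documents of the kind described above, added here as an example rather than taken from Wojciech's or Sophos's analysis: it pulls every `\objdata` payload out of an RTF file, decodes the OLE 1.0 wrapper that `\objdata` carries, and reports whether the embedded object targets Equation Editor. It judges by the decoded object (OLE class name, the Microsoft Equation 3.0 CLSID, and the "Equation Native" stream name) rather than by the `\objclass` control word, which attackers can set to anything. The sample RTF is constructed inline and is not a real Betabot document; its second object deliberately lies in `\objclass` and has junk interleaved with its hex, as obfuscated samples do. The function names and the fake compound-file bytes are this example's own assumptions.

```python
import re
import struct
from typing import Dict, List, Optional

# Little-endian byte layout of the Microsoft Equation 3.0 CLSID
# {0002CE02-0000-0000-C000-000000000046}, as it appears inside OLE storage.
EQUATION_CLSID_LE = bytes.fromhex("02ce020000000000c000000000000046")
# Stream name used by Equation Editor objects, UTF-16LE as stored in the CFB directory.
EQUATION_NATIVE_UTF16 = "Equation Native".encode("utf-16-le")


def extract_objdata_blobs(rtf: bytes) -> List[bytes]:
    """Decode every \\objdata payload in an RTF file.

    Only hex digits are collected, so control words, line breaks and other
    junk interleaved with the hex (a common obfuscation) are skipped.
    """
    blobs = []
    for m in re.finditer(rb"\\objdata(?![a-zA-Z])", rtf):
        i, depth, hexchars = m.end(), 0, []
        while i < len(rtf):
            c = rtf[i:i + 1]
            if c == b"{":
                depth += 1
            elif c == b"}":
                if depth == 0:          # closing brace of the \objdata group
                    break
                depth -= 1
            elif c == b"\\":            # skip \controlword123 or a \x control symbol
                j = i + 1
                while j < len(rtf) and rtf[j:j + 1].isalpha():
                    j += 1
                if j == i + 1:
                    j += 1
                else:
                    while j < len(rtf) and rtf[j:j + 1] in b"-0123456789":
                        j += 1
                i = j
                continue
            elif c in b"0123456789abcdefABCDEF":
                hexchars.append(c)
            i += 1
        hexstr = b"".join(hexchars)
        if len(hexstr) % 2:             # drop a dangling nibble
            hexstr = hexstr[:-1]
        blobs.append(bytes.fromhex(hexstr.decode("ascii")))
    return blobs


def ole1_class_name(blob: bytes) -> Optional[str]:
    """Read the class name from an OLE 1.0 object header (MS-OLEDS): version,
    format id, then a length-prefixed ANSI class name."""
    if len(blob) < 12:
        return None
    version, _fmt, name_len = struct.unpack_from("<III", blob, 0)
    if version != 0x0501 or name_len == 0 or name_len > len(blob) - 12:
        return None
    return blob[12:12 + name_len].split(b"\0", 1)[0].decode("latin-1")


def equation_editor_indicators(rtf: bytes) -> List[Dict]:
    """Flag embedded objects that target Equation Editor, judging by the decoded
    object rather than the easily spoofed \\objclass control word."""
    findings = []
    for idx, blob in enumerate(extract_objdata_blobs(rtf)):
        cls = ole1_class_name(blob)
        reasons = []
        if cls and cls.lower().startswith("equation"):
            reasons.append("OLE1 class name %r" % cls)
        if EQUATION_CLSID_LE in blob:
            reasons.append("Equation Editor 3.0 CLSID inside embedded storage")
        if EQUATION_NATIVE_UTF16 in blob:
            reasons.append("'Equation Native' stream name inside embedded storage")
        findings.append({"object": idx, "class": cls,
                         "equation_editor": bool(reasons), "reasons": reasons})
    return findings


# --- constructed sample data (not a real Betabot document) -----------------

def build_ole1_blob(class_name: bytes, native: bytes) -> bytes:
    """Minimal OLE 1.0 embedded-object record: header, class name, empty
    topic/item names, then the native data."""
    name = struct.pack("<I", len(class_name) + 1) + class_name + b"\0"
    empty = struct.pack("<I", 0)
    return (struct.pack("<II", 0x0501, 2) + name + empty + empty
            + struct.pack("<I", len(native)) + native)


def hex_with_junk(blob: bytes) -> bytes:
    """Hex-encode and sprinkle a control word and a line break through it,
    mimicking obfuscated \\objdata seen in malicious RTFs."""
    h = blob.hex().encode("ascii")
    return h[:24] + b"\\par " + h[24:48] + b"\r\n" + h[48:]


# Stand-in for the Equation Editor compound file: CFB magic plus the two markers
# the scanner looks for (a real file would be a full OLE2 structured storage).
FAKE_EQUATION_STORAGE = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 16
                         + EQUATION_NATIVE_UTF16 + b"\0" * 8 + EQUATION_CLSID_LE
                         + b"\x90" * 16)

SAMPLE_RTF = b"".join([
    b"{\\rtf1\\ansi\\deff0\n",
    b"{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata ",
    build_ole1_blob(b"Package", b"notes.txt").hex().encode("ascii"),
    b"}}\n",
    # the \objclass here lies; only the decoded blob reveals Equation.3
    b"{\\object\\objemb{\\*\\objclass Word.Document.8}{\\*\\objdata ",
    hex_with_junk(build_ole1_blob(b"Equation.3", FAKE_EQUATION_STORAGE)),
    b"}}\n",
    b"\\par }",
])

if __name__ == "__main__":
    for finding in equation_editor_indicators(SAMPLE_RTF):
        print(finding)
```

Run against a real document, the second object would be reported as Equation Editor even though `\objclass` claims a Word document. The scanner only handles hex-encoded `\objdata` and ignores `\bin` binary runs, so suspicious files should still go through a full RTF and OLE parser; a hit here is a reason to detonate or block, not a complete analysis.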
“What is also interesting is that there are many embedded images in the resources of the file. All of the images contain noisy pixels, except one, which looks like a legitimate poster for a movie night in Bucharest, named “Key0”. The noisy pictures are used in the next stage, but the purpose of the poster is still unknown,” Wojciech wrote in a blog post.
The final stage of the attack deploys a new version of Betabot. The new variant adds anti-debugging and anti-virtualization checks, which hinder analysis by researchers and automated sandboxes and so prolong the malware's profitable life for its operators.
“Sometimes even known samples can cause trouble because of the various ways of packing, encrypting or encoding. It takes more time to understand exactly how they operate and what kind of damage they can cause,” Wojciech noted.