The Betabot Trojan, which was, until now, focused on dumping and stealing passwords from the computers it targeted, has now received a ransomware upgrade.
The authors behind this recent Betabot attack stream have modified their product to be even more lucrative by installing ransomware as a second-stage payload.
The security company Invincea reports that this major change happened at the same time Betabot's developers decided to change their distribution technique.
Whereas the Trojan previously relied on exploit kits (EK), such as the Neutrino EK, to infect its targets, since the end of July it has shifted to spam messages. The emails carry an attached Word file containing malicious macro scripts.
If the victim enables macro support in Microsoft Office, these malicious scripts download and launch Betabot. The Trojan operates by dumping passwords from many applications, such as browsers and email clients, and sending them to its Command-and-Control (C&C) server.
What distinguishes this new spam-delivered Betabot from the older EK-delivered versions is that, after stealing the passwords it was after in the first place, it downloads the Cerber ransomware and starts the data encryption process.
“This marks the first time that a weaponized document with password stealing malware has called ransomware as a second stage attack,” Invincea's Pat Belcher says. “This is an evolution in maximizing the profits from an endpoint compromise, earning much larger payout by using multiple attack techniques.”