Betabot Trojan Reborn in New Sophisticated Form

Published: 22/11/2024   Category: security




As far as malware goes, the Betabot Trojan has gone through several different incarnations. Its latest form, however, may be the most sophisticated yet, and it appears to be laying the groundwork for an even larger attack.



In malware, everything old becomes new again. An exploit may work for a time and then be mitigated, but that doesn't stop threat actors from later trying it again in a different form.
So it is with the Betabot Trojan. It was first a banking Trojan that evolved into a password stealer. Mutations along the way turned it into a botnet capable of distributing malicious programs.
However, it has now changed again, security researcher Wojciech notes in a recent article.
What it does in this latest phase is attempt to exploit CVE-2017-11882, a decades-old vulnerability in Windows Equation Editor that was patched in November 2017. Betabot embeds an Object Linking and Embedding (OLE) object into a specially crafted RTF file that is attached to a Word document, in order to execute commands on the victim's system.
The embedded objects (inteldriverupd1.sct, task.bat, decoy.doc, exe.exe, and 2nd.bat) all look legitimate to the victim, which helps the social engineering part of the attack. Wojciech writes that inteldriverupd1.sct lets the attacker take advantage of the Windows Script Component: it creates a new object, which in turn runs the task.bat script.
Task.bat checks for the presence of a block.txt file in the temp directory. If the file does not exist, the script creates it. At the end of the script, it starts 2nd.bat and then deletes itself.
The last of the preliminary stages is executing the 2nd.bat script. It first starts the main exe file and then kills the Word process (winword.exe). After that, Wojciech found that it deletes the Resiliency directory from the registry, for every Office version, to hide its own tracks and prevent recovery of the document.
Now, it starts to execute what it really wants. First, a connection is made to hxxp://goog[.]com/newbuild/t.php?stats=send&thread=0, where it gets exe.exe.
Exe.exe has multiple layers of obfuscation in it, including embedded images that are noisy, which it then uses for the data to construct its true executable.
It also checks for running processes that indicate a virtual machine (vmacthlp, vmtools, vboxservice). Should one of them be running, it terminates.
After the new Betabot variant has been constructed from all this multistage effort, the real fun starts.
After the initial web connection is made, the malware goes through a few redirects (hxxp://sharesale[.]com for one) and ends up at hxxp://shirtbattle[.]com. It seems that the main C&C is at hxxp://onedriveservice[.]com, however.
Betabot is then let loose to burn and pillage the villagers.
The newest exploit bears watching because of all the care that goes into getting it launched and running. Hiding its tracks and its methods suggests that another payload besides Betabot could be downloaded from the C&C server if the threat actor desired.
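The behaviours described above (Word spawning a shell that runs task.bat, block.txt appearing in the temp directory, winword.exe being killed by a script, the Office Resiliency key being deleted, and call-outs to the listed C&C domains) map directly onto host telemetry. The following is an added example, not code from the article or from the researcher: a small detector run over constructed Sysmon-style events. The event field names and the Resiliency key path under `Software\Microsoft\Office\<version>\Word\` are assumptions for this example.

```python
import re
from typing import Dict, List

# Constructed sample telemetry (Sysmon-style events), not data from the article.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "parent": "WINWORD.EXE", "image": "cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\victim\AppData\Local\Temp\task.bat"'},
    {"type": "file", "action": "create", "path": r"C:\Users\victim\AppData\Local\Temp\block.txt"},
    {"type": "process", "parent": "cmd.exe", "image": "taskkill.exe", "cmdline": "taskkill /f /im winword.exe"},
    {"type": "registry", "action": "delete", "key": r"HKCU\Software\Microsoft\Office\16.0\Word\Resiliency"},
    {"type": "network", "image": "exe.exe", "dest": "goog.com", "uri": "/newbuild/t.php?stats=send&thread=0"},
    {"type": "network", "image": "chrome.exe", "dest": "example.org", "uri": "/"},
    {"type": "process", "parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

# Indicators taken from the behaviour the article describes.
C2_DOMAINS = {"goog.com", "sharesale.com", "shirtbattle.com", "onedriveservice.com"}
DROPPED_NAMES = {"inteldriverupd1.sct", "task.bat", "2nd.bat", "exe.exe", "decoy.doc", "block.txt"}
# Assumed location of the per-version Resiliency key the script wipes.
RESILIENCY_KEY = re.compile(r"\\Software\\Microsoft\\Office\\[^\\]+\\Word\\Resiliency$", re.I)


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the detection names one event triggers (empty list if benign)."""
    hits: List[str] = []
    t = ev.get("type")
    if t == "process":
        # Word has no business spawning a command shell that runs a batch file.
        if ev["parent"].lower() == "winword.exe" and ev["image"].lower() == "cmd.exe":
            hits.append("office_spawned_shell")
        # 2nd.bat kills winword.exe after the payload has started.
        if "taskkill" in ev["image"].lower() and "winword" in ev["cmdline"].lower():
            hits.append("word_killed_by_script")
    if t == "registry" and ev.get("action") == "delete" and RESILIENCY_KEY.search(ev["key"]):
        hits.append("office_resiliency_key_deleted")
    if t == "network" and ev["dest"].lower() in C2_DOMAINS:
        hits.append("known_betabot_c2")
    # Any event naming one of the dropped artefacts, matched as whole tokens
    # so that "winword.exe" does not match "exe.exe".
    tokens = set(re.findall(r"[\w.-]+", " ".join(ev.values()).lower()))
    if tokens & DROPPED_NAMES:
        hits.append("betabot_artifact_name")
    return hits


def score_events(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Count hits per detection; several distinct detections on one host is a strong signal."""
    counts: Dict[str, int] = {}
    for ev in events:
        for h in classify(ev):
            counts[h] = counts.get(h, 0) + 1
    return counts
```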
— Larry Loeb has written for many of the last century's major dead-tree computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
