
9/1/2016
09:00 AM

Password-Stealing Trojan Now Also Attacks With Cerber Ransomware

Weaponized Microsoft Word Documents spread one-two punch via the infamous Betabot.

An old-school banking Trojan has been reincarnated as a weaponized document payload that first steals passwords and then drops ransomware.

The Betabot Trojan, which the FBI warned about in 2013, is best known as a botnet and for disabling anti-malware software and bypassing virtual machines and sandboxes on victim machines in its quest to steal passwords. But researchers at Invincea have discovered Betabot spreading via rigged documents: after it steals a victim’s browser-stored passwords, it then drops the infamous Cerber ransomware in a second phase of the attack.

Invincea says this is a first: a weaponized document that steals passwords then uses ransomware on its victims.

Patrick Belcher, senior director of threat research at Invincea, says Betabot has infected thousands of victims in this latest iteration. “We haven’t seen Betabot ever do this: doing a phishing run with the same sort of phishing Cerber was using. Instead of using just Cerber, the [attackers] are installing Betabot and then going to Cerber.”

Cerber is a ransomware tool that has caught fire in the cybercrime underground. It uses a ransomware-as-a-service model, which allows nontechnical criminals to deploy it. Cerber affiliates extorted from their victims some $195,000 in July, according to recent data from Check Point, and Cerber’s author nets around $946,000 per year, a hefty income for ransomware operations.

Why the one-two punch? Belcher says it’s all about maximizing potential profit. Once the attackers have stolen the stored passwords, they then hit the victim with Cerber ransomware in order to squeeze as much as they can out of an infected victim.

“They were really after the passwords, I think, or they would not bother to drop Betabot. But they are trying to maximize their profits for each compromised endpoint. They get an amount of value on passwords of the systems … and the second whammy is ‘pay ransom’ on top of that,” he says.

Betabot harvests any credentials stored in the browser cache. In the recent campaign, it infects users through a malicious macro in a Word document posing as a resume. The user only gets infected if macros are enabled in the document, either by default or manually.
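Because the lure described above depends on a macro inside a Word document, a mail or file gateway can triage attachments for VBA content before a user ever opens them. The sketch below is an added example, not code from Invincea or the article; the function names and the sample builder are hypothetical, and the sample bytes are constructed placeholders rather than real documents.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaproject"

def macro_triage(data: bytes) -> str:
    """Return 'macro', 'legacy-ole', 'no-macro' or 'not-office' for a file's bytes."""
    if data.startswith(OLE_MAGIC):
        # Binary Office formats can carry VBA; flag for deeper OLE inspection.
        return "legacy-ole"
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return "not-office"
    with zipfile.ZipFile(buf) as z:
        names = z.namelist()
        ct_name = next((n for n in names if n.lower() == "[content_types].xml"), None)
        if ct_name is None:
            return "not-office"
        # Signal 1: the VBA project part under its usual name.
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "macro"
        # Signal 2: the part was renamed but is still declared as a VBA project.
        if VBA_CONTENT_TYPE in z.read(ct_name).lower():
            return "macro"
    return "no-macro"

def build_sample(vba_part=None, declare_vba=False) -> bytes:
    """Constructed sample: a minimal OOXML-like zip, not a real document."""
    ct = '<Types><Default Extension="xml" ContentType="application/xml"/>'
    if declare_vba:
        ct += '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
    ct += "</Types>"
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        z.writestr("[Content_Types].xml", ct)
        z.writestr("word/document.xml", "<w:document/>")
        if vba_part:
            z.writestr(vba_part, b"placeholder bytes, not real VBA")
    return out.getvalue()

if __name__ == "__main__":
    print(macro_triage(build_sample("word/vbaProject.bin", True)))
```

A "legacy-ole" result means macros cannot be ruled out from the header alone, so such files should go to a parser that understands the compound file format or be quarantined by policy.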

Bottom line: enterprises continue to be juicy marks for phishing lures. “Our research shows that weaponized documents are six times more prevalent than running into an exploit kit,” Belcher says. Not just malicious macros, but otherwise rigged files as well, he says.

“Every business in America is being run having to open up invoices, resumes, documents, reservations … Phishing campaigns have proven to be extremely accurate in the way they are worded,” for example, he says.

Another perplexing issue, notes Belcher: if users are creating strong passwords and then storing them in their browser cache, their passwords are toast in a Betabot-type password-stealing attack.

The best bet to protect against this latest Betabot-Cerber campaign, aside from practicing savvy phishing awareness, is to disable macros altogether and for users to refrain from storing any passwords.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
