Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

9/1/2016
09:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Password-Stealing Trojan Now Also Attacks With Cerber Ransomware

Weaponized Microsoft Word Documents spread one-two punch via the infamous Betabot.

An old-school banking Trojan has been reincarnated as a weaponized document payload that first steals passwords and then drops ransomware.

The Betabot Trojan, which the FBI warned about in 2013, is best known as a botnet and for disabling anti-malware software and bypassing virtual machines and sandboxes on victim machines in its quest to steal passwords. But researchers at Invincea have discovered Betabot spreading via rigged documents: after it steals a victim’s browser-stored passwords, it then drops the infamous Cerber ransomware in a second phase of the attack.

Invincea says this is a first: a weaponized document that steals passwords then uses ransomware on its victims.

Patrick Belcher, senior director of threat research at Invincea, says Betabot has infected thousands of victims in this latest iteration. “We haven’t seen Betabot ever do this: doing a phishing run with the same sort of phishing Cerber was using. Instead of using just Cerber, the [attackers] are installing Betabot and then going to Cerber.”

Cerber is a ransomware tool that has caught fire in the cybercrime underground. It uses a ransomware-as-a-service model, which allows nontechnical criminals to deploy it. Cerber affiliates extorted from their victims some $195,000 in July, according to recent data from Check Point, and Cerber’s author nets around $946,000 per year, a hefty income for ransomware operations.

Why the one-two punch? Belcher says it’s all about maximizing potential profit. Once the attackers have stolen the stored passwords, they then hit the victim with Cerber ransomware in order to squeeze as much as they can out of an infected victim.

“They were really after the passwords, I think, or they would not bother to drop Betabot. But they are trying to maximize their profits for each compromised endpoint. They get an amount of value on passwords of the systems … and the second whammy is ‘pay ransom’ on top of that,” he says.

Betabot basically harvests any credentials stored in the browser cache, and in the recent campaign, infects users with a malicious macro in a Word Document posing as a resume. The user only gets infected if macros are enabled in the document either by default or manually.

Bottom line: enterprises continue to be juicy marks for phishing lures. “Our research shows that weaponized documents are six times more prevalent than running into an exploit kit,” Belcher says. Not just malicious macros, but otherwise rigged files as well, he says.

“Every business in America is being run having to open up invoices, resumes, documents, reservations … Phishing campaigns have proven to be extremely accurate in the way they are worded,” for example, he says.

Another perplexing issue, notes Belcher: if users are creating strong passwords and then storing them in their browser cache, their passwords are toast in Betabot-type password-stealing attack.

The best bet to protect against this latest Betabot-Cerber campaign—aside from practicing savvy phishing awareness--is to disable macros altogether and for users to refrain from storing any passwords.

Related Content:

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.