Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

9/1/2016
09:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Password-Stealing Trojan Now Also Attacks With Cerber Ransomware

Weaponized Microsoft Word Documents spread one-two punch via the infamous Betabot.

An old-school banking Trojan has been reincarnated as a weaponized document payload that first steals passwords and then drops ransomware.

The Betabot Trojan, which the FBI warned about in 2013, is best known as a botnet and for disabling anti-malware software and bypassing virtual machines and sandboxes on victim machines in its quest to steal passwords. But researchers at Invincea have discovered Betabot spreading via rigged documents: after it steals a victim’s browser-stored passwords, it then drops the infamous Cerber ransomware in a second phase of the attack.

Invincea says this is a first: a weaponized document that steals passwords then uses ransomware on its victims.

Patrick Belcher, senior director of threat research at Invincea, says Betabot has infected thousands of victims in this latest iteration. “We haven’t seen Betabot ever do this: doing a phishing run with the same sort of phishing Cerber was using. Instead of using just Cerber, the [attackers] are installing Betabot and then going to Cerber.”

Cerber is a ransomware tool that has caught fire in the cybercrime underground. It uses a ransomware-as-a-service model, which allows nontechnical criminals to deploy it. Cerber affiliates extorted from their victims some $195,000 in July, according to recent data from Check Point, and Cerber’s author nets around $946,000 per year, a hefty income for ransomware operations.

Why the one-two punch? Belcher says it’s all about maximizing potential profit. Once the attackers have stolen the stored passwords, they then hit the victim with Cerber ransomware in order to squeeze as much as they can out of an infected victim.

“They were really after the passwords, I think, or they would not bother to drop Betabot. But they are trying to maximize their profits for each compromised endpoint. They get an amount of value on passwords of the systems … and the second whammy is ‘pay ransom’ on top of that,” he says.

Betabot basically harvests any credentials stored in the browser cache, and in the recent campaign, infects users with a malicious macro in a Word Document posing as a resume. The user only gets infected if macros are enabled in the document either by default or manually.

Bottom line: enterprises continue to be juicy marks for phishing lures. “Our research shows that weaponized documents are six times more prevalent than running into an exploit kit,” Belcher says. Not just malicious macros, but otherwise rigged files as well, he says.

“Every business in America is being run having to open up invoices, resumes, documents, reservations … Phishing campaigns have proven to be extremely accurate in the way they are worded,” for example, he says.

Another perplexing issue, notes Belcher: if users are creating strong passwords and then storing them in their browser cache, their passwords are toast in Betabot-type password-stealing attack.

The best bet to protect against this latest Betabot-Cerber campaign—aside from practicing savvy phishing awareness--is to disable macros altogether and for users to refrain from storing any passwords.

Related Content:

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16772
PUBLISHED: 2019-12-07
The serialize-to-js NPM package before version 3.0.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.to...
CVE-2019-9464
PUBLISHED: 2019-12-06
In various functions of RecentLocationApps.java, DevicePolicyManagerService.java, and RecognitionService.java, there is an incorrect warning indicating an app accessed the user's location. This could dissolve the trust in the platform's permission system, with no additional execution privileges need...
CVE-2019-2220
PUBLISHED: 2019-12-06
In checkOperation of AppOpsService.java, there is a possible bypass of user interaction requirements due to mishandling application suspend. This could lead to local information disclosure no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVers...
CVE-2019-2221
PUBLISHED: 2019-12-06
In hasActivityInVisibleTask of WindowProcessController.java there?s a possible bypass of user interaction requirements due to incorrect handling of top activities in INITIALIZING state. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction ...
CVE-2019-2222
PUBLISHED: 2019-12-06
n ihevcd_parse_slice_data of ihevcd_parse_slice.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android...