Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

9/1/2016
09:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Password-Stealing Trojan Now Also Attacks With Cerber Ransomware

Weaponized Microsoft Word Documents spread one-two punch via the infamous Betabot.

An old-school banking Trojan has been reincarnated as a weaponized document payload that first steals passwords and then drops ransomware.

The Betabot Trojan, which the FBI warned about in 2013, is best known as a botnet and for disabling anti-malware software and bypassing virtual machines and sandboxes on victim machines in its quest to steal passwords. But researchers at Invincea have discovered Betabot spreading via rigged documents: after it steals a victim’s browser-stored passwords, it then drops the infamous Cerber ransomware in a second phase of the attack.

Invincea says this is a first: a weaponized document that steals passwords then uses ransomware on its victims.

Patrick Belcher, senior director of threat research at Invincea, says Betabot has infected thousands of victims in this latest iteration. “We haven’t seen Betabot ever do this: doing a phishing run with the same sort of phishing Cerber was using. Instead of using just Cerber, the [attackers] are installing Betabot and then going to Cerber.”

Cerber is a ransomware tool that has caught fire in the cybercrime underground. It uses a ransomware-as-a-service model, which allows nontechnical criminals to deploy it. Cerber affiliates extorted from their victims some $195,000 in July, according to recent data from Check Point, and Cerber’s author nets around $946,000 per year, a hefty income for ransomware operations.

Why the one-two punch? Belcher says it’s all about maximizing potential profit. Once the attackers have stolen the stored passwords, they then hit the victim with Cerber ransomware in order to squeeze as much as they can out of an infected victim.

“They were really after the passwords, I think, or they would not bother to drop Betabot. But they are trying to maximize their profits for each compromised endpoint. They get an amount of value on passwords of the systems … and the second whammy is ‘pay ransom’ on top of that,” he says.

Betabot basically harvests any credentials stored in the browser cache, and in the recent campaign, infects users with a malicious macro in a Word Document posing as a resume. The user only gets infected if macros are enabled in the document either by default or manually.

Bottom line: enterprises continue to be juicy marks for phishing lures. “Our research shows that weaponized documents are six times more prevalent than running into an exploit kit,” Belcher says. Not just malicious macros, but otherwise rigged files as well, he says.

“Every business in America is being run having to open up invoices, resumes, documents, reservations … Phishing campaigns have proven to be extremely accurate in the way they are worded,” for example, he says.

Another perplexing issue, notes Belcher: if users are creating strong passwords and then storing them in their browser cache, their passwords are toast in Betabot-type password-stealing attack.

The best bet to protect against this latest Betabot-Cerber campaign—aside from practicing savvy phishing awareness--is to disable macros altogether and for users to refrain from storing any passwords.

Related Content:

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19698
PUBLISHED: 2019-12-10
marc-q libwav through 2017-04-20 has a NULL pointer dereference in wav_content_read() at libwav.c.
CVE-2019-4428
PUBLISHED: 2019-12-09
IBM Watson Assistant for IBM Cloud Pak for Data 1.0.0 through 1.3.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session....
CVE-2019-4611
PUBLISHED: 2019-12-09
IBM Planning Analytics 2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 168519.
CVE-2019-4612
PUBLISHED: 2019-12-09
IBM Planning Analytics 2.0 is vulnerable to malicious file upload in the My Account Portal. Attackers can make use of this weakness and upload malicious executable files into the system and it can be sent to victim for performing further attacks. IBM X-Force ID: 168523.
CVE-2019-4621
PUBLISHED: 2019-12-09
IBM DataPower Gateway 7.6.0.0-7 throug 6.0.14 and 2018.4.1.0 through 2018.4.1.5 have a default administrator account that is enabled if the IPMI LAN channel is enabled. A remote attacker could use this account to gain unauthorised access to the BMC. IBM X-Force ID: 168883.