Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

9/1/2016
09:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Password-Stealing Trojan Now Also Attacks With Cerber Ransomware

Weaponized Microsoft Word Documents spread one-two punch via the infamous Betabot.

An old-school banking Trojan has been reincarnated as a weaponized document payload that first steals passwords and then drops ransomware.

The Betabot Trojan, which the FBI warned about in 2013, is best known as a botnet and for disabling anti-malware software and bypassing virtual machines and sandboxes on victim machines in its quest to steal passwords. But researchers at Invincea have discovered Betabot spreading via rigged documents: after it steals a victim’s browser-stored passwords, it then drops the infamous Cerber ransomware in a second phase of the attack.

Invincea says this is a first: a weaponized document that steals passwords then uses ransomware on its victims.

Patrick Belcher, senior director of threat research at Invincea, says Betabot has infected thousands of victims in this latest iteration. “We haven’t seen Betabot ever do this: doing a phishing run with the same sort of phishing Cerber was using. Instead of using just Cerber, the [attackers] are installing Betabot and then going to Cerber.”

Cerber is a ransomware tool that has caught fire in the cybercrime underground. It uses a ransomware-as-a-service model, which allows nontechnical criminals to deploy it. Cerber affiliates extorted from their victims some $195,000 in July, according to recent data from Check Point, and Cerber’s author nets around $946,000 per year, a hefty income for ransomware operations.

Why the one-two punch? Belcher says it’s all about maximizing potential profit. Once the attackers have stolen the stored passwords, they then hit the victim with Cerber ransomware in order to squeeze as much as they can out of an infected victim.

“They were really after the passwords, I think, or they would not bother to drop Betabot. But they are trying to maximize their profits for each compromised endpoint. They get an amount of value on passwords of the systems … and the second whammy is ‘pay ransom’ on top of that,” he says.

Betabot basically harvests any credentials stored in the browser cache, and in the recent campaign, infects users with a malicious macro in a Word Document posing as a resume. The user only gets infected if macros are enabled in the document either by default or manually.

Bottom line: enterprises continue to be juicy marks for phishing lures. “Our research shows that weaponized documents are six times more prevalent than running into an exploit kit,” Belcher says. Not just malicious macros, but otherwise rigged files as well, he says.

“Every business in America is being run having to open up invoices, resumes, documents, reservations … Phishing campaigns have proven to be extremely accurate in the way they are worded,” for example, he says.

Another perplexing issue, notes Belcher: if users are creating strong passwords and then storing them in their browser cache, their passwords are toast in Betabot-type password-stealing attack.

The best bet to protect against this latest Betabot-Cerber campaign—aside from practicing savvy phishing awareness--is to disable macros altogether and for users to refrain from storing any passwords.

Related Content:

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
MoviePass Leaves Credit Card Numbers, Personal Data Exposed Online
Kelly Sheridan, Staff Editor, Dark Reading,  8/21/2019
New FISMA Report Shows Progress, Gaps in Federal Cybersecurity
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/21/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-18573
PUBLISHED: 2019-08-22
osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. Remote authenticated administrators can upload new '.htaccess' files (e.g., omitting .php) and subsequently achieve arbitrary PHP code execution via a /catalog/admin/categories.php?cPath=&ac...
CVE-2019-11013
PUBLISHED: 2019-08-22
Nimble Streamer 3.0.2-2 through 3.5.4-9 has a ../ directory traversal vulnerability. Successful exploitation could allow an attacker to traverse the file system to access files or directories that are outside of the restricted directory on the remote server.
CVE-2019-11029
PUBLISHED: 2019-08-22
Mirasys VMS before V7.6.1 and 8.x before V8.3.2 mishandles the Download() method of AutoUpdateService in SMServer.exe, leading to Directory Traversal. An attacker could use ..\ with this method to iterate over lists of interesting system files and download them without previous authentication. This ...
CVE-2019-11030
PUBLISHED: 2019-08-22
Mirasys VMS before V7.6.1 and 8.x before V8.3.2 mishandles the Mirasys.Common.Utils.Security.DataCrypt method in Common.dll in AuditTrailService in SMServer.exe. This method triggers insecure deserialization within the .NET garbage collector, in which a gadget (contained in a serialized object) may ...
CVE-2019-11031
PUBLISHED: 2019-08-22
Mirasys VMS before V7.6.1 and 8.x before V8.3.2 mishandles the auto-update feature of IDVRUpdateService2 in DVRServer.exe. An attacker can upload files with a Setup-Files action, and then execute these files with SYSTEM privileges.