Money-hungry crooks find a new way to monetize their tool

Sep 1, 2016 15:25 GMT

Betabot, a trojan usually used to dump and steal passwords from infected computers, has recently been seen installing ransomware as a second-stage payload.

The crooks behind this new wave of attacks have modified Betabot and added an extra step in an attempt to monetize their malware further.

According to a report from Invincea, this modification appeared when Betabot also changed its distribution method.

Before this, Betabot infected victims via exploit kits (EK), with a recent campaign leveraging the Neutrino EK.

Towards the end of July, Betabot's crew started leaning on spam campaigns to deliver their trojan. These spam emails contained a file attachment, a Word file modified to contain malicious macro scripts.

If the user activated macro support in Microsoft Office, the scripts would download and install Betabot. The trojan worked as usual by dumping passwords from a series of applications such as browsers and email clients and sending them to a command and control server.
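The delivery step described above, a macro-bearing Word attachment that fetches the trojan once macros are enabled, is the point where a mail gateway can intervene. The following is an added example, not code from the article, Invincea or the Betabot/Cerber operators: a small Python check that inspects an Office Open XML attachment for the markers of embedded VBA (a `word/vbaProject.bin` part and the macro-enabled content types) and applies a hypothetical quarantine policy. The two sample documents are constructed in memory and are not real malware samples.

```python
import io
import zipfile

# Added example, not from the article: a gateway-style check that flags
# Office Open XML (.docx/.docm) attachments carrying VBA macros, the delivery
# mechanism the article describes for the spam-based Betabot campaign.

VBA_PART = "word/vbaProject.bin"
# Real OOXML content types that only appear in macro-enabled Word documents.
MACRO_CONTENT_TYPES = {
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-office.vbaProject",
}


def macro_indicators(blob: bytes) -> dict:
    """Report which macro indicators an attachment carries.

    Non-zip input (a legacy .doc, or not an Office file at all) yields
    {"ooxml": False, ...} so a caller can route it to a different check.
    """
    result = {"ooxml": False, "vba_part": False, "macro_content_type": False}
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            names = set(zf.namelist())
            result["ooxml"] = "[Content_Types].xml" in names
            if not result["ooxml"]:
                return result
            # Indicator 1: the VBA project part itself is present in the package.
            result["vba_part"] = VBA_PART in names
            # Indicator 2: the package declares a macro-enabled content type,
            # even if the part was renamed or the file extension was changed.
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["macro_content_type"] = any(ct in ctypes for ct in MACRO_CONTENT_TYPES)
    except zipfile.BadZipFile:
        pass
    return result


def should_quarantine(blob: bytes) -> bool:
    """Hypothetical policy: hold any attachment that carries macros,
    whatever extension the sender gave it."""
    ind = macro_indicators(blob)
    return ind["vba_part"] or ind["macro_content_type"]


def _build_ooxml(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML container, optionally with a VBA part."""
    if with_macro:
        main_ct = "application/vnd.ms-word.document.macroEnabled.main+xml"
    else:
        main_ct = ("application/vnd.openxmlformats-officedocument"
                   ".wordprocessingml.document.main+xml")
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    if with_macro:
        overrides += ('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f"{overrides}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes only (an OLE magic prefix); no actual VBA code.
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0constructed-placeholder")
    return buf.getvalue()


# Constructed inputs: a clean document and a macro-enabled one.
SAMPLE_CLEAN = _build_ooxml(with_macro=False)
SAMPLE_MACRO = _build_ooxml(with_macro=True)

if __name__ == "__main__":
    for name, blob in (("invoice.docx", SAMPLE_CLEAN), ("invoice.docm", SAMPLE_MACRO)):
        verdict = "quarantine" if should_quarantine(blob) else "deliver"
        print(name, macro_indicators(blob), verdict)
```

The check deliberately looks at both the VBA part and the declared content types rather than the file extension, because the extension is under the sender's control while the package contents are what Word actually acts on. Legacy binary `.doc` files are not zips and fall through with `ooxml: False`; they need a separate OLE-based check.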

What set this variant apart from the earlier EK-delivered Betabot versions, according to Invincea and other researchers, was that it also downloaded the Cerber ransomware after it had stolen the passwords.

The crooks were encrypting data on infected PCs after stealing what they were initially after.

"This marks the first time that a weaponized document with password stealing malware has called ransomware as a second stage attack," Pat Belcher of Invincea explains. "This is an evolution in maximizing the profits from an endpoint compromise, earning much larger payout by using multiple attack techniques."