A banking trojan packed with anti-malware evasion techniques and an exhaustive blacklist of security software.

Cybereason researchers have spotted multiple Betabot, aka Neurevt, infections over the past few weeks and have noted that the malware is now packed with features that let its operators practically take over a victim’s machine to steal sensitive information, according to an Oct. 3 blog post.

“Other programs remove malware and bots that are already on a person’s machine, eliminating the competition with heuristic approaches that would put many security products to shame,” researchers said in the post. “Betabot stands out because it implements all of these self-defense features and has an exhaustive blacklist of file and process names, product IDs, hashes and domains from major antivirus, security and virtualization companies.”
The malware has been active since late 2012 and began as just a banking trojan, but the most recent version includes a browser form grabber, an FTP and mail client stealer, banker modules, and the ability to run DDoS attacks.

The trojan also uses a USB infection module, a Robust Userland Rootkit (x86/x64), arbitrary command execution via shell, the ability to download additional malware, persistence, and a cryptocurrency miner module.

Betabot spreads by exploiting an 18-year-old zero-day vulnerability in the Equation Editor tool in Microsoft Office that wasn’t discovered and patched by Microsoft until 2017. Infections are spread via phishing campaigns that use social engineering to convince victims to download what appears to be a Word document email attachment.

The malware also uses interesting persistence techniques, one of which was implemented via Windows Task Scheduler and was observed in some infections. Researchers also noted infections that used a simple registry Autorun entry.

The malware’s authors designed the souped-up trojan to operate in “paranoid mode”: it can detect security products running on a victim’s device, and if it detects that it is running in a sandbox environment it will shut itself down to prevent examination.

Those looking to prevent infection are advised to minimize their risk by not clicking links or downloading or opening attachments from unknown senders, looking out for typos, misspellings or other suspicious content in emails and attachments, and reporting anything suspicious or abnormal to IR or information security.
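As an added defender-side example (not code from the Cybereason post or from SC Media), the following Python hunt flags in process-creation telemetry the behaviors this article describes: a child process spawned by the Office Equation Editor binary (EQNEDT32.EXE), a scheduled task created to run a binary from a user-writable path, and a Run-key autorun entry added through reg.exe. The simplified Sysmon-style event shape and all sample events are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample events in a simplified Sysmon-style process-creation shape
# (not real telemetry). Events 0 and 4 are benign; 1-3 model the chain described above.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": 'WINWORD.EXE /n "C:\\Users\\alice\\Downloads\\invoice.doc"'},
    {"parent": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c C:\\Users\\alice\\AppData\\Roaming\\svc.exe"},
    {"parent": r"C:\Users\alice\AppData\Roaming\svc.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks.exe /create /sc minute /mo 5 /tn Updater /tr "C:\\Users\\alice\\AppData\\Roaming\\svc.exe"'},
    {"parent": r"C:\Users\alice\AppData\Roaming\svc.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": 'reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v svc /t REG_SZ /d "C:\\Users\\alice\\AppData\\Roaming\\svc.exe"'},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks.exe /run /tn \\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
]

EQUATION_EDITOR = "eqnedt32.exe"  # the Office Equation Editor binary named in the article
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\b")  # HKCU/HKLM ...\Run and \RunOnce

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def in_user_writable(text: str) -> bool:
    return any(marker in text.lower() for marker in USER_WRITABLE)

def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a finding label for one process-creation event, or None if it looks benign."""
    parent, image = basename(event["parent"]), basename(event["image"])
    cmd = event["cmdline"].lower()
    if parent == EQUATION_EDITOR:
        # Equation Editor has no reason to launch other programs; a child is exploit fallout.
        return "critical: Equation Editor spawned a child process"
    if image == "schtasks.exe" and "/create" in cmd and in_user_writable(cmd):
        return "high: scheduled task created to run a binary from a user-writable path"
    if image == "reg.exe" and " add " in cmd and RUN_KEY.search(cmd):
        return "high: Run key autorun entry added via reg.exe"
    return None

def hunt(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    return [(i, label) for i, ev in enumerate(events) if (label := classify(ev))]
```

Run `hunt(SAMPLE_EVENTS)` to get the (event index, finding) pairs; on real data, feed it a list of dicts in the same shape built from your EDR or Sysmon export.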