RansomHub affiliate leverages multi-function Betruger backdoor

A RansomHub affiliate is leveraging a new multi-function backdoor dubbed Betruger to perform various actions during their attacks, Symantec researchers have discovered.

The Betruger backdoor

The malware can take screenshots, log keystrokes, scan networks, dump credentials, and upload files to a command and control (C2) server, and it can also be used for privilege escalation.

“Betruger was found while investigating an attempted attack. From there we found another case where it was used,” Dick O’Brien, Principal Intelligence Analyst with the Symantec Threat Hunter Team by Broadcom, told Help Net Security.

“The limited number of attacks it has been used in suggests that it may have only been used by one affiliate, but who it was developed by is an open question.”

The likely impetus for using a multi-function backdoor like Betruger is to allow attackers to reduce their dwell time on target networks: instead of dropping several tools, they can just drop one.

Whether this malware will make the attack more “noisy” remains to be seen. After all, using malware can be a bit more conspicuous than using legitimate tools (e.g., remote monitoring and management software).

The attackers made the effort to masquerade the backdoor as a legitimate application, though, with file names such as mailer.exe and turbomailer.exe.

RansomHub affiliates’ toolkit

RansomHub is a ransomware-as-a-service operation that has been extremely active in the last year.

“The group has reportedly won over many affiliates by offering them better terms compared to rival operations, such as a great percentage of ransom payments and a payment model where the affiliate is paid by the victim before passing on the operator’s cut,” Symantec researchers noted.

“Betruger is just one of a range of tools that have been used by RansomHub affiliates in recent months. Like a growing number of ransomware attackers, some have begun using tools that leverage the Bring Your Own Vulnerable Driver (BYOVD) technique to disable security solutions, most notably EDRKillshifter.”

Among the tools known to be in their arsenal are:

  • Impacket (for remote service execution, Kerberos manipulation, Windows credential dumping, etc.)
  • Stowaway Proxy Tool (for proxying network traffic)
  • Rclone (for data exfiltration)
  • Mimikatz (for credential dumping)
  • ScreenConnect, Atera, Splashtop and TightVNC (for remote access to target computers)
  • NetScan (for host name and network service discovery)
  • SystemBC (a commodity backdoor for C2 communication).

They’ve also been spotted exploiting CVE-2022-24521 for privilege escalation and CVE-2023-27532 for obtaining credentials for accessing targets’ backup infrastructure.

Symantec has shared indicators of compromise associated with the latest RansomHub attacks.
