Betabot malware is back and spreads via malicious Office documents

by Ugnius Kiguolis

A new campaign has been noticed spreading the Betabot trojan


Betabot[1] malware has been known since 2013 as a banking trojan and botnet. The malware has not been very active during the past year. However, security researchers report that the trojan is back. Currently, attackers launch a multistage attack and exploit a 17-year-old vulnerability in the Microsoft Equation Editor component.

The recent attack begins with malicious Microsoft Office documents (Word, Excel or PDF) that are designed to exploit the CVE-2017-11882 vulnerability.[2] The flaw was discovered only last year. However, it had existed since 2000 in the Microsoft Equation Editor (EQNEDT32.EXE) component.

Microsoft patched this issue at the end of 2017. However, many computer users do not rush to install security updates. There’s no doubt that cyber criminals take advantage of this situation and aim at people who have insecure software on their Windows machines.

The sophisticated attack drops malware to the computer

Due to the CVE-2017-11882 vulnerability, attackers can inject an OLE object into a specific RTF file that allows executing the needed commands on the affected device. However, the file that is full of harmful components looks legitimate. So, users do not suspect the possible dangers or the installation of the following components:

  • inteldriverupd1.sct;
  • task.bat;
  • 2nd.bat;
  • exe.exe;
  • decoy.doc.

Each of these files has a specific task in launching the attack and installing Betabot successfully. During the first step of the attack, the inteldriverupd1.sct file creates a new object with the help of Windows Script Component. This newly created item then runs the task.bat script, which is designed to check for the block.txt file in the temp directory.

If the file is not there, the task.bat script creates it. After that, it launches the 2nd.bat script and its job is done. The task.bat script deletes itself and 2nd.bat execution begins. First of all, it starts the main exe file and kills the winword.exe process.

Once the Word process is killed, it’s time to delete traces of the malicious activity. Therefore, the 2nd.bat script deletes the Resiliency directory from the registry. However, attackers take advantage of the Most Recently Used (MRU) functionality in order to keep information about the last opened documents.

In this way, the attacker knows where the file was executed and can easily copy decoy.doc to the temp folder.[3]

During this procedure, the virus connects to the hxxp://goog[.]com/newbuild/t.php?stats=send&thread=0 server and finally shows the Decoy.doc file to the victim. Meanwhile, the malware deletes the final traces and, at the last attack stage, Betabot is installed on the machine.
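For defenders, the stages described above can be turned into a simple triage over process-creation logs. The following Python sketch is an added example, not code from the researchers' report; the event fields follow Sysmon Event ID 1 naming, the sample events are constructed, and the use of taskkill and reg.exe is an assumption because the article names the actions rather than the tools.

```python
# File names the article lists as dropped by the malicious document.
DROPPED = {"inteldriverupd1.sct", "task.bat", "2nd.bat", "exe.exe",
           "decoy.doc", "block.txt"}

def basename(path):
    """Lower-cased last component of a Windows path."""
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]

def classify(event):
    """Return the set of rule names that one process-creation event triggers."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "").lower()
    hits = set()
    if parent == "eqnedt32.exe":  # Equation Editor should not start children
        hits.add("eqnedt32_child")
    if any(basename(t.strip("\"'")) in DROPPED for t in cmd.split()):
        hits.add("dropped_file")
    # Assumption: Word is killed with taskkill, the key is removed with reg.exe.
    if image == "taskkill.exe" and "winword.exe" in cmd:
        hits.add("word_killed")
    if image == "reg.exe" and " delete " in cmd and "\\resiliency" in cmd:
        hits.add("resiliency_deleted")
    return hits

def triage(events, threshold=2):
    """Flag hosts that show at least `threshold` distinct stages of the chain."""
    per_host = {}
    for e in events:
        hits = classify(e)
        if hits:
            per_host.setdefault(e["Host"], set()).update(hits)
    return {h: sorted(s) for h, s in per_host.items() if len(s) >= threshold}

def ev(host, parent, image, cmd):
    return {"Host": host, "ParentImage": parent, "Image": image, "CommandLine": cmd}

SYS = "C:\\Windows\\System32\\"
EQN = r"C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE"
SAMPLE_EVENTS = [  # constructed events, not taken from a real incident
    ev("ws-01", EQN, SYS + "cmd.exe", r"cmd.exe /c %TEMP%\task.bat"),
    ev("ws-01", SYS + "cmd.exe", SYS + "taskkill.exe", "taskkill /f /im winword.exe"),
    ev("ws-01", SYS + "cmd.exe", SYS + "reg.exe",
       r"reg delete HKCU\Software\Microsoft\Office\16.0\Word\Resiliency /f"),
    ev("ws-02", r"C:\Windows\explorer.exe", r"C:\Office\WINWORD.EXE",
       r"winword.exe C:\Users\a\Documents\report.docx"),
    ev("ws-03", SYS + "cmd.exe", SYS + "taskkill.exe", "taskkill /im winword.exe"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Requiring two distinct stages per host keeps a lone event, such as someone killing a hung Word process on ws-03, from raising an alert.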

Various versions of Betabot might be spreading

The Betabot virus has been known for a couple of years. The malware was not only updated several times but also sold on the black market. According to reports, anyone could obtain it for about $320 to $500.[4] However, for some hacker-wannabes it might be quite pricey.

Therefore, in 2017 cracked versions of the Betabot builder became available on the dark web for about $120,[5] even though the authors of the original malware applied anti-piracy filters. As a result, there might currently be numerous variations of the malware being spread via malicious spam email attachments, fake downloads or updates.

Users are advised to be attentive and follow security measures. We want to remind you to be careful with unknown email attachments and to install programs or their updates only from legitimate sources.

About the author

Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.


References