Betabot Trojan Phase II: Stealing credentials and delivering ransomware

They do not make them like that (Betabot trojan) anymore.

If there is one thing that hackers and cyber criminals are good at, it’s coming up with new evil Betabot trojans.

But can you really blame them?

Hackers and other cyber criminals of old tried to target individuals and organizations that were small.

And weak.

But the modern web is currently experiencing a new breed of hackers and cyber criminals.

These types of hackers and cyber criminals are actually smart enough to be working for the likes of Google and Facebook.

How do we know that?

It’s simple really.

The skill and dedication it takes to launch multiple increasingly menacing cyber attacks time and time again is great.

In other words, a couch potato living in his mother’s basement can’t pull off cyber attacks of this magnitude.

The latest of these cyber attacks involves a trojan by the name of Betabot.

What Does The Betabot Trojan do?

Betabot is one form of trojan that doesn’t mess around much and gets straight to work.

What kind of work does it do exactly?

Well, it basically steals a user’s password.

After the trojan has successfully stolen the password, it continues to install ransomware on the user’s machine.

Cyber attacks carried out through the use of Betabots are classic signs of extraordinary hackers and cyber criminals.

More like money hungry hackers and crooks.

One can only hope that law enforcement agencies can keep up the pace with these criminals.

And stop their cyber attacks before they happen.

Running after hackers and shutting down servers left and right doesn’t sound like an effective strategy.

Just as criminals monetize their new tools and come up with new ones, law enforcement agencies have to do the same.

More About The Betabot Trojan

Trojans of today are extremely clever

The Betabot Trojan is generally used by hackers and cyber criminals to first steal passwords and then transfer them.

Transfer them to where you ask?

Mostly from the victim’s computer machine to their own servers where they can safely store the passwords.

Recent reports in the media have revealed that an increasing number of cyber attacks have used this Betabot trojan.

Experts refer to this two-stage behavior of the Betabot trojan as a second-stage payload.

What Have The Hackers And Cybercriminals Done Differently This Time?

Hackers and cybercriminals behind the latest wave of cyberattacks have changed their approach to hacking.

By that, we mean that, somehow, they have altered the original Betabot trojan and made it more destructive.

Moreover, hackers also topped off the greater destructive potential with avenues for making money.

Yes. Now hackers and cyber criminals can use Betabot trojans to not only launch cyber attacks but make money as well.

How do they actually do it?

In layman’s terms, hackers have added an extra step in the process of infecting a user’s machine.

Hackers are then able to make money because of that extra step.

In other words, the malware is able to penetrate further into the victim’s machine and hence opens up more possibilities.

According to a report published by Invincea, the new modified behavior of the Betabot trojan came with another change.

The genesis of this altered behavior lies in the way the Betabot trojan uses its new distribution method.

Betabot Trojan In The Early Days

Needless to say, the Betabot trojan has evolved quite a bit since it initially came onto the scene a while back.

Before this latest wave of cyber attacks, the Betabot trojan attacked its victims by making use of exploit kits.

Now the situation has changed.

The latest update to the Betabot trojan enables it to leverage newer technologies such as Neutrino exploit kits.

Hackers and other cybercriminals started the campaign of mass infection back in July.

It was around this time that they also started to make use of this newer distribution method for the Betabot trojan.

These modern hackers primarily used spam campaigns in order to deliver the Betabot trojan to their intended targets.

So basically, spam emails acted as the primary agents of destruction.


Hackers simply attached files to these spam emails.

More specifically, hackers sent a modified Word file along with the spam email.

This modified Word file contained macro scripts which infected the target’s machine with malicious code.

The Betabot Trojan Attacks Also Needed Help From Its Victims

Are you vulnerable?

Believe it or not, most of the trouble Betabot is known for causing can be avoided using simple rules.

We won’t discuss those rules here because most of them are commonly known facts.

Such as,

  • Never download attachments from unknown sources
  • Don’t open emails from contacts you don’t know
  • Don’t go to shady websites
  • Stop downloading software packages from torrent sites
  • Streaming sites are generally loaded with this type of malware
  • Use a fully up-to-date antivirus
  • Regularly scan your machine with good antispyware software
  • Don’t rely on Windows Defender alone. Disable it and install something better. Like Avast.

What we really mean to say is that the Betabot trojan cannot infect a machine on its own.

A user has to cooperate with the Betabot trojan in one form or another.

In this scenario, the user has to have macro support enabled in the latest Microsoft Office.

Without that activation, the Betabot trojan can’t do its thing.

With that activation in place though, hackers can infect the machine with their own scripts which would get downloaded to the machine automatically.

After that, these scripts installed the Betabot trojan on the target computer machine.
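Since the delivery described above depends on a Word attachment that carries macros, a mail gateway or analyst can triage attachments for embedded VBA before a user ever opens them. The sketch below is an added example, not code from Invincea or from the original article; the function names, verdict strings and sample files are all constructed for illustration.

```python
import io
import zipfile

# Magic bytes of the legacy OLE2 container used by .doc/.xls/.ppt files.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
MACRO_FREE_EXT = (".docx", ".xlsx", ".pptx")


def classify_attachment(filename: str, data: bytes) -> str:
    """Triage one e-mail attachment for embedded VBA macros."""
    if data.startswith(OLE2_MAGIC):
        # Legacy binary format: macros hide in OLE streams, so hand the
        # file to a real OLE parser instead of guessing here.
        return "legacy-ole-needs-deeper-scan"
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return "not-office-container"
    with zipfile.ZipFile(buf) as zf:
        names = [n.lower() for n in zf.namelist()]
    if "[content_types].xml" not in names:
        return "not-office-container"  # a ZIP, but not an OOXML document
    # Office stores the VBA project as a part named vbaProject.bin.
    if not any(n.rsplit("/", 1)[-1] == "vbaproject.bin" for n in names):
        return "ooxml-no-macros"
    if filename.lower().endswith(MACRO_FREE_EXT):
        # The extension promises a macro-free format, yet macros are present.
        return "macros-in-macro-free-extension"
    return "ooxml-with-macros"


def build_sample(parts: dict) -> bytes:
    """Build a constructed, in-memory OOXML-like ZIP for the demo."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return out.getvalue()


if __name__ == "__main__":
    base = {"[Content_Types].xml": "<Types/>", "word/document.xml": "<doc/>"}
    samples = {
        "cv.docm": build_sample({**base, "word/vbaProject.bin": b"\x00"}),
        "cv.docx": build_sample({**base, "word/vbaProject.bin": b"\x00"}),
        "notes.docx": build_sample(base),
        "old_cv.doc": OLE2_MAGIC + b"\x00" * 16,
    }
    for name, blob in samples.items():
        print(f"{name}: {classify_attachment(name, blob)}")
```

A verdict of "ooxml-with-macros" or "macros-in-macro-free-extension" on mail from an unknown sender is a reasonable trigger for quarantine; the legacy verdict only means the file needs a proper OLE parser.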

How Does The Betabot Trojan Work When It Is Finally Installed on A Victim’s Computer Machine

Even with the modified behavior, the Betabot trojan worked similarly to how it always works.

Basically it first stole passwords and then transferred them.

This “dumping” of passwords took place through the use of multiple applications.

What type of applications?

Everyday applications such as browsers along with email clients.

The Betabot trojan then continued causing havoc and then sending these stolen passwords to a remote command and control server.

What Did Invincea Along With Other Security Researchers Find About Betabot Trojan?

Hackers are coming to get you if you’re not prepared.

To be honest, the business of cyber security is really tough on agencies such as Invincea and the rest.

These security firms along with other security researchers have to work round the clock to stay in the race against hackers.

As usual, these security firms and researchers were able to identify key components of the Betabot trojan which were different from before.

As mentioned before, earlier Betabot trojans were delivered through the use of exploit kits.

This new Betabot trojan version was slightly different from the older variants.

It was different in the sense that it first stole all the relevant passwords and then delivered its knockout punch.

The knockout punch we’re referring to here is Cerber ransomware.

What Were These Cyber Criminals Trying To Do With The New Trojan?

Simply put, with the help of the new trojan, hackers encrypted the data on the victim’s PC.

But they only did it when they had already stolen everything they wanted from the victim’s PC.

After the usefulness of the victim’s PC expired, the hackers encrypted it with the help of Cerber ransomware.

Pat Belcher, who works for Invincea, explained the new phenomenon in a recent interview.

He said that this was the first time that hackers had used a weaponized document.

The weaponized document was augmented with a password stealing form of malware.

That malware, in turn, called the ransomware as a form of a second stage cyber attack, Pat said.

He further continued that this cyber attack was clearly an evolution on part of hackers and cyber criminals.

In other words, hackers previously did not make special efforts to maximize profits from an endpoint compromise.

He also explained that because of the new technique, hackers earned a much larger sum of money.

The primary cause of the increase in total profits, for hackers, was the multiple use of new attack techniques.

Hackers Are Winning The Game Of Cat And Mouse Against Law Enforcement Agencies.


Could it get any worse?

Of course, theoretically speaking it could always get worse.

But from a realistic perspective, things could hardly go more wrong for people trying to stay safe from hackers.

Because of the Betabot trojan, hackers don’t just steal your personal data but also infect you with ransomware.

As a consequence, not only do the hackers force their targets to pay them money, but they also compromise their data.

Betabot trojan has been specifically used by hackers to steal information and passwords regarding banks.

No one quite knows when exactly hackers came up with this new variant of Betabot trojan.

But most experts think that it came into the wild in March 2013.

The True Power Of Betabot Trojan

As mentioned earlier in the article as well, Betabot trojan is not your average-joe malware.

It can disable a potential victim’s antivirus.

Worse, it can also make software that scans for malware redundant.

The Betabot trojan is at its most effective when it is used against users who use Windows as their primary operating system.

Therefore, Windows machines are the most vulnerable ones against Betabot trojan.

Perhaps this is a good time to mention that despite being more than three years old, Betabot is still undefeated.

By undefeated, we mean that it can still sneak through computer machines undetected.

Example Scenario

Someone sends a user a document through email which says it is just a regular CV file.

In reality, it is a modified Word file which is infected with the Betabot trojan.

The Word file, which comes as an attachment to an email, asks the user to enable macros in order to view the file.

If the user enables macros, the malware is able to infect the computer.

Readers can probably guess what happens next.

The Betabot trojan gets to work, steals all important login information from the user’s web browser and vanishes.

Or does it?

That’s where Betabot Trojan is different from all other forms of trojans.

First, it kills the user’s computer machine and then it puts the work on it.

In other words, after it has stolen the user’s login data, it determines if the machine is of any use to it.

If it isn’t, it doesn’t stop.

Older trojans stopped at the precise point when they stole the user’s personal data.

Betabot goes one step further by extending its attack.

As indicated earlier in the article, it extends its attack by downloading more trojans on the victim’s machine.

And after some ransomware is installed on the machine, it asks the user for money in exchange for the compromised data.

So How Much Do You Have To Pay If You Get Infected With Betabot Trojan?

People who have fallen to the elaborate cyber attacks launched by hackers have had to part ways with quite a lot of money.

Generally speaking, hackers ask the victim to pay the required ransom in Bitcoin.

Bitcoin, as we all know, is an untraceable currency. Since there is no central bank controlling the transaction, no one knows where the money came from and where it went.

Mostly, though, victims have to pay around $570.

Once the victims have paid the required sum of money, in Bitcoins, they are provided with a key.

This key enables the victims to access their stolen data.

Right now, if a hacker managed to steal passwords along with other login information, the dark web pays him about $185.

That is if the hacker used the Betabot trojan.

And hence if one does a little bit of maths, it would make more sense as to why hackers are moving towards using Betabot more and more.

The average ransom gets any hacker three times more money than the stolen data.

Consequently, ransomware becomes a regular part of a hacker’s revenue stream.

More like an easy revenue stream, since all ransomware money is easy money.

The Ransomware Business

The ransomware business is ranked as the number one growing business in the world of cybercrime.

The main reason is that ransomware is relatively easy to carry out.

And, on the flip side, very difficult to guard against.

But that’s not all.

Witnessing the success of ransomware, more and more developers are also moving into the industry.

Ransomware is now being offered as a service.

Believe it or not, but there are many ransomware-as-a-service schemes out there in the online world.

But why are so many hackers moving into this niche?

We already told you that it is quite easy to carry out ransomware attacks.

But another lesser-known reason is that ransomware enables the totally illiterate cyber criminal to become an extortion kingpin.

Even the most technically inept hackers can coerce people into paying them large sums of money after infecting their machines with malware that encrypts their data.

Moreover, hackers aren’t the only ones benefiting from the new technology.

The developers who build these ransomware services also get a sizable cut of the ransomware payments.

And as a result, make a lot of money as well.

Who Is Most At Risk?

Organizations that still won’t budge and continue to use older operating systems are the most vulnerable.

These organizations include hospitals as well as law enforcement agencies.

Hospitals particularly still rely on ancient operating systems and out of date software applications to run their operations.

So it is no surprise that hospitals have become the top ransomware targets in recent years.

