LTS Secure Warning: Betabot Trojan aids hackers to breach system via office documents

The recently spotted attacks start with a Word document that attempts to exploit CVE-2017-11882, a vulnerability introduced in November 2000 in the Microsoft Equation Editor (EQNEDT32.EXE) component. Discovered only last year, the security bug was manually patched by Microsoft in late 2017. Betabot is a Trojan that infects computers and attempts to prevent users from accessing security websites, while also disabling their antivirus and malware-scanning software.

Technical Details

To infect the system, the bot creates a fake Microsoft Windows message box with the heading “User Account Control.” It asks the user to allow the “Windows Command Processor” to make administrator-level changes and claims it is verified by Microsoft. If the changes are approved, Betabot modifies the user’s computer to steal login credentials and financial data while also disabling access to security software. As part of this attack, the actor embedded an OLE object into a specially crafted RTF file to execute commands on the victim system. The embedded objects (inteldriverupd1.sct, task.bat, decoy.doc, exe.exe, and 2nd.bat) pose as legitimate software to gain the intended victim’s trust.

The researcher also found a .Net file containing encrypted strings. This layer is meant to decrypt another file and store it in a dictionary together with other information related to the malware’s configuration. To do so, it retrieves the encrypted images from its resources, converts them into a memory stream, decrypts them, and adds them to the dictionary. During execution, the threat also reads its configuration from the dictionary and calls the appropriate function. These functions allow it to check whether it is running in a virtual environment and to copy itself to the Start Menu.

At the last stage of the attack, a new variant of Betabot is deployed. The sample contains some anti-debugging and anti-virtualization tricks, then initiates communication with a domain, likely for tracking purposes. The researcher also noticed some redirections using said tracking values, likely meant to earn some additional money from an affiliate program.

The malware also communicates with a command and control (C&C) server at onedriveservice[.]com, which is clearly not a genuine Microsoft domain.
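As an added defensive example (not code from the advisory or from the researchers it cites), the Python triage script below hex-decodes the `\objdata` groups of an RTF file, flags payloads that carry the embedded object names listed above or that reference the Equation Editor OLE class (ProgID `Equation.3`, assumed here to be how such documents reach EQNEDT32.EXE), and filters proxy log lines for the onedriveservice[.]com C&C domain. The RTF document and the log lines are constructed inline for the demonstration.

```python
import re

# Indicators quoted in the advisory above; the C2 domain is de-fanged there as onedriveservice[.]com.
BETABOT_OBJECT_NAMES = (b"inteldriverupd1.sct", b"task.bat", b"decoy.doc", b"exe.exe", b"2nd.bat")
C2_DOMAIN = "onedriveservice.com"
EQNEDT_PROGID = b"Equation.3"  # ProgID of the Equation Editor OLE class hosted by EQNEDT32.EXE

_OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
_C2_RE = re.compile(r"(?<![\w-])" + re.escape(C2_DOMAIN) + r"(?![\w.-])")


def extract_objdata(rtf: bytes) -> list:
    """Hex-decode every \\objdata group in an RTF document and return the raw OLE payloads."""
    blobs = []
    for match in _OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", match.group(1))
        hexdata = hexdata[: len(hexdata) - len(hexdata) % 2]  # drop a dangling nibble
        blobs.append(bytes.fromhex(hexdata.decode("ascii")))
    return blobs


def triage_rtf(rtf: bytes) -> dict:
    """Flag embedded objects that name the dropper files or reference the Equation Editor class."""
    blobs = extract_objdata(rtf)
    names = sorted({n.decode() for b in blobs for n in BETABOT_OBJECT_NAMES if n in b})
    eqn = EQNEDT_PROGID in rtf or any(EQNEDT_PROGID in b for b in blobs)
    return {"embedded_objects": len(blobs), "known_names": names,
            "equation_editor": eqn, "suspicious": bool(names) or eqn}


def flag_c2_contacts(log_lines) -> list:
    """Return proxy/DNS log lines whose host is the C2 domain or a subdomain of it."""
    return [line for line in log_lines if _C2_RE.search(line)]


def sample_rtf() -> bytes:
    """Constructed document (not a real sample): an Ole10Native-style package that carries task.bat."""
    package = b"\x01\x05\x00\x00\x02\x00\x00\x00\x08\x00\x00\x00Package\x00task.bat\x00C:\\drop\\task.bat\x00"
    return (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata "
            + package.hex().encode() + b"}}\\par}")


SAMPLE_PROXY_LOG = [  # constructed lines, not from the advisory
    "2018-06-01T10:02:11Z 10.0.0.7 GET http://onedriveservice.com/ 200",
    "2018-06-01T10:02:13Z 10.0.0.7 GET https://onedrive.live.com/ 200",
    "2018-06-01T10:02:20Z 10.0.0.9 GET http://cdn.onedriveservice.com/ 200",
]

if __name__ == "__main__":
    print(triage_rtf(sample_rtf()), flag_c2_contacts(SAMPLE_PROXY_LOG))
```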

Impact

This Trojan targets the Windows OS and is designed to steal confidential information such as victims’ login credentials for financial websites, eCommerce sites, online platforms, and social network sites.

In addition, it can disable anti-virus functionality, kill the communications of competing malware, and perform DDoS attacks.

Recommended Actions

To protect your system from the Betabot Trojan, users should follow these security measures.

  • Never click on unknown links or open any software downloads without first performing a virus scan.
  • Users should deny any UAC request unless they are making modifications to their own system.
  • Before you click on any message, read the prompt your system shows and do not click “Yes” or “OK” thoughtlessly.
  • An up-to-date comprehensive security solution with a malware scanner, firewall, web, and real-time protection is an absolute must. A spam filter that protects you from unwanted spam emails also makes sense.

Kaspersky has released a security advisory about Betabot Trojan on June 1, 2018.