Betabot Malware Is Now Back & Distributed Via Dubious Documents

Betabot malware : An Old Trojan Comes Back With Specific Features

These days, the attack of Betabot malware is on the rise that masks itself as ‘User Account Control’ message box. When you click on this box, it will automatically infect your machine. Actually it is a commercial malware made by cyber hackers to be sold to another cyber criminals in order to steal your personal data.

Betabot malware is not a new Trojan infection, it is known as a botnet and banking Trojan since 2013. This malware has not been active during past year but team of security analysts have reported that it comes back to compromise wide3 range of Windows machine. Recently, group of cyber attackers has launched multistage attacks and exploit 17-year old vulnerability in the component of Microsoft Equation Editor.

Risk Factors of Betabot Malware

New attacks of Betabot malware spread with dubious MS Office documents including PDFs, Excel, MS Word and many more that are specifically designed to exploit the CVE-2017-11882 vulnerability. The flaw of this malware was only discovered on last year. Although, it existed in the component of Microsoft Equation Editor (EQNEDT32.EXE) since 2000. This issues is mainly patched by the Microsoft at end of 2017.

Betabot malware is a well known malware for couple of years that uses various distribution channels to compromise Windows machine. It was not only updated various times but also sold on black market. According to the researchers report, anyone can easily obtain it for $320 to $500. However, it might be quite pricey for some hackers. In 2017, the cracked versions of Betabot malware builder became available on dark web for $120. Therefore, there are numerous variants of Betabot malware is being spread through malicious spam email attachments, fake updates or downloads.

Attacks Dropped By Betabot Malware

Since Betabot malware uses CVE-2017-11882 vulnerability, the cyber attackers can inject the OLE object into specific RTF files that allows users to execute several needed commands on the infected machine. This is why, System users cannot easily suspect about the dangers and installation of components including :

  • inteldriverupd1.sct;
  • task.bat,
  • 2nd.bat;
  • exe.exe,
  • decoy.doc etc.

These files have a very specific job to launch attack of Betabot malware inside the PC successfully. First of all, inteldriverupd1.sct file create the new object by taking help of the Windows Script component, then the newly created items executes task.bat script that mainly designed to check block.txt in temp directory. If there is no block.txt file, task.bat creates it. After that it successfully launches 2bd.bat script.

First of all Betabot malware initiate the main exe file and kills almost all Windword.exe procedure. Once it killed the word process, it is high time to delete the traces of the dubious as well as malicious activity. This is why, 2nd.bat script deletes the Resiliency directory from registry. During the attacking procedure, Betabot malware connects to hxxp://goog[.]com/newbuild/t.php?stats=send&thread=0 remote servers and displays Decoy.doc file.

Leave a Comment

Your email address will not be published. Required fields are marked *