New Commercial Trojan In the Wild: Meet Beta Bot


It appears that a much-anticipated event has finally transpired in the cybercrime arena: the release and active sale, beginning around January this year, of a new commercially available Trojan family circulating under the name Beta Bot.

RSA researchers have recently come across samples of this user-mode rootkit and analyzed its behind-the-scenes infrastructure. Beta Bot actually started out as an HTTP bot[1] and not a banking Trojan, but it has since evolved, donned a trigger list, and been repurposed for financial fraud, with targets that include banks, e-commerce sites and even Bitcoin wallets.

RSA's research indicates that Beta Bot (alias: Troj/Neurevt-A) is not the creation of an amateur. The malware is a persistent Ring-3 rootkit with layers of anti-security protection (such as refusing to execute inside virtual machines, thereby evading sandboxes), AV-disabling features, and even a DNS redirecting scheme that isolates bots from security-themed online resources, including RSA’s official website.
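As an added illustration that is not part of the original post, the script below shows one responder-side check for the kind of DNS isolation just described; it assumes the redirect is implemented through the local hosts file (the post does not say how Beta Bot does it), and the watch list and sample hosts file are constructed for the example.

```python
# Added illustration (not from the post). Assumption: the security-site
# redirect lives in the local hosts file; the post does not say how it works.
import ipaddress
import re

# Constructed watch list: domains an admin would not expect to see overridden.
SECURITY_DOMAINS = {"rsa.com", "virustotal.com", "microsoft.com"}


def is_blackhole(addr):
    """True for loopback/unspecified targets typically used to sink a name."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def is_watched(hostname):
    """True if hostname equals, or is a subdomain of, a watched domain."""
    parts = hostname.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in SECURITY_DOMAINS for i in range(len(parts)))


def find_suspicious_entries(hosts_text):
    """Return (hostname, address, reason) for every watched name overridden."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        addr, *names = re.split(r"\s+", line)
        for name in names:
            if is_watched(name):
                reason = "blackholed" if is_blackhole(addr) else "redirected"
                findings.append((name, addr, reason))
    return findings


# Constructed sample hosts file: two benign lines, three overrides.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
192.168.1.10    build-server.internal   # ordinary admin entry
127.0.0.1       www.rsa.com rsa.com
0.0.0.0         www.virustotal.com
203.0.113.7     update.microsoft.com
"""

if __name__ == "__main__":
    for host, addr, why in find_suspicious_entries(SAMPLE_HOSTS):
        print(f"{why:10} {host} -> {addr}")
```

A "redirected" finding (a routable address rather than a sink) is the more interesting case, since it may point at infrastructure the operator controls rather than simply blocking the site.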

Examining the Features of Beta Bot

Since Beta Bot’s earlier vocation as an HTTP bot was performing repetitive automated tasks, it approaches its new job in mostly the same way – taking commands from its master and delivering stolen data from infected PCs.

Beta Bot sports a data-grabbing feature (capturing HTTP POST requests), as well as a rather uncommon social-engineering component that takes over the Windows user-interface prompts, allowing it to interact with the end user, escalate its own processes’ privileges, and make the infected PC its new home for the long run.
