New Commercial Trojan In the Wild: Meet Beta Bot
It appears that a much-anticipated event has finally transpired in the cybercrime arena: a new commercially available Trojan family, circulating under the name Beta Bot, has been released and actively sold since around January of this year.
RSA researchers have recently come across samples of this user-mode rootkit and analyzed its behind-the-scenes infrastructure. Beta Bot actually started out as an HTTP bot[1] rather than a banking Trojan, but it has since evolved: it has acquired a trigger list (the set of target URLs that activates its data-theft routines) and has been repurposed for financial fraud against targets such as banks, ecommerce sites and even Bitcoin wallets.
RSA's research indicates that Beta Bot (alias: Troj/Neurevt-A) is not the work of an amateur. The malware is a persistent Ring-3 (user-mode) rootkit with layers of anti-security protection: it refuses to execute inside virtual machines, which keeps it out of automated sandboxes; it disables antivirus products; and it even uses a DNS redirection scheme to cut infected machines off from security-themed online resources, including RSA's official website.
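The DNS redirection is one of the few behaviours described above that a defender can check for directly on a suspect machine. The script below is an added example, not RSA's analysis code and not anything taken from a Beta Bot sample. The page does not say how the redirection is implemented, so the script assumes the simplest form (hosts-file pins, or resolver answers, that send security-vendor names to loopback, unspecified, link-local or RFC 1918 addresses) and flags resolutions of that shape. The watch-list of vendor domains and the sample hosts-file content are constructed for the example; only RSA's own site is named on the page.

```python
"""Audit hosts-file entries and resolver answers for security-site redirection.

Added example, not RSA's code and not Beta Bot's. The page only says that
Beta Bot uses a DNS redirecting scheme to cut bots off from
security-themed sites; the mechanism checked here (hosts-file pins or
resolver answers that send such names to loopback, unspecified,
link-local or RFC 1918 addresses) is an assumption about one common way
to do that.
"""
import ipaddress
import socket

# Constructed watch-list of base domains whose redirection would be
# suspicious. Only RSA's site is named on the page; the others are
# sample vendor names added for the example.
WATCH_DOMAINS = ("rsa.com", "virustotal.com", "symantec.com")

# Address ranges a legitimate hosts-file entry for a public vendor site
# would never use. An answer in one of these is treated as a sinkhole.
SINKHOLE_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fe80::/10", "fc00::/7",
)]


def is_watched(hostname, watch=WATCH_DOMAINS):
    """True if hostname is one of the watched domains or a subdomain of one."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watch)


def is_sinkhole_address(ip_text):
    """True if the address is loopback, unspecified, link-local or private."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    # `in` returns False on a v4/v6 version mismatch, so mixing is safe.
    return any(addr in net for net in SINKHOLE_NETWORKS)


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, first token is not an address
        for name in fields[1:]:
            yield fields[0], name


def audit_hosts(text, watch=WATCH_DOMAINS):
    """Return (hostname, ip, sinkholed) for every watched name pinned in hosts.

    Any pin of a public vendor site is reported, because a clean machine has
    no reason to carry one; the flag says whether the target is a sinkhole
    address (blocked outright) or some other host (possibly a hijack).
    """
    return [
        (name, ip, is_sinkhole_address(ip))
        for ip, name in parse_hosts(text)
        if is_watched(name, watch)
    ]


def audit_live_resolution(hostnames):
    """Resolve each name with the system resolver and flag sinkhole answers.

    Covers the resolver-level variant of the scheme. Returns (name, answer)
    pairs; answer is None when resolution fails, which is also worth a look.
    Needs network access, so it is not exercised by the sample run below.
    """
    findings = []
    for name in hostnames:
        try:
            answer = socket.gethostbyname(name)
        except socket.gaierror:
            findings.append((name, None))
            continue
        if is_sinkhole_address(answer):
            findings.append((name, answer))
    return findings


# Constructed sample hosts file: the pins below are made up for the
# example and do not come from any real infected machine.
HOSTS_SAMPLE = """\
# localhost entries are normal
127.0.0.1       localhost
::1             localhost
# the pins below are what the redirection scheme is assumed to leave behind
127.0.0.1       www.rsa.com rsa.com
0.0.0.0         www.virustotal.com
203.0.113.10    www.symantec.com        # sent to some other host instead
10.0.0.5        fileserver.corp.example # legitimate internal pin, not flagged
"""

if __name__ == "__main__":
    for name, ip, sinkholed in audit_hosts(HOSTS_SAMPLE):
        kind = "sinkholed" if sinkholed else "redirected"
        print(f"{kind:10} {name:24} -> {ip}")
```

Run against a real machine, feed `audit_hosts` the contents of the system hosts file (`/etc/hosts`, or `%SystemRoot%\System32\drivers\etc\hosts` on Windows) and `audit_live_resolution` the same watch-list; a vendor name that resolves to loopback, fails outright, or lands on a host you do not recognise deserves a closer look at the resolver configuration and any hooked networking code.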
Examining the Features of Beta Bot
Since Beta Bot's earlier vocation as an HTTP bot was the performance of repetitive automated tasks, it approaches its new job in much the same way: taking commands from its master and delivering data stolen from infected PCs.
Beta Bot sports a data-grabbing feature (it captures HTTP POST requests, which carry submitted form data such as login credentials), as well as a rather uncommon social engineering component that takes over Windows user interface prompts. This lets it interact with the end user, coax them into approving the elevation of its own processes' privileges, and make the infected PC its home for the long run.