Betabot Trojan Steals Your Passwords And Installs Ransomware To Monetize.
Betabot was delivered by Neutrino Exploit Kit. The IP used for both Betabot and Cerber is 93[.]174.91.49. A VirusTotal report on this IP provides additional details here. A screenshot below highlights the multiple filenames used between Betabot and Cerber. Invincea described this in its blog.
Image: Server IP used to download Betabot and Cerber malware
As the image shows, the filenames found with the Betabot weaponized documents are bb.exe (bb denoting Betabot), bbcrypt.exe, and diablo.exe.
How does this attack work?
Betabot spreads through spam emails that contain a file attachment: a Word file containing malicious macro scripts. If the user activates macro support in Microsoft Office, the scripts automatically download and install Betabot to infect the computer. Betabot then scrapes all passwords stored in all local browsers.
According to the Invincea report, the attackers are maximizing the profits from an endpoint compromise, earning a much larger payout by using multiple attack techniques.
- Never open unknown file attachments in email.
- Beware of social engineering attacks.