
Betruger backdoor malware is the latest tool used by the ransomware-as-a-service (RaaS) operation RansomHub.
Researchers at cybersecurity company Symantec have uncovered a multi-function backdoor that appears to have been developed specifically for carrying out ransomware attacks.
The Betruger backdoor has functionality used in pre-ransomware tools, such as screenshotting, keylogging, network scanning, credential dumping, and uploading files to a command and control server.
“File names used for versions of this malware included mailer.exe and turbomailer.exe. The backdoor contains no mailing functionality. It’s possible the attackers used the name in order to masquerade as a legitimate application,” Symantec claims.
The functionality of Betruger reportedly indicates that it may have been developed in order to minimize the number of new tools dropped on a targeted network while a ransomware attack is being prepared.
Symantec notes that it’s relatively uncommon to develop custom malware for ransomware attacks, as most attackers leverage existing tools. Where custom malware is developed, it is mostly used for data exfiltration.
Betruger backdoor has been spotted in several attacks by RansomHub in recent months.
RansomHub, which was responsible for the highest number of claimed attacks, is operated by a threat actor named Greenbottle.