RansomHub ransomware uses new Betruger ‘multi-function’ backdoor

A newly identified custom backdoor deployed in several recent ransomware attacks has been linked to at least one RansomHub ransomware-as-a-service (RaaS) operation affiliate.

Symantec researchers who named this malware Betruger describe it as a “rare example of a multi-function backdoor” that was likely engineered for use in ransomware attacks.

The malware bundles a wide range of functions that overlap with the tooling typically dropped before a ransomware payload is deployed, including keylogging, network scanning, privilege escalation, credential dumping, screenshotting, and uploading files to a command and control (C2) server.

“The functionality of Betruger indicates that it may have been developed in order to minimize the number of new tools dropped on a targeted network while a ransomware attack is being prepared,” Symantec’s Threat Hunter Team said.

“The use of custom malware other than encrypting payloads is relatively unusual in ransomware attacks. Most attackers rely on legitimate tools, living off the land, and publicly available malware such as Mimikatz and Cobalt Strike,” Symantec’s Threat Hunter Team said.

Attackers behind the Betruger backdoor are dropping it using the ‘mailer.exe’ and ‘turbomailer.exe’ filenames to camouflage it as a legitimate mailing-related app.
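As an added illustration (not Symantec's detection logic and not code from the original article), the filenames above can be turned into a simple hunt over process-creation telemetry. The example assumes Sysmon-style events serialised as one JSON object per line with `EventID`, `Image`, `ParentImage`, `CommandLine` and `User` fields; the field names and the sample events are constructed for this demonstration and do not come from any real incident.

```python
import json
import ntpath

# Filenames the article reports Betruger being dropped under (matched case-insensitively).
BETRUGER_MASQUERADE_NAMES = {"mailer.exe", "turbomailer.exe"}

SYSMON_PROCESS_CREATE = 1  # Sysmon Event ID 1 = ProcessCreate


def image_basename(path: str) -> str:
    """Return the lower-cased file name of a Windows image path (handles \\ and / separators)."""
    return ntpath.basename(path).lower()


def flag_masquerade(event_lines, watchlist=BETRUGER_MASQUERADE_NAMES):
    """Return process-creation events whose image name is on the masquerade watchlist.

    Each element of event_lines is a JSON string for one Sysmon-style event (assumed schema).
    Only ProcessCreate events are considered; other event types are skipped.
    """
    hits = []
    for raw in event_lines:
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than abort the hunt
        if ev.get("EventID") != SYSMON_PROCESS_CREATE:
            continue
        name = image_basename(ev.get("Image", ""))
        if name in watchlist:
            hits.append({
                "image": ev.get("Image"),
                "parent": ev.get("ParentImage"),
                "command_line": ev.get("CommandLine"),
                "user": ev.get("User"),
                "reason": f"image name '{name}' matches Betruger masquerade filename",
            })
    return hits


# Constructed sample events (hypothetical; not from any real environment).
SAMPLE_EVENTS = [
    json.dumps({"EventID": 1, "Image": "C:\\Users\\Public\\mailer.exe",
                "ParentImage": "C:\\Windows\\System32\\cmd.exe",
                "CommandLine": "mailer.exe", "User": "CORP\\svc-backup"}),
    json.dumps({"EventID": 1, "Image": "C:/ProgramData/TurboMailer.EXE",
                "ParentImage": "C:/Windows/explorer.exe",
                "CommandLine": "TurboMailer.EXE", "User": "CORP\\jdoe"}),
    json.dumps({"EventID": 1, "Image": "C:\\Windows\\explorer.exe",
                "ParentImage": "C:\\Windows\\System32\\userinit.exe",
                "CommandLine": "explorer.exe", "User": "CORP\\jdoe"}),
    # Network-connect event for the same image: not a ProcessCreate, so not flagged here.
    json.dumps({"EventID": 3, "Image": "C:\\Users\\Public\\mailer.exe",
                "DestinationIp": "203.0.113.10", "User": "CORP\\svc-backup"}),
    "not json at all",
]


if __name__ == "__main__":
    for hit in flag_masquerade(SAMPLE_EVENTS):
        print(hit)
```

Filename matching alone is a weak signal (a legitimate mailing utility could share the name), so treat a hit as a pivot point: check the binary's signature and hash, the dropping parent process, and whether the same process goes on to perform the network scanning or credential access described above.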

Even though other ransomware gangs have also developed custom malicious tools, they’ve mainly been designed to help exfiltrate sensitive data from victims’ compromised systems. Such tools include BlackMatter’s Exmatter stealer and BlackByte’s Exbyte data theft tool for uploading stolen files to the Mega.co.nz cloud storage service.

The RansomHub ransomware gang

The RansomHub ransomware-as-a-service (RaaS) operation (previously known as Cyclops and Knight) emerged over a year ago, in February 2024, and has been linked to data-theft-based extortion rather than encrypting data on victims’ breached systems.

Since it surfaced, the ransomware gang has claimed multiple high-profile victims, including oil services giant Halliburton, the Christie’s auction house, US telecom provider Frontier Communications, the Rite Aid drugstore chain, Kawasaki’s EU division, the Planned Parenthood sexual health nonprofit, and the Bologna Football Club.

RansomHub also leaked data stolen from Change Healthcare after the BlackCat/ALPHV ransomware operation’s $22 million exit scam, following the most significant healthcare breach in recent years, which impacted over 190 million individuals.

More recently, it claimed the breach of BayMark Health Services, North America’s largest addiction treatment provider. BayMark Health Services provides medication-assisted treatment (MAT) services to over 75,000 patients daily at over 400 service sites across 35 US states and three Canadian provinces.

The FBI says that, as of August 2024, RansomHub affiliates had breached over 200 victims across multiple US critical infrastructure sectors, including government services, healthcare, and other critical infrastructure.


