Cybercriminals Use Cracked Builder to Spawn Betabot Variants
1.3.2017 securityweek CyberCrime
Betabot, an old piece of malware that ensnares affected computers into a botnet, is now being distributed by attackers who managed to crack its builder, Sophos security researchers reveal.
The malware previously functioned as a banking information stealing Trojan, then became a password stealing malware, and recently began capitalizing on infected bots to distribute ransomware. Because some miscreants didn’t want to pay the malware’s creators to get a builder, they started using cracked builders to copy the original design without paying for it.
Sophos security researchers performed an in-depth analysis of Betabot version 1.7, which is said to be the most recent version. The malware’s command and control (C&C) server, they say in a report (PDF), features a fairly user-friendly interface which can appeal to cybercriminals who either lack technical knowledge or don’t want to create a botnet framework for themselves.
The Betabot malware package isn’t very expensive, being advertised on the black market for around $120. However, a cracked version of the builder has been circulating, allowing cybercriminals to use the malware without contacting the author and paying for the malicious softwar kit.
“As Betabot’s intended use is nefarious in nature, the existence of cracked versions of the builder indicates cybercriminals are not only targeting members of the unsuspecting public but are also engaged in activities related to hacking other malware to leverage the work of other malware authors for free. Although this is not unprecedented, the increased availability due to the utilization of a software crack often results in an increase in the malware family’s use by new parties,” the security researchers say.
Sophos’ researchers say that the Betabot authors did apply anti-piracy measures to their malware toolkit to ensure they receive payment when their creation is used by other cybercriminals. In fact, a feature called “proactive defense” packed in the malware is meant to prevent other competing bots or similar tools such as remote access Trojans from installing and potentially hijacking the botnet.
One of the used measures was the complexity involved in the method of encoding the configuration data inside the bot payload. This data includes, among other things, the URL of the C&C server and encryption keys used to encrypt and decrypt the data sent to the server. This configuration data is encrypted and saved in the bot and the complexity of the packaging method makes it difficult for researchers to analyze the threat and for other cybercriminals to encode their own configuration data.
The crack, researchers say, consists of a console-based builder application that has the compiled Betabot template code stored as a bytes array within the data section of the builder application itself. Users can specify custom configuration information that the crack then encrypts and inserts into the included template code at the appropriate position.
Next, the crack repacks the entire PE file in an attempt to further obfuscate the generated bot to avoid detection by antivirus software. The crack allows users to instruct the bot to connect to a specified C&C, and a single configuration data structure offers support for up to 16 individual servers. However, typical Betabot samples only specify one or two servers, researchers say.
Additionally, the cracked builder generates some pseudo random keys that are to be used for the communication with the server. These keys are then encrypted into the bot’s configuration along with the information provided by the user, and a payload executable that can be distributed is generated. The communication keys are also displayed on the screen, so that the user can configure their server to match them.
“The HC128 algorithm is included in the source code in the form of inline x86 assembly code intended for use with the Microsoft Visual Studio Compiler,” the researchers say. Comments in the cracked builder’s code suggests that the author of the crack couldn’t identify the encryption algorithm, and simply extracted it.
Sophos’ report also delivers a thorough analysis of the malware’s C&C server and capabilities, including the anti-piracy measures that the Betabot authors packed their creation with. Those interested in the technical details should have a look at the full report, available in PDF format.
“Although the Betabot family has been around for a while, it is still prevalent and used to spread other malware campaigns and harvest site login credentials. The availability of a crack and the simplicity of the C&C web portal make it attractive to cybercriminals to use without putting forth a lot of effort,” the researchers conclude.