Betruger: A Custom Backdoor Powering RansomHub’s Ransomware Attacks

A New Threat in the Ransomware Landscape

Symantec’s Threat Hunter team has uncovered a dangerous custom backdoor called Betruger, linked to a RansomHub affiliate. Unlike traditional ransomware tools, Betruger is designed as an all-in-one solution, minimizing the need for multiple hacking tools. This strategy makes attacks stealthier and harder to detect.

Betruger comes equipped with a range of malicious capabilities, including screenshot capture, credential theft, keystroke logging, network scanning, and privilege escalation. These functions are commonly spread across different tools in standard ransomware attacks, but Betruger combines them into a single executable file, reducing the attack footprint.

Key Findings from Symantec’s Report

  • Betruger’s Design: It appears as “mailer.exe” or “turbomailer.exe”, disguising itself as a legitimate mailing tool. However, it lacks any actual mailing functionality.
  • Affiliation with RansomHub: RansomHub is a Ransomware-as-a-Service (RaaS) operation, meaning it provides ransomware tools to affiliates in exchange for a share of the ransom payments.
  • Tactics and Exploits:
    • Uses Bring Your Own Vulnerable Driver (BYOVD) techniques to disable security mechanisms.
    • Exploits known vulnerabilities such as CVE-2022-24521 and CVE-2023-27532 for privilege escalation and credential theft.
    • Works alongside tools like Impacket, Stowaway Proxy, Rclone, Mimikatz, SystemBC, and remote access tools (ScreenConnect, Atera, and Splashtop) for data exfiltration and remote control.

RansomHub’s Rise in Cybercrime

RansomHub has quickly gained traction since its emergence in February 2024. By the third quarter of 2024, it became the most active ransomware operation, surpassing even established cybercrime groups.

The

1. Higher profit shares for affiliates.
2. A unique payment structure where affiliates receive ransom payments directly from victims before paying the operators their cut.

This strategy has lured many cybercriminals away from competing ransomware-as-a-service operations, accelerating RansomHub’s expansion.

What Undercode Says:

The discovery of Betruger highlights a concerning evolution in ransomware tactics. Rather than relying on widely available hacking tools like Mimikatz and Cobalt Strike, groups like RansomHub are now investing in custom backdoors that streamline attacks. This trend presents several critical implications for cybersecurity:

1. Increased Evasion Capabilities

Betruger reduces the need for multiple tools, which makes it harder for security software to detect attacks. Traditional security systems flag known malware, but a custom backdoor like Betruger flies under the radar until its behavior is analyzed.

2. Lower Barriers for Cybercriminals

By providing an all-in-one attack tool, RansomHub makes ransomware campaigns easier to execute. Cybercriminals no longer need extensive technical knowledge to launch attacks—they can simply deploy Betruger and let it handle key aspects of infiltration and data theft.

3. The Role of RaaS in Cybercrime Expansion

The Ransomware-as-a-Service model has transformed cybercrime into an organized, scalable business. RansomHub’s aggressive affiliate recruitment means more criminals have access to powerful ransomware tools, leading to more attacks on businesses, hospitals, and government entities.

4. The BYOVD Technique is Here to Stay

RansomHub’s use of Bring Your Own Vulnerable Driver (BYOVD) shows that attackers are shifting towards more sophisticated defense evasion techniques. Because kernel drivers run with higher privileges than endpoint security agents, loading a legitimately signed but vulnerable driver gives attackers kernel-level access that they can use to disable or blind endpoint detection.

5. Defensive Strategies for Organizations

Organizations must adapt their cybersecurity defenses to counter this new threat landscape. Some essential strategies include:

  • Implementing Zero Trust Architecture: Ensuring every user and device is continuously verified.
  • Monitoring Unusual Executables: Identifying suspicious files like “mailer.exe” that lack expected functionality.
  • Patching Known Vulnerabilities: Regularly updating systems to mitigate exploits like CVE-2022-24521.
  • Enhanced Threat Intelligence: Staying updated on emerging threats like Betruger and adjusting defense strategies accordingly.
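The two detection points above (executables posing as mailers, and BYOVD driver loads) can be turned into simple triage rules. The following is an added example, not code from Symantec or the report; it runs over constructed Sysmon-style events, and the driver hash and file paths are placeholders rather than real indicators.

```python
"""Added example (not from the report): triage of constructed Sysmon-like events
for two signals the post describes, executables posing as mailers and loads of
drivers on a vulnerable-driver blocklist (BYOVD). Hashes/paths are placeholders."""
import re
from dataclasses import dataclass

# Names Betruger was observed using, per the Symantec findings summarised above.
SUSPECT_IMAGE_NAMES = {"mailer.exe", "turbomailer.exe"}
# Placeholder blocklist (SHA256, lower-case hex); in production feed this from
# Microsoft's vulnerable driver blocklist or the LOLDrivers project.
VULNERABLE_DRIVER_SHA256 = {"00" * 32}
# Parses key="value" pairs as written by a Sysmon-style text exporter.
EVENT_RE = re.compile(r'(\w+)="([^"]*)"')

@dataclass
class Finding:
    rule: str
    evidence: str

def parse_event(line: str) -> dict:
    return dict(EVENT_RE.findall(line))

def sha256_from_hashes(field: str) -> str:
    """Sysmon writes Hashes as 'SHA256=...,MD5=...'; return the SHA256 or ''."""
    for part in field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""

def triage(lines: list) -> list:
    """Apply both rules to a batch of events; findings come back in log order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "1":  # process creation: check the image file name
            name = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
            if name in SUSPECT_IMAGE_NAMES:
                findings.append(Finding("disguised-mailer-executable", ev["Image"]))
        elif ev.get("EventID") == "6":  # driver loaded: compare hash to blocklist
            if sha256_from_hashes(ev.get("Hashes", "")) in VULNERABLE_DRIVER_SHA256:
                findings.append(Finding("byovd-driver-load", ev.get("ImageLoaded", "")))
    return findings

# Constructed sample events: placeholder paths and hashes, not real indicators.
CONSTRUCTED_LOG = [
    'EventID="1" Image="C:\\Users\\u\\AppData\\Local\\Temp\\turbomailer.exe" ParentImage="C:\\Windows\\explorer.exe"',
    'EventID="1" Image="C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe" ParentImage="C:\\Windows\\explorer.exe"',
    'EventID="6" ImageLoaded="C:\\Windows\\Temp\\drv.sys" Hashes="SHA256=' + "00" * 32 + ',MD5=' + "11" * 16 + '"',
]
```

A name match alone is only a lead; the legitimate mail client in the sample is not flagged, and a real deployment would enrich the hit with signer, path and network behaviour before escalating.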

The rise of RansomHub and its custom backdoor Betruger signals a dangerous shift in ransomware operations. Organizations must remain proactive, vigilant, and continuously evolve their security measures to stay ahead of these sophisticated cybercriminals.

Fact Checker Results

✔ Confirmed Affiliation with RansomHub – Multiple sources verify that Betruger is linked to RansomHub operations.
✔ Custom Tool, Not Public Malware – Unlike Mimikatz or Cobalt Strike, Betruger is specifically built for RansomHub affiliates.
✔ BYOVD and Known Vulnerabilities Used – Reports confirm RansomHub exploits vulnerabilities like CVE-2022-24521 for attacks.

References:

Reported By: https://securityaffairs.com/175701/cyber-crime/ransomhub-affiliate-uses-custom-backdoor-betruger.html