
RansomHub Ransomware Uses a New Backdoor Betruger! How to Combat It?

The RansomHub ransomware operation has recently been linked to a new multi-function backdoor, dubbed Betruger, which its affiliates have deployed in several ransomware intrusions. This article summarizes what is known about Betruger and the RansomHub operation behind it, and explains how NetSecurity’s ThreatResponder product can help defend against attacks of this kind.

The Emergence of Betruger

Security researchers (Symantec’s Threat Hunter Team) have identified Betruger as a multi-function backdoor used by affiliates of the RansomHub ransomware operation. Rather than dropping a separate tool for each stage of an intrusion, as most ransomware affiliates do, Betruger consolidates the pre-encryption tooling into a single executable. The backdoor can perform a range of malicious activities, including:

  • Keylogging: Capturing keystrokes to steal sensitive information.
  • Network Scanning: Enumerating reachable hosts and services to find targets for lateral movement.
  • Privilege Escalation: Gaining higher-level access to systems.
  • Credential Dumping: Extracting login credentials from compromised systems.
  • Screenshot Capture: Taking screenshots of the victim’s desktop.
  • File Uploads: Transferring stolen data to a command-and-control (C2) server.

By bundling these functionalities, Betruger lets attackers drop fewer distinct binaries on a victim network, which reduces the number of file-based indicators defenders can catch. The malware also masquerades as legitimate software, using filenames such as mailer.exe and turbomailer.exe to avoid suspicion. The flip side for defenders is that a single process now exhibits several behaviours (credential access, internal scanning, outbound uploads) that would normally be spread across separate tools, so behaviour-based correlation per process is a stronger signal than the filename alone.

The RansomHub Operation

RansomHub, a ransomware-as-a-service (RaaS) operation, has been highly active over the past year. The group has attracted numerous affiliates by offering favorable terms, such as a higher share of ransom payments and a model in which the affiliate collects the ransom from the victim directly and then passes the operator’s cut along, rather than the reverse. This has enabled RansomHub to carry out numerous high-profile attacks across various industries, including healthcare, telecommunications, and oil services.

The use of Betruger is just one example of the tooling in RansomHub affiliates’ arsenal. Other tools include Impacket for remote service execution, Mimikatz for credential dumping, and SystemBC for C2 communication. Affiliates have also been observed exploiting CVE-2022-24521 (a Windows Common Log File System driver elevation-of-privilege flaw) for privilege escalation and CVE-2023-27532 (a Veeam Backup & Replication vulnerability exposing stored credentials) to reach backup infrastructure. Both are patched vulnerabilities, so confirming that the April 2022 Windows updates and the vendor fix for Veeam are applied is a straightforward first check.

The ThreatResponder Solution

In the face of such sophisticated threats, organizations need a comprehensive security solution that can detect, prevent, and respond to attacks in real-time. NetSecurity’s ThreatResponder platform is designed to do just that. Here’s how ThreatResponder can help protect against advanced threats like Betruger:

  1. Endpoint Threat Detection and Prevention: ThreatResponder provides continuous monitoring of endpoint activities, including process, file system, registry, network, and memory activities. This allows for the early detection of malicious behaviors associated with backdoors like Betruger.
  2. Incident Response and Forensics: In the event of a breach, ThreatResponder enables security analysts to conduct thorough investigations and respond swiftly. The platform supports remote forensics, allowing investigators to analyze compromised systems without disrupting business operations.
  3. Threat Intelligence and Analytics: ThreatResponder leverages threat intelligence from various sources, including US-CERT and commercial providers, to stay ahead of emerging threats. The platform’s analytics capabilities provide deep insights into user activities and network bandwidth utilization, helping to identify and mitigate risks.
  4. Prevention of Exploit and Fileless Attacks: ThreatResponder is equipped to prevent a wide range of attacks, including exploit, fileless, malware, and ransomware attacks. The platform can terminate malicious code, disconnect compromised hosts, and enforce endpoint access controls.
  5. Comprehensive Threat Hunting: With ThreatResponder, security teams can proactively hunt for threats across the enterprise. The platform supports natural language queries, making it easier to search for hidden or unknown threats.

Try ThreatResponder Today!

The emergence of the Betruger backdoor and its use by RansomHub affiliates underscores the need for advanced cybersecurity solutions. NetSecurity’s ThreatResponder platform offers a comprehensive suite of tools to detect, prevent, and respond to sophisticated attacks, ensuring that organizations can stay one step ahead of cybercriminals. By investing in ThreatResponder, organizations can enhance their security posture and protect their critical assets from the ever-growing threat of ransomware and other cyber attacks. Stay vigilant, stay protected with NetSecurity.

Disclaimer

The page’s content shall be deemed proprietary and privileged information of NETSECURITY CORPORATION. It shall be noted that NETSECURITY CORPORATION copyrights the contents of this page. Any violation/misuse/unauthorized use of this content “as is” or “modified” shall be considered illegal and subjected to articles and provisions that have been stipulated in the General Data Protection Regulation (GDPR) and Personal Data Protection Law (PDPL).