Full Report
Betruger backdoor being used by at least one affiliate of RansomHub.
Analysis Summary
# Tool/Technique: Backdoor.Betruger
## Overview
Backdoor.Betruger is a new, custom-developed, multi-function backdoor used by at least one affiliate of the RansomHub Ransomware-as-a-Service (RaaS) operation. It is notable for consolidating functionality typically found across several pre-ransomware tools into a single malware sample, likely to minimize the number of distinct tools deployed during the preparation phase of a ransomware attack.
## Technical Details
- Type: Malware family (Backdoor)
- Platform: Windows (Inferred from tools like Mimikatz and Windows exploits mentioned)
- Capabilities: Screenshotting, Keylogging, File uploading to C&C, Network scanning, Privilege escalation, Credential dumping.
- First Seen: Recent attacks associated with RansomHub (Active since February 2024).
## MITRE ATT&CK Mapping
The functionality described maps to several common pre-ransomware activities:
- TA0005 - Defense Evasion
  - T1055 - Process Injection (Inferred, often used for privilege escalation/credential access)
- TA0006 - Credential Access
  - T1003 - OS Credential Dumping
- TA0007 - Discovery
  - T1046 - Network Service Scanning
- TA0008 - Lateral Movement
  - T1021 - Remote Services (Likely leveraging the RDP/VNC tools mentioned later)
- TA0011 - Command and Control
  - T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- **Information Gathering:** Capturing screenshots and logging keystrokes.
- **Lateral Movement Preparation:** Performing network scanning to map the internal environment.
- **Persistence/Access:** Functionality for privilege escalation and dumping credentials.
- **Exfiltration:** Uploading collected files to a command and control (C&C) server.
### Advanced Features
- **Consolidated Utility:** Serving the role of multiple reconnaissance and access tools within a single binary.
- **Masquerading:** The file names used, `mailer.exe` and `turbomailer.exe`, suggest an attempt to pass as legitimate or benign applications, although the sample has no actual mailing functionality.
## Indicators of Compromise
- File Hashes:
  - `ae7c31d4547dd293ba3fd3982b715c65d731ee07a9c1cc402234d8705c01dfca`
  - `b058c128c801e2ee03874e183239ff369c599f3a2324905ff73f99d16d3b1a16`
- File Names: `mailer.exe`, `turbomailer.exe`
- Registry Keys: [Not specified]
- Network Indicators: Uploading functionality implies communication with C&C infrastructure, but specific addresses are not listed for Betruger in the provided text.
- Behavioral Indicators: Initial access leading to screenshotting, keylogging, and scanning activities.
## Associated Threat Actors
- RansomHub RaaS affiliates (operated by the group Symantec tracks as **Greenbottle**).
## Detection Methods
- Signature-based detection: Provided hashes can be used for file-based detection (e.g., Symantec Endpoint products).
- Behavioral detection: Monitoring for the combination of behaviors: screenshotting, keylogging, network scanning, and unusual file uploads from a process attempting to masquerade via file names like `mailer.exe`.
- YARA rules: [Not specified]
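As an added example (not code from this report or from Symantec), the following Python sweep turns the hash and file-name indicators listed above into a directory scan. It generalises slightly beyond the report by accepting any indicator set, so the same function serves the other hash lists on this page. The `demo_scan` helper builds a throwaway directory with constructed files; the digest it adds for its own sample file is not a real Betruger indicator and exists only to exercise the hash-match path.

```python
"""Added example (not part of the original report): match files on disk
against the Backdoor.Betruger SHA-256 and file-name indicators."""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 indicators for Backdoor.Betruger, copied from the report above.
BETRUGER_SHA256 = {
    "ae7c31d4547dd293ba3fd3982b715c65d731ee07a9c1cc402234d8705c01dfca",
    "b058c128c801e2ee03874e183239ff369c599f3a2324905ff73f99d16d3b1a16",
}
# File names the report says the backdoor masqueraded under.
BETRUGER_NAMES = {"mailer.exe", "turbomailer.exe"}


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large binaries don't get read into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root, hashes=BETRUGER_SHA256, names=BETRUGER_NAMES):
    """Walk `root` and return (path, reason) for every file whose digest is in
    `hashes` or whose name is in `names`. A hash match wins over a name match
    because the digest is the stronger indicator."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = Path(dirpath) / fname
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue  # unreadable or vanished file: skip, don't abort the sweep
            if digest in hashes:
                findings.append((str(path), "hash match: " + digest))
            elif fname.lower() in names:
                findings.append((str(path), "name match: " + fname))
    return findings


def demo_scan():
    """Constructed demonstration: seed a temporary directory with three files
    and scan it. Returns {file name: reason} for the files that were flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes.txt").write_bytes(b"quarterly numbers\n")         # benign
        (root / "turbomailer.exe").write_bytes(b"MZ constructed sample")   # name match only
        sample = root / "sample.bin"
        sample.write_bytes(b"constructed bytes standing in for a sample")
        # Add the constructed file's own digest so the hash path is exercised.
        # This digest is NOT a real Betruger indicator.
        indicators = BETRUGER_SHA256 | {sha256_of_file(sample)}
        findings = scan_directory(root, hashes=indicators)
    return {Path(p).name: reason for p, reason in findings}


if __name__ == "__main__":
    for name, reason in demo_scan().items():
        print(f"{name}: {reason}")
```

On a real host you would call `scan_directory` on the paths you care about (user profile, temp and download locations) and feed any hit into triage; a name match alone is weak evidence, which is why the two reasons are reported separately.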
## Mitigation Strategies
- **Patching:** Address known vulnerabilities exploited in conjunction with the tool, specifically the Windows Privilege Escalation exploit ([CVE-2022-24521](https://nvd.nist.gov/vuln/detail/cve-2022-24521)) and the Veeam credential-leaking vulnerability ([CVE-2023-27532](https://nvd.nist.gov/vuln/detail/CVE-2023-27532)).
- **BYOVD Protection:** Implement controls that block the Bring Your Own Vulnerable Driver (BYOVD) technique, such as the mitigations that apply to EDRKillshifter.
- **Least Privilege:** Strict enforcement of least privilege principles to limit the impact of privilege escalation attempts.
## Related Tools/Techniques
- **Associated Ransomware:** RansomHub
- **Other tools used by affiliates:** EDRKillshifter (BYOVD), Impacket, Stowaway Proxy Tool, Rclone, ScreenConnect, Mimikatz, SystemBC, NetScan, Atera, Splashtop, TightVNC.
- **Related custom malware mentioned:** Infostealer.Exmatter (Coreid group), Infostealer.Exbyte (Hecamede group).
***
# Tool/Technique: EDRKillshifter (BYOVD)
## Overview
EDRKillshifter appears to be a specific implementation of the Bring Your Own Vulnerable Driver (BYOVD) technique, used by RansomHub affiliates to disable security solutions, particularly Endpoint Detection and Response (EDR) tools.
## Technical Details
- Type: Tool/Technique implementation (BYOVD)
- Platform: Windows (Inferred)
- Capabilities: Disabling security solutions (EDR).
- First Seen: Recently by RansomHub affiliates.
## MITRE ATT&CK Mapping
- TA0005 - Defense Evasion
  - T1217 - Driver Hijacking (Related to BYOVD)
## Functionality
### Core Capabilities
- Disabling EDR functionality on the target system by exploiting a vulnerable, trusted driver.
### Advanced Features
- Leverages the BYOVD technique, often used to gain kernel-level access in order to terminate or disable security processes and services.
## Indicators of Compromise
- File Hashes: [Not explicitly listed for EDRKillshifter itself]
- File Names: [Not explicitly listed]
- Registry Keys: [Not specified]
- Network Indicators: [Not specified]
- Behavioral Indicators: Successful termination or disabling of EDR processes/services following execution.
## Associated Threat Actors
- RansomHub affiliates.
## Detection Methods
- Detection should focus on the behavioral aspects of BYOVD or on known malicious driver-loading patterns.
- Behavioral detection: Monitoring for system calls or driver interactions known to interface with security products in a malicious manner, or attempts to load untrusted drivers.
## Mitigation Strategies
- **Driver Whitelisting:** Implement strict driver signing and whitelisting policies to only allow approved, trusted drivers to load into the kernel.
- **Patching/Updating:** Ensure all legitimate drivers are updated to remove known vulnerabilities that attackers could leverage for BYOVD.
## Related Tools/Techniques
- Bring Your Own Vulnerable Driver (BYOVD) technique.
***
# Tool/Technique: Impacket
## Overview
Impacket is an open-source collection of Python modules for programmatically constructing and manipulating network protocols. It is frequently abused by threat actors for network reconnaissance and privileged operations on Windows domains.
## Technical Details
- Type: Tool (Framework/Library)
- Platform: Cross-platform (Python-based, targets network protocols)
- Capabilities: Remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, relay attacks.
- First Seen: Long-standing, publicly available tool.
## MITRE ATT&CK Mapping
- TA0006 - Credential Access
  - T1003 - OS Credential Dumping (Secretsdump module often used)
- TA0007 - Discovery
  - T1087 - Account Discovery (Via enumeration modules)
- TA0008 - Lateral Movement
  - T1021 - Remote Services (Used for remote execution)
- TA0011 - Command and Control
  - T1571 - Non-Standard Port (If used for C2 tunneling)
## Functionality
### Core Capabilities
- Protocol manipulation for Windows/SMB/Kerberos environments.
- Remote execution capabilities across a network.
### Advanced Features
- Comprehensive suite for post-exploitation activities, especially within Active Directory environments.
## Indicators of Compromise
- File Hashes: [Not typically associated with the core use of the library itself, but specific executables utilizing Impacket might have hashes.]
- File Names: [N/A - primarily library functions]
- Registry Keys: [Not applicable]
- Network Indicators: Unusual traffic patterns related to SMB/Kerberos manipulation or remote service execution attempts.
- Behavioral Indicators: Programmatic attempts to dump credentials or execute services remotely using privileged accounts.
## Associated Threat Actors
- Used broadly across the threat landscape, including RansomHub affiliates.
## Detection Methods
- Behavioral detection: Monitoring for Python scripts or executables invoking Impacket functionalities like `secretsdump.py` or remote execution modules.
- Network detection: Identifying abnormal Kerberos traffic or high volumes of SMB administrative shares being accessed programmatically.
## Mitigation Strategies
- Network Segmentation and Egress Filtering.
- Enforce Multi-Factor Authentication (MFA) everywhere possible.
- Monitor for unusual service creation or remote command execution originating from non-administrative systems.
## Related Tools/Techniques
- Similar to other Windows domain enumeration/exploitation frameworks.
***
# Tool/Technique: Stowaway Proxy Tool
## Overview
Stowaway is a publicly available, multi-hop proxy tool designed to forward network traffic to nodes inside an intranet. Threat actors misuse it to maintain covert paths into, and access to, internal systems.
## Technical Details
- Type: Tool (Proxy)
- Platform: Cross-platform (Inferred)
- Capabilities: Multi-hop proxying, internal network tunneling.
- First Seen: Publicly available via GitHub.
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
  - T1090 - Proxy
## Functionality
### Core Capabilities
- Establishing proxied connections across network hops.
### Advanced Features
- Allows attackers to pivot deeper into private networks while obfuscating the true source of the connection by chaining proxies.
## Indicators of Compromise
- File Hashes: `edc9222aece9098ad636af351dd896ffee3360e487fda658062a9722edf02185` (Associated file hash in article)
- File Names: Stowaway executable/script.
- Network Indicators: Traffic originating from internal hosts that consistently relays connections outward via a non-standard proxy chain.
- Behavioral Indicators: Unexpected process establishing SOCKS or HTTP proxy listeners/clients.
## Associated Threat Actors
- RansomHub affiliates.
## Detection Methods
- Signature-based detection: Use the provided hash for identification.
- Behavioral detection: Monitoring endpoints for the execution of this specific tool or for connections attempting to tunnel traffic through multi-hop proxy configurations.
## Mitigation Strategies
- Restrict the execution of unauthorized networking tools on end systems.
- Closely monitor and restrict outbound traffic patterns that resemble multi-hop proxy chaining.
## Related Tools/Techniques
- Cobalt Strike (often uses similar proxy or port forwarding methods).
***
# Tool/Technique: Rclone
## Overview
Rclone is an open-source command-line tool used for managing files on cloud storage services. Ransomware operators leverage its legitimate functionality to exfiltrate stolen data from victim networks to cloud destinations.
## Technical Details
- Type: Tool (Utility)
- Platform: Cross-platform
- Capabilities: Managing content in the cloud, often abused for data exfiltration.
- First Seen: Long-standing, legitimate tool.
## MITRE ATT&CK Mapping
- TA0010 - Exfiltration
  - T1041 - Exfiltration Over C2 Channel (or direct cloud upload)
## Functionality
### Core Capabilities
- Transferring large volumes of data to various cloud storage providers.
### Advanced Features
- Automated and scriptable data movement, making large-scale data theft efficient.
## Indicators of Compromise
- File Hashes: [Not explicitly listed in the main IOC table for Rclone]
- File Names: `rclone.exe` or related script names.
- Network Indicators: High-volume outbound connections to common cloud storage service URLs/IPs initiated by unusual processes.
- Behavioral Indicators: Execution of Rclone commands referencing sensitive directories followed by large outbound data transfers.
## Associated Threat Actors
- Widely used by ransomware groups, including RansomHub affiliates.
## Detection Methods
- Behavioral detection: Monitoring for Rclone execution, especially when targeting sensitive data paths, immediately prior to large network uploads.
- Network detection: Monitoring egress traffic volumes to cloud storage providers.
## Mitigation Strategies
- Application Control/Whitelisting to restrict the execution of Rclone on critical servers.
- Limit network access to external cloud storage endpoints from systems that do not require that access.
## Related Tools/Techniques
- Cloud-based exfiltration tools.
***
# Tool/Technique: ScreenConnect (ConnectWise)
## Overview
ScreenConnect (now ConnectWise Control) is a legitimate remote desktop application used for remote access and support. Attackers utilize compromised credentials or software vulnerabilities to deploy and use this tool for persistent remote access.
## Technical Details
- Type: Tool (Remote Access Software)
- Platform: Windows (Inferred)
- Capabilities: Remote desktop access and control.
- First Seen: Long-standing commercial tool.
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
  - T1105 - Ingress Tool Transfer
  - T1090 - Proxy (If used for pivoting)
## Functionality
### Core Capabilities
- Providing high-fidelity remote access sessions.
### Advanced Features
- Once access is established, it functions as a stable C2 channel and persistence mechanism.
## Indicators of Compromise
- File Hashes: `80a2ae9d5189c55aeb838b651a712e70045d8e45bd95678c61109e6183fe3607` (Associated file hash in article)
- File Names: ScreenConnect server/client executables.
- Network Indicators: Connections to legitimate but potentially compromised ScreenConnect servers, or connections to internal hosts expecting remote desktop traffic on standard ports (typically 8040/8041).
- Behavioral Indicators: Unusual user sessions logging in via ScreenConnect, or rapid sequences of administrative actions following a remote session initiation.
## Associated Threat Actors
- RansomHub affiliates and many other threat groups utilizing legitimate remote access tools (RATs).
## Detection Methods
- Signature-based detection: Use the provided hash.
- Behavioral detection: Audit logs for RDP/remote access tools, especially those initiated from new or suspicious accounts.
## Mitigation Strategies
- Strict credential hygiene for ScreenConnect administration accounts.
- Maintain up-to-date versions to patch known exploitation vectors.
- Monitor outbound traffic associated with the software endpoints.
## Related Tools/Techniques
- Atera, Splashtop, TightVNC (other remote access tools mentioned).
***
# Tool/Technique: Mimikatz
## Overview
Mimikatz is a well-known, publicly available tool designed primarily to extract plaintext passwords, password hashes, and PINs from Windows memory (the LSASS process).
## Technical Details
- Type: Tool (Credential Access)
- Platform: Windows
- Capabilities: Credential dumping (e.g., Kerberos tickets, NTLM hashes).
- First Seen: 2014.
## MITRE ATT&CK Mapping
- TA0006 - Credential Access
  - T1003.001 - OS Credential Dumping: LSASS Memory
## Functionality
### Core Capabilities
- Dumping credentials from memory.
### Advanced Features
- Kerberos credential extraction and manipulation.
## Indicators of Compromise
- File Hashes:
  - `7c0f223f585b9c9b64d4ac8c04724edbffa43b95fa997912960c9c5332ede18b`
  - `d04bd76a2710fc35b3a445b5db241f13f199763e38b8fbe5316063c36a27a931`
  - `41abfef1ac0b9700700a9b42cb39cdd79b39a1a5b0eb3d3929e82c650b84bac6`
- File Names: Mimikatz executables are often renamed or reflectively loaded, so the file name is an unreliable indicator.
- Behavioral Indicators: Any process accessing the LSASS memory space without a legitimate security or system process justification.
## Associated Threat Actors
- Universally used across the threat landscape, including RansomHub affiliates.
## Detection Methods
- Signature-based detection: Use provided IOC hashes.
- Behavioral detection: Monitoring for direct read access to the LSASS process memory.
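As an added example rather than anything from the report, the following Python detection implements the behavioral bullet above over Sysmon Event ID 10 (ProcessAccess) records exported as newline-delimited JSON. The field names (`SourceImage`, `TargetImage`, `GrantedAccess`) are Sysmon's; the JSON layout, the allowlist of processes that legitimately open LSASS, and the log lines themselves are constructed for the example and would be tuned from a real baseline. The rule flags any non-allowlisted process that obtains a handle to `lsass.exe` carrying `PROCESS_VM_READ` or full access, which covers the Mimikatz case and also the credential-dumping capability the report attributes to Betruger.

```python
"""Added example (not from the original report): flag suspicious handles to
LSASS in Sysmon Event ID 10 (ProcessAccess) records."""
import json

# Access-mask bits from the Windows PROCESS_* rights. Reading another process's
# memory requires PROCESS_VM_READ; credential dumpers usually also request a
# query right, and the lazy ones simply ask for PROCESS_ALL_ACCESS.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_ALL_ACCESS = 0x1FFFFF

# Processes that legitimately open LSASS on a typical host. This allowlist is an
# assumption for the example (msmpeng.exe stands in for whatever AV/EDR engine
# you run); build yours from observed baseline telemetry.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\programdata\microsoft\windows defender\platform\msmpeng.exe",
}


def is_lsass_read(event):
    """True when a ProcessAccess event targets lsass.exe with a mask that permits
    reading its memory (or grants full access), from a non-allowlisted source."""
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return False
    mask = int(event.get("GrantedAccess", "0x0"), 16)
    reads_memory = mask == PROCESS_ALL_ACCESS or (mask & PROCESS_VM_READ) != 0
    source = event.get("SourceImage", "").lower()
    return reads_memory and source not in ALLOWED_SOURCES


def find_lsass_readers(log_lines):
    """Parse newline-delimited JSON Sysmon records and return (SourceImage,
    GrantedAccess) for each Event ID 10 record that is_lsass_read() flags."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed record: skip it rather than abort the sweep
        if event.get("EventID") != 10:
            continue  # only ProcessAccess events carry GrantedAccess
        if is_lsass_read(event):
            hits.append((event["SourceImage"], event["GrantedAccess"]))
    return hits


# Constructed sample records (not real telemetry). The raw string keeps the
# JSON-escaped backslashes intact; json.loads turns "\\" into a single "\".
SAMPLE_LOG = r"""
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"}
{"EventID": 10, "SourceImage": "C:\\Users\\Public\\mailer.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"}
{"EventID": 10, "SourceImage": "C:\\Temp\\m.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1fffff"}
{"EventID": 10, "SourceImage": "C:\\Temp\\m.exe", "TargetImage": "C:\\Windows\\System32\\notepad.exe", "GrantedAccess": "0x1fffff"}
{"EventID": 1, "Image": "C:\\Temp\\m.exe", "CommandLine": "m.exe"}
"""

if __name__ == "__main__":
    for source, mask in find_lsass_readers(SAMPLE_LOG.splitlines()):
        print(f"LSASS memory access from {source} (GrantedAccess={mask})")
```

The first sample record is not flagged for two independent reasons: `0x1000` has no `PROCESS_VM_READ` bit, and `svchost.exe` is allowlisted. Keep both checks; an allowlist on its own is defeated by a dumper that copies itself to an allowlisted path, and a mask check on its own is noisy on hosts where security agents legitimately read LSASS.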
## Mitigation Strategies
- Implement credential guarding technologies (LSA Protection).
- Restrict administrative rights.
- Deploy Credential Guard or similar memory protection features.
## Related Tools/Techniques
- Secretsdump (Hash listed: `c3405d9c9d593d75d773c0615254e69d0362954384058ee970a3ec0944519c37`).
***
# Tool/Technique: SystemBC
## Overview
SystemBC is commodity malware capable of establishing a backdoor on an infected machine and communicating with the C2 server using the SOCKS5 proxy protocol.
## Technical Details
- Type: Malware (Backdoor)
- Platform: Windows (Inferred)
- Capabilities: Establishing a SOCKS5 proxy backdoor.
- First Seen: Commodity malware used historically.
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
  - T1090.003 - Proxy: Multi-hop Proxy
## Functionality
### Core Capabilities
- Creating persistent backdoor access.
- Functioning as a SOCKS5 proxy for routing subsequent malicious traffic.
## Indicators of Compromise
- File Hashes: [Not specified]
- File Names: [Not specified]
- Network Indicators: Traffic destined for C2 servers using the SOCKS5 protocol when initiated by unusual processes.
- Behavioral Indicators: Outbound connections on non-standard ports being initiated by system processes that should not be acting as proxies.
## Associated Threat Actors
- Used by various cybercrime entities, including RansomHub affiliates.
## Detection Methods
- Network detection: Identifying C2 communications utilizing the SOCKS5 protocol from endpoints.
## Mitigation Strategies
- Restrict outbound proxy connections unless explicitly required and whitelisted.
## Related Tools/Techniques
- Other commodity backdoors utilizing proxy protocols.
***
# Tool/Technique: NetScan (SoftPerfect Network Scanner)
## Overview
NetScan (SoftPerfect Network Scanner) is a legitimate, publicly available tool used for network discovery, service identification, and host mapping. Attackers use it to map the internal network topology.
## Technical Details
- Type: Tool (Scanner/Discovery)
- Platform: Windows (Inferred)
- Capabilities: Host identification, service discovery.
- First Seen: Legitimate public tool.
## MITRE ATT&CK Mapping
- TA0007 - Discovery
  - T1046 - Network Service Scanning
## Functionality
### Core Capabilities
- Mapping accessible hosts and open services on the network.
## Indicators of Compromise
- File Hashes:
  - `d37a023b809ef9ec024be3976344813a4b860aa9104e298d5d5d4805381ff3a5`
  - `e14ba0fb92e16bb7db3b1efac4b13aee178542c6994543e7535d8efaa589870c`
- File Names: `netscan.exe`
- Behavioral Indicators: High volume of network scanning activity originating from an endpoint that typically does not perform network administration tasks.
## Associated Threat Actors
- RansomHub affiliates and others relying on "living off the land."
## Detection Methods
- Signature-based detection: Use provided IOC hashes.
- Behavioral analysis: Detecting excessive internal network scanning.
## Mitigation Strategies
- Restrict execution of unauthorized scanning and enumeration tools.
- Network access controls limiting the scope of what compromised internal hosts can reach.
## Related Tools/Techniques
- Standard network mapping utilities abused by threat actors.
***
# Tool/Technique: Atera
## Overview
Atera is a legitimate Remote Monitoring and Management (RMM) platform. Attackers leverage compromised RMM accounts or software installations to gain persistent, remote access across the network.
## Technical Details
- Type: Tool (Remote Access/RMM)
- Platform: Cross-platform
- Capabilities: Legitimate remote monitoring and administrative access.
- First Seen: Commercial software.
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
  - T1219 - Remote Access Software
## Functionality
### Core Capabilities
- Establishing remote sessions to operational computers.
## Indicators of Compromise
- File Hashes:
  - `a96a0ba7998a6956c8073b6eff9306398cc03fb9866e4cabf0810a69bb2a43b2`
  - `9fa315259cc627b17a0d99864cd1bf54667bd26ccef5ce50ba412fa8911b10e5`
- Behavioral Indicators: Remote sessions initiated outside of defined service windows or originating from external/suspicious network locations.
## Associated Threat Actors
- RansomHub affiliates and other groups using legitimate software for malicious access.
## Detection Methods
- Signature-based detection: Use provided IOC hashes.
- Auditing RMM platform logs for suspicious user activity or session duration.
## Mitigation Strategies
- Implement strong MFA and conditional access policies for RMM access.
- Restrict RMM installation scope.
## Related Tools/Techniques
- ScreenConnect, Splashtop, TightVNC.
***
# Tool/Technique: Splashtop
## Overview
Splashtop is a family of legitimate remote desktop and remote support software. Like other RMMs, threat actors misuse this for maintaining unauthorized remote access.
## Technical Details
- Type: Tool (Remote Access Software)
- Platform: Cross-platform
- Capabilities: Remote access and support.
- First Seen: Commercial software.
## MITRE ATT&CK Mapping
- TA0008 - Lateral Movement
  - T1021.001 - Remote Desktop Protocol (Used as an infrastructure proxy)
## Functionality
### Core Capabilities
- Enabling remote access to desktops and mobile devices.
## Indicators of Compromise
- File Hashes: `f402d9eb5158adac54ab9f4f564051a39a8d817dd66bd46bbb373e80f08a4a08` (Associated file hash)
- Behavioral Indicators: Unusual connection patterns to Splashtop services or internal host-to-host connections via Splashtop infrastructure.
## Associated Threat Actors
- RansomHub affiliates.
## Detection Methods
- Signature-based detection: Use the provided hash.
- Monitoring for unauthorized installations or atypical usage patterns of legitimate remote access tools.
## Mitigation Strategies
- Centralized management and review of all legitimate remote desktop software.
## Related Tools/Techniques
- Atera, ScreenConnect, TightVNC.
***
# Tool/Technique: TightVNC
## Overview
TightVNC is open-source remote desktop software that allows users to display a remote desktop on their own screen. It is frequently deployed or installed covertly by attackers for remote control.
## Technical Details
- Type: Tool (Remote Access Software)
- Platform: Cross-platform
- Capabilities: Open-source remote desktop control.
- First Seen: Long-standing open-source tool.
## MITRE ATT&CK Mapping
- TA0008 - Lateral Movement
  - T1021.004 - Remote Services: VNC
## Functionality
### Core Capabilities
- Providing graphical remote control over a system.
## Indicators of Compromise
- File Hashes: [Not specified]
- File Names: TightVNC server/client executables.
- Behavioral Indicators: Unexpected initiation of VNC server processes or connections to VNC ports (e.g., 5900+).
## Associated Threat Actors
- RansomHub affiliates.
## Detection Methods
- Behavioral detection focusing on VNC usage patterns.
## Mitigation Strategies
- Disable or uninstall unnecessary remote desktop software.
## Related Tools/Techniques
- Atera, ScreenConnect, Splashtop.
***
# Technique: Bring Your Own Vulnerable Driver (BYOVD)
## Overview
BYOVD is a technique in which an adversary installs a legitimate but vulnerable kernel driver on a target system. The vulnerable driver then lets the attacker's unprivileged code escalate privileges or manipulate the operating system kernel, typically to terminate security software such as EDR agents.
## Technical Details
- Type: Technique
- Platform: Windows (Primarily)
- Capabilities: Privilege Escalation, Security Software Disablement.
- First Seen: Gaining prevalence in 2021/2022.
## MITRE ATT&CK Mapping
- TA0004 - Privilege Escalation
  - T1217 - Driver Hijacking (Highly related)
- TA0005 - Defense Evasion
  - T1548.002 - Bypass User Account Control (If used for elevation)
## Functionality
- Kernel access to overwrite memory, stop services, or modify system state in an unauthorized manner.
## Associated Threat Actors
- RansomHub affiliates (using EDRKillshifter example).
## Detection Methods
- Behavioral detection: Monitoring for signed drivers performing unauthorized system or memory modifications.
- System integrity checks on critical drivers.
## Mitigation Strategies
- Driver allowlisting/whitelisting.
- Ensuring all third-party drivers are fully patched.
## Related Tools/Techniques
- Kernel exploit techniques.
***
# Vulnerability: Windows Privilege Escalation Exploit (CVE-2022-24521)
## Overview
This references a specific Windows vulnerability exploited by the attackers, allowing for privilege escalation on the target system.
## Technical Details
- Type: Vulnerability Exploit
- Platform: Windows
- First Seen: Patched March 2022.
## MITRE ATT&CK Mapping
- TA0004 - Privilege Escalation
  - T1068 - Exploitation for Privilege Escalation
## Associated Threat Actors
- RansomHub affiliates.
## Mitigation Strategies
- Apply the Microsoft security update addressing CVE-2022-24521.
***
# Vulnerability: Veeam Exploit (CVE-2023-27532)
## Overview
A vulnerability affecting Veeam software that leads to credential leakage, which attackers can use to compromise backup systems and potentially bypass recovery mechanisms.
## Technical Details
- Type: Vulnerability Exploit
- Platform: Windows (Veeam Server)
- First Seen: Patched by Veeam in 2023.
## MITRE ATT&CK Mapping
- TA0006 - Credential Access
  - T1003 - OS Credential Dumping (If credentials are leaked for system accounts)
## Associated Threat Actors
- RansomHub affiliates.
## Mitigation Strategies
- Apply Veeam security updates for CVE-2023-27532.
- Isolate backup infrastructure and restrict access.