In recent weeks, SophosLabs has published papers outlining threats from AKBuilder and Betabot. Now, it appears the bad guys are combining the two in new attack campaigns.
SophosLabs principal researcher Gábor Szappanos said the lab has received and analyzed a handful of AKBuilder-generated documents in the past week. The documents initially drop a file that contains two payloads: one, the popular LokiBot credential stealer; the other, something that appears to be a version of Betabot. “We thought that Betabot was pretty much dead, with no activity in the past months – up until last week,” Szappanos said.
The malware and tools in question
Before looking at the new developments, a review of the malware is in order.
- AKBuilder is an exploit kit that generates malicious Word documents, all in Rich Text Format. Once purchased, malicious actors use it to package malware samples into booby-trapped documents they can then spam out. SophosLabs has analyzed and defended customers against two versions: AK-1, which uses two exploits in the same document (CVE-2012-0158 and CVE-2014-1761), and AK-2, which uses a single exploit (CVE-2015-1641).
- LokiBot is commonly found along with malware called Upatre. The Upatre component is typically delivered in bulk, via spam, and then used to install the banking Trojan on infected computers.
- Betabot is a malware family used to hijack computers and force them to join botnets. It has been used to steal passwords and banking information, and has most recently been used in ransomware campaigns. Betabot has been around for a long time. Its code is easy to duplicate and attackers have turned to a cracked builder to produce it on the cheap.
The three converge
Szappanos shared his findings with Naked Security Wednesday morning. He said the malware is delivered in email messages like this:
And this:
The attachments of the messages are Rich Text Format documents generated by AKBuilder. These documents drop the additional malware components. Here is some basic information about the documents:
| First seen | Dropper SHA1 | Filename |
|---|---|---|
| 20/02/2017 | 757dfe8e61f96d470da70235dc8c0e3dc9567339 | po866377.doc |
| 20/02/2017 | eaf2f7bbc5fddd19f8414eccfc81bc1af6500311 | UAE-INQUIRy.doc |
| 23/02/2017 | 6aecb37db36c89829cfcbcc458383bbbd218a598 | Quotation-Needed.doc |
| 22/02/2017 | 79fa30f9031b6f0a6ab7d2606d76538657921a51 | po866377.doc |
| 22/02/2017 | 905d8f63f39a32ec3cfe26c821267c22cf32b828 | Quotation required.doc |
| 22/02/2017 | c56b2ec03dcb1c58744592f73f0a6e103aa9cbed | Order_Al Amani Automotech LLC.220217.doc |
| 22/02/2017 | cfd7cb2b88b26a48d6c033d5626689fc313d0cf4 | United Energy Co.doc |
The exploited documents drop two files, which are two different Trojans:
- %USERHOME%\AppData\Roaming\win32.exe : LokiBot credential stealer
- %USERHOME%\AppData\Local\Temp\nbot.exe : Betabot/Neurevt Trojan

Dyzap is executed automatically on startup by %STARTUP%\win32.vbs.
LokiBot sent the stolen credentials to the following C&C addresses:
- monetizechart.me
- dfoxinternashipoop.top
- conticontrations.com
- mdelatropsopc.info
- scopeclothingsltd.pro

The malware submits the stolen information to a PHP script on the server, named fre.php by default.
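As an added example (not part of the original article and not Sophos's own tooling), the script below bundles the indicators listed above into checks a defender can run: the dropper SHA1s from the table, the dropped file paths and startup script, the LokiBot C&C domains, and the default fre.php gate name. The file listing, DNS log and proxy log it runs over are constructed for illustration; the hash lookup, path matching and log scanning would work the same way on real exports.

```python
import hashlib
import re

# Dropper SHA1s and filenames copied from the table on the page.
DROPPER_SHA1 = {
    "757dfe8e61f96d470da70235dc8c0e3dc9567339": "po866377.doc",
    "eaf2f7bbc5fddd19f8414eccfc81bc1af6500311": "UAE-INQUIRy.doc",
    "6aecb37db36c89829cfcbcc458383bbbd218a598": "Quotation-Needed.doc",
    "79fa30f9031b6f0a6ab7d2606d76538657921a51": "po866377.doc",
    "905d8f63f39a32ec3cfe26c821267c22cf32b828": "Quotation required.doc",
    "c56b2ec03dcb1c58744592f73f0a6e103aa9cbed": "Order_Al Amani Automotech LLC.220217.doc",
    "cfd7cb2b88b26a48d6c033d5626689fc313d0cf4": "United Energy Co.doc",
}

# Dropped payloads and the persistence script from the page, as lower-case
# path suffixes so they match regardless of the user profile directory.
DROPPED_ARTIFACTS = {
    r"appdata\roaming\win32.exe": "LokiBot credential stealer",
    r"appdata\local\temp\nbot.exe": "Betabot/Neurevt Trojan",
    r"\startup\win32.vbs": "LokiBot startup script",
}

# LokiBot C&C domains listed on the page and the default gate script name.
CNC_DOMAINS = {
    "monetizechart.me",
    "dfoxinternashipoop.top",
    "conticontrations.com",
    "mdelatropsopc.info",
    "scopeclothingsltd.pro",
}
GATE_SCRIPT = "fre.php"

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)
POST_RE = re.compile(r"\bPOST\s+https?://([^/\s]+)(/\S*)", re.IGNORECASE)


def lookup_sha1(sha1_hex):
    """Return the known dropper filename for a SHA1 hex digest, or None."""
    return DROPPER_SHA1.get(sha1_hex.lower())


def classify_attachment(data):
    """Hash raw attachment bytes and look the digest up in the dropper list."""
    return lookup_sha1(hashlib.sha1(data).hexdigest())


def suspicious_paths(paths):
    """Map every path ending in a known dropped-file location to its label."""
    hits = {}
    for path in paths:
        norm = path.replace("/", "\\").lower()
        for suffix, label in DROPPED_ARTIFACTS.items():
            if norm.endswith(suffix):
                hits[path] = label
    return hits


def flag_cnc_lines(log_lines):
    """Return (line_no, host) for lines naming a C&C domain or a subdomain of one."""
    flagged = []
    for n, line in enumerate(log_lines, 1):
        for host in HOST_RE.findall(line):
            h = host.lower()
            if h in CNC_DOMAINS or any(h.endswith("." + d) for d in CNC_DOMAINS):
                flagged.append((n, h))
                break
    return flagged


def flag_gate_posts(log_lines):
    """Return (line_no, host) for HTTP POSTs whose path ends in the default gate name."""
    flagged = []
    for n, line in enumerate(log_lines, 1):
        m = POST_RE.search(line)
        if m and m.group(2).lower().endswith("/" + GATE_SCRIPT):
            flagged.append((n, m.group(1).lower()))
    return flagged


# Constructed sample evidence (not from the page) to exercise the checks.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\win32.exe",
    r"C:\Users\alice\AppData\Local\Temp\nbot.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win32.vbs",
    r"C:\Windows\System32\notepad.exe",
]
SAMPLE_DNS_LOG = [
    "2017-02-22 09:14:01 client=10.0.0.15 query=www.example.com A",
    "2017-02-22 09:14:07 client=10.0.0.15 query=monetizechart.me A",
    "2017-02-22 09:14:09 client=10.0.0.15 query=cdn.dfoxinternashipoop.top A",
]
SAMPLE_PROXY_LOG = [
    "2017-02-22 09:14:12 10.0.0.15 POST http://conticontrations.com/fre.php 200",
    "2017-02-22 09:14:13 10.0.0.15 GET http://www.example.com/index.html 200",
]


def report():
    """Run every check over the constructed samples and collect the findings."""
    return {
        "paths": suspicious_paths(SAMPLE_PATHS),
        "dns": flag_cnc_lines(SAMPLE_DNS_LOG),
        "proxy": flag_gate_posts(SAMPLE_PROXY_LOG),
    }


if __name__ == "__main__":
    for section, findings in report().items():
        print(section, findings)
```

The domain check deliberately matches subdomains as well as the bare names, since a sinkhole or proxy log often records a host like cdn.example rather than the registered domain; the fre.php check is kept separate because the gate name is a default that can be renamed, so a hit there is weaker evidence than a hit on a listed domain.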
The login of the C&C panel looks like this:
The builder of LokiBot (at least a cracked version) looks like this:
Defensive measures
Since Betabot has most recently been used to serve up ransomware, a reminder of our tips on that front should be useful:
- To defend against ransomware in general, see our article How to stay protected against ransomware.
- To protect against JavaScript attachments, tell Explorer to open .JS files with Notepad.
- To protect against misleading filenames, tell Explorer to show file extensions.
- To protect against VBA malware, tell Office not to allow macros in documents from the internet.
- To learn more about ransomware, listen to our Techknow podcast.
To protect against AKBuilder activities, simply applying recent patches for Microsoft Office should be enough to disarm the attack.