Ransomware attacks continue to evolve, with threat actors constantly seeking new ways to compromise systems and maximize their impact. A recent discovery highlights the sophistication of these attacks, revealing the use of a novel multi-function backdoor named Betruger by the RansomHub ransomware-as-a-service (RaaS) operation.
Betruger: A Multi-Functional Backdoor for Ransomware Deployment
Security researchers at Symantec have identified Betruger, a custom-built backdoor, deployed in several recent ransomware attacks linked to a RansomHub affiliate. Symantec describes Betruger Backdoor as a “rare example of a multi-function backdoor,” designed to streamline the ransomware deployment process.
Its capabilities are extensive, bundling functions that attackers usually obtain from several separate tools in the stages before the ransomware payload is delivered. These include:
- Keylogging
- Network scanning
- Privilege escalation
- Credential dumping
- Screenshotting
- File uploading to a command and control (C2) server
Integrating these features into a single backdoor reduces the number of tools an attacker needs to bring into an environment, which makes the intrusion both more efficient and harder to detect, since fewer new files land on the targeted network.
As Symantec’s Threat Hunter Team noted, “The functionality of Betruger indicates that it may have been developed in order to minimize the number of new tools dropped on a targeted network while a ransomware attack is being prepared.”
This approach contrasts with the typical reliance on readily available tools or “living off the land” techniques employed by many ransomware groups.
“The use of custom malware other than encrypting payloads is relatively unusual in ransomware attacks. Most attackers rely on legitimate tools, living off the land, and publicly available malware such as Mimikatz and Cobalt Strike,” the team added.
The attackers disguise the Betruger Backdoor under filenames such as ‘mailer.exe’ and ‘turbomailer.exe’, which mimic legitimate mailing applications in order to evade detection.
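As an added example (not code from the Symantec report or the article), the following check scans constructed Sysmon-style process-creation records for the two masquerade filenames the article cites and raises the severity when the binary ran from a user-writable directory; the JSON record format and the "suspicious path" heuristic are assumptions, not something the article states.

```python
import json
import ntpath
from typing import Optional

# Filenames the article reports Betruger using to pose as mailing software.
BETRUGER_MASQUERADE_NAMES = {"mailer.exe", "turbomailer.exe"}

# Assumption (not from the article): genuine mail tooling is rarely launched
# from user-writable staging directories such as these.
SUSPICIOUS_PATH_FRAGMENTS = ("\\temp\\", "\\programdata\\",
                             "\\users\\public\\", "\\appdata\\")


def classify_event(event: dict) -> Optional[dict]:
    """Return a finding for one process-creation event, or None if benign.

    `event` needs at least an "Image" key holding the executable's full path,
    in the style of Sysmon Event ID 1; other keys are ignored.
    """
    image = event.get("Image", "")
    name = ntpath.basename(image).lower()  # handles Windows paths on any OS
    if name not in BETRUGER_MASQUERADE_NAMES:
        return None
    finding = {"image": image, "severity": "medium",
               "reason": "filename matches Betruger masquerade name"}
    if any(frag in image.lower() for frag in SUSPICIOUS_PATH_FRAGMENTS):
        finding["severity"] = "high"
        finding["reason"] += "; launched from user-writable directory"
    return finding


def scan_log(lines) -> list:
    """Parse newline-delimited JSON events and return all findings in order."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the scan
        finding = classify_event(event)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample records; paths and account names are made up.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Program Files\\Outlook\\OUTLOOK.EXE", "User": "CORP\\alice"}
{"EventID": 1, "Image": "C:\\Users\\Public\\turbomailer.exe", "User": "CORP\\alice"}
{"EventID": 1, "Image": "D:\\Tools\\Mailer.exe", "User": "CORP\\svc-mail"}
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f["severity"], f["image"], "-", f["reason"])
```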
RansomHub’s History and High-Profile Victims
The RansomHub RaaS operation (formerly known as Cyclops and Knight), active since February 2024, has a history of data-theft-based extortion rather than solely focusing on data encryption. The group has targeted numerous high-profile victims, including:
- Halliburton
- Christie’s
- Frontier Communications
- Rite Aid
- Kawasaki’s EU division
- Planned Parenthood
- Bologna Football Club
RansomHub’s notoriety further increased after leaking data stolen from Change Healthcare following the BlackCat/ALPHV ransomware operation’s exit scam – a significant healthcare breach impacting over 190 million individuals. More recently, they claimed responsibility for the breach of BayMark Health Services, a major addiction treatment provider in North America.
The FBI reported that, as of August 2024, RansomHub affiliates had compromised over 200 victims across US critical infrastructure sectors, including government and healthcare.
The emergence of Betruger Backdoor highlights the continuous evolution of ransomware tactics. The use of sophisticated, multi-functional backdoors like Betruger underscores the need for robust security measures and proactive threat detection to mitigate the risks posed by advanced ransomware attacks. Organizations must remain vigilant and adapt their security strategies to counter these evolving threats.