Related Families: RansomHub
Verticals Targeted: Healthcare, Government, Critical Infrastructure
Executive Summary
A RansomHub affiliate has deployed a new multi-function backdoor, dubbed Betruger, in recent attacks, showcasing an innovative approach to streamline ransomware operations. This development signals an escalation in the group’s tactics, targeting critical infrastructure with a consolidated toolset designed to evade detection.
Key Takeaways
- Betruger, a custom backdoor, integrates multiple pre-ransomware functionalities, including keylogging, credential dumping, and privilege escalation, into a single executable.
- RansomHub affiliates exploit vulnerabilities such as CVE-2022-24521 and CVE-2023-27532 to deploy Betruger, targeting U.S. critical infrastructure sectors like healthcare and government.
- The backdoor masquerades as legitimate applications to blend into victim environments.
- Observed use of Bring Your Own Vulnerable Driver (BYOVD) techniques, such as EDRKillshifter, enhances the group’s ability to disable endpoint security solutions.
- Based on the discovery of this backdoor and an escalation in targeting of critical infrastructure entities, PolySwarm analysts classify RansomHub as an evolving threat and Betruger as an emerging threat.
What is Betruger?
The RansomHub RaaS operation has solidified its position as a dominant force in the ransomware landscape since emerging in February 2024. By Q3 2024, it claimed the highest number of attacks among ransomware groups, a feat driven by lucrative affiliate terms and a growing arsenal of tools. The latest addition, identified as Backdoor.Betruger, marks a significant evolution in their methodology. Unlike typical ransomware campaigns that lean on widely available tools like Cobalt Strike or Mimikatz, Betruger is a bespoke creation tailored for efficiency and stealth. Symantec reported on Betruger.
Betruger consolidates an array of capabilities typically spread across multiple tools. Technical analysis reveals it supports keylogging, network scanning, privilege escalation, credential dumping, screenshot capture, and file uploads to command-and-control (C2) servers. This all-in-one design minimizes the number of artifacts dropped on a victim’s network, reducing the attack’s footprint and complicating detection efforts. To further disguise its presence, the backdoor is deployed under filenames such as `mailer.exe` and `turbomailer.exe`, mimicking legitimate mailing applications despite lacking any such functionality.
The infection chain often begins with phishing or exploitation of known vulnerabilities. Notably, RansomHub affiliates have leveraged CVE-2022-24521, a Windows privilege escalation flaw, and CVE-2023-27532, a Veeam backup credential leak vulnerability, to gain initial access and escalate privileges. These exploits have been instrumental in targeting U.S. critical infrastructure, with healthcare, government, and other high-value sectors bearing the brunt of attacks. Beyond Betruger, affiliates employ advanced tactics like BYOVD, with tools such as EDRKillshifter disabling endpoint detection and response (EDR) solutions. Based on the discovery of this backdoor and an escalation in targeting of critical infrastructure entities, PolySwarm analysts classify RansomHub as an evolving threat and Betruger as an emerging threat.
IOCs
PolySwarm has the following sample of Betruger (SHA-256):
ae7c31d4547dd293ba3fd3982b715c65d731ee07a9c1cc402234d8705c01dfca
You can use the following CLI command to search for all Betruger samples in our portal:
$ polyswarm link list -f Betruger