Betabot just started to deliver ransomware to victims, researchers said.
Before this latest iteration, Betabot was known as a banking-information-stealing Trojan, a password-stealing Trojan, and a botnet, said researchers at Invincea.
Betabot now arrives as a weaponized document carrying password-stealing malware, and it also acts as a delivery vehicle for ransomware.
The malware is virtual-machine aware and can check for some sandboxes, which helps it evade detection and analysis, said Patrick Belcher, senior director of threat research at Invincea, in a blog post.
In terms of delivery to victims, Betabot hit users via the Neutrino exploit kit, Belcher said.
The campaign relies on weaponized documents delivered as email attachments, and on social engineering to trick users into enabling macros.
The attachments claim to be resumes, but once the malicious macros are enabled, malware capable of stealing all passwords stored in local browsers takes over. The email campaign attempted to infect thousands of victims, Belcher notes.
Although Betabot does not do much on its own after stealing the passwords, a second-stage attack then follows in which the malware deploys the Cerber ransomware on the endpoint. By taking this approach, the malware's operators are looking to increase their profits, Belcher said.
A single IP address (93[.]174.91.49) is used for both Betabot and Cerber.