A newly identified custom backdoor dubbed Betruger has been deployed in several recent ransomware attacks. Reports revealed that an affiliate of the RansomHub ransomware-as-a-service (RaaS) operation utilised this new malicious payload.
Researchers stated that the new malware is a unique multi-function backdoor that attackers developed specifically for ransomware operations.
Some of the malware’s confirmed capabilities overlap with features commonly found in malicious tools dropped before ransomware payloads are deployed. These capabilities include keylogging, network scanning, privilege escalation, credential dumping, screenshotting, and uploading files to a command-and-control (C2) server.
Betruger is a backdoor that keeps other malicious tools from interrupting its operator’s ransomware activity.
According to investigations, the Betruger backdoor’s functionality is allegedly designed to reduce the number of new tools placed on a targeted network while a RansomHub ransomware attack is being carried out.
Custom malware other than the encryption payload itself is rare in ransomware campaigns. Instead, most attackers rely on legitimate tools, living-off-the-land techniques, and publicly available malware such as Mimikatz and Cobalt Strike.
The backdoor developers use filenames like ‘mailer.exe’ and ‘turbomailer.exe’ to disguise the Betruger backdoor as a legitimate mailing-related tool. Other ransomware gangs have also created specialised malicious tools, primarily intended to help exfiltrate sensitive data from victims’ compromised systems.
Such programs include BlackMatter’s Exmatter stealer and BlackByte’s Exbyte data theft tool, both of which transfer stolen files to the Mega.co.nz cloud storage service.
The RansomHub ransomware-as-a-service (RaaS) operation first appeared over a year ago, in February 2024. It has been associated with data theft-based extortion rather than with encrypting data on compromised systems.
Since its inception, the ransomware gang has claimed several high-profile victims, including oil services giant Halliburton, Christie’s auction house, US telecom provider Frontier Communications, and the Planned Parenthood sexual health nonprofit.
This ransomware group continues to improve its attack capabilities and malicious tools to increase the number of successful operations. Experts expect the RansomHub ransomware gang to continue its streak, since it keeps adding new weapons such as the Betruger backdoor to its arsenal.
