
[Figure: Infection chain – sample1.exe]
A new report from Symantec Threat Hunter Team reveals that at least one affiliate of the RansomHub ransomware-as-a-service (RaaS) operation has begun using a new custom backdoor in their attacks. This malware, named Backdoor.Betruger, is described as “a rare example of a multi-function backdoor, seemingly developed specifically for use in carrying out ransomware attacks.”
According to the report, “At least one affiliate of the RansomHub ransomware-as-a-service (RaaS) has begun using a new custom backdoor in attacks.” This is a significant development, because most ransomware groups rely on living-off-the-land (LotL) techniques and publicly available tools such as Mimikatz and Cobalt Strike rather than deploying proprietary malware of their own.
Betruger’s extensive functionality suggests it was developed to minimize the number of separate tools required for pre-ransomware activities. The backdoor is capable of:
- Screenshotting infected systems
- Keylogging user input
- Uploading files to a command and control (C&C) server
- Scanning networks for vulnerabilities
- Escalating privileges
- Dumping credentials for later use
The malware has been disguised under names such as mailer.exe and turbomailer.exe, though “the backdoor contains no mailing functionality”, indicating an effort to masquerade as a legitimate application to evade detection.
The RansomHub group, tracked by Symantec as Greenbottle, has seen rapid growth since its emergence in February 2024. By Q3 2024, it had become the most prolific ransomware operation, surpassing other major players in the cybercrime landscape. Symantec attributes this success to RansomHub’s attractive revenue model, explaining that the group has “won over many affiliates by offering them better terms compared to rival operations.” Unlike traditional RaaS models, where the operator collects the ransom and then pays affiliates their share, RansomHub’s payment structure lets affiliates collect ransom payments first and pass a share on to the operator afterwards.
In addition to the Betruger backdoor, Symantec researchers found that RansomHub affiliates are combining Bring Your Own Vulnerable Driver (BYOVD) techniques, used to disable security software, with known exploits for gaining access and escalating privileges. Vulnerabilities exploited include:
- CVE-2022-24521 – Windows Common Log File System (CLFS) driver privilege escalation vulnerability
- CVE-2023-27532 – Veeam Backup & Replication vulnerability that exposes stored backup credentials
These exploits, combined with the Betruger backdoor, give attackers a powerful foothold in targeted environments before ransomware payload deployment.
Beyond Betruger, RansomHub affiliates have been seen using an array of tools, including:
- Impacket – A Python-based framework for remote service execution and credential manipulation
- Stowaway Proxy Tool – A publicly available tool for network traffic proxying
- Rclone – A cloud management tool often abused for data exfiltration
- ScreenConnect – A legitimate remote desktop application abused for unauthorized access
- Mimikatz – A widely used credential dumping tool
- SystemBC – A commodity malware that opens a backdoor and uses SOCKS5 proxies for communication
- NetScan – A network scanner often used for host discovery
- Remote monitoring and access tools – Atera, Splashtop, and TightVNC, which attackers use to maintain persistent access
The presence of these tools, particularly Rclone and SystemBC, suggests that data exfiltration and stealthy persistence are key priorities for RansomHub affiliates.
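Two details above are directly huntable in process-creation telemetry: the Betruger disguise names (mailer.exe, turbomailer.exe) and the follow-on tools the affiliate runs afterwards. The script below is an added hunting example, not code from the article or from Symantec. It parses constructed process-creation records (format, host names and user names are invented for illustration), groups them by host, and rates a host higher when a Betruger disguise name is followed within 24 hours by one of the listed tools. The tool image names (rclone.exe, netscan.exe, tvnserver.exe, ScreenConnect.ClientService.exe, mimikatz.exe) are assumptions and should be adjusted to your own telemetry; a lone "mailer.exe" is only rated medium because the process log alone cannot show whether the binary has any mailing functionality.

```python
"""Hunt for the RansomHub affiliate tooling described above in
process-creation telemetry. Added example; the log format, hosts and users
are constructed, and the tool image names are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Disguise file names Symantec observed for Backdoor.Betruger.
BETRUGER_NAMES = {"mailer.exe", "turbomailer.exe"}

# Follow-on tools from the report. Image names are assumed, not from the report.
SUPPORT_TOOLS = {
    "rclone.exe": "exfiltration (Rclone)",
    "screenconnect.clientservice.exe": "remote access (ScreenConnect)",
    "mimikatz.exe": "credential dumping (Mimikatz)",
    "netscan.exe": "network discovery (NetScan)",
    "tvnserver.exe": "remote access (TightVNC)",
}

# How long after the first Betruger execution a tool counts as follow-on activity.
WINDOW = timedelta(hours=24)

# Constructed telemetry: timestamp|host|user|image path (one process start per line).
SAMPLE_LOG = """\
2025-03-10T08:02:11|WS-0412|corp\\jdoe|C:\\Users\\jdoe\\AppData\\Local\\Temp\\turbomailer.exe
2025-03-10T08:05:40|WS-0412|corp\\jdoe|C:\\ProgramData\\netscan.exe
2025-03-10T09:31:02|WS-0412|corp\\jdoe|C:\\Windows\\Temp\\rclone.exe
2025-03-10T10:15:00|SRV-BKP01|corp\\svc_backup|C:\\Tools\\rclone\\rclone.exe
2025-03-10T10:20:33|WS-0077|corp\\asmith|C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE
2025-03-12T11:00:00|WS-0099|corp\\bking|C:\\Users\\bking\\Downloads\\mailer.exe
"""


def parse(log_text):
    """Return (timestamp, host, user, lowercase image name, full path) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, user, image = line.split("|", 3)
        name = PureWindowsPath(image).name.lower()
        events.append((datetime.fromisoformat(ts), host, user, name, image))
    return events


def hunt(log_text):
    """Rate each host: high = Betruger name followed by a listed tool within WINDOW,
    medium = Betruger name alone, low = listed tool alone (needs triage)."""
    by_host = defaultdict(list)
    for ev in parse(log_text):
        by_host[ev[1]].append(ev)

    findings = {}
    for host, evs in by_host.items():
        evs.sort()  # chronological; tuples sort on the timestamp first
        betruger = [e for e in evs if e[3] in BETRUGER_NAMES]
        tools = [e for e in evs if e[3] in SUPPORT_TOOLS]
        if betruger:
            first_seen = betruger[0][0]
            followups = sorted({SUPPORT_TOOLS[e[3]] for e in tools
                                if first_seen <= e[0] <= first_seen + WINDOW})
            findings[host] = {
                "severity": "high" if followups else "medium",
                "betruger_image": betruger[0][4],
                "followups": followups,
            }
        elif tools:
            findings[host] = {
                "severity": "low",
                "betruger_image": None,
                "followups": sorted({SUPPORT_TOOLS[e[3]] for e in tools}),
            }
    return findings


if __name__ == "__main__":
    for host, info in sorted(hunt(SAMPLE_LOG).items()):
        print(f"{host}: {info['severity']} {info['betruger_image']} {info['followups']}")
```

On the constructed sample, WS-0412 is rated high (turbomailer.exe followed by NetScan and Rclone), WS-0099 medium (mailer.exe with no follow-on tooling), the backup server low (Rclone alone, plausibly legitimate), and the Outlook host is not reported at all. In a real deployment the Betruger disguise names should be confirmed against the report's hashes rather than the file name alone, since a benign mailer.exe is possible.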