Threat Management, Incident Response, Malware, TDR

Betabot trojan packed with anti-malware evasion tools

A banking trojan packing anti-malware evasion techniques that features an exhaustive blacklist of security software.

Cybereason researchers have spotted multiple Betabot, aka Neurevt, infections over the past few weeks and have noted the malware has now been packed with features that allow its operators to practically take over a victim’s machine to steal sensitive information, according to an Oct. 3 blog post.

“Other programs remove malware and bots that are already on a person’s machine, eliminating the competition with heuristic approaches that would put many security products to shame,” researchers said in the post.

“Betabot stands out because it implements all of these self-defense features and has an exhaustive blacklist of file and process names, product IDs, hashes and domains from major antivirus, security and virtualization companies.”

The malware has been active since late 2012and began as just a banking trojan but the most recent version include browsers form grabber, FTP and mail client stealer, banker modules, and running DDoS attacks.


The trojan also uses a USB infection module, Robust Userland Rootkit (x86/x64), arbitrary command execution via shell, the ability to download additional malware, persistence, and a crypto-currency miner module.

Betabot spreads by exploiting an 18-year-old zero-day vulnerability in the Equation Editor tool in Microsoft Office that wasn’t discovered and patched by Microsoft until 2017. Infections are spread via phishing campaigns which leverage social engineering to convince victims to download what appears to be a Word document email attachment.

The malware also uses interesting persistence techniques one of which was implemented via Windows Task Scheduler and was observed in some infections. Researchers also noted infections which used a simple registry Autorun.

The malware’s authors designed the souped-up trojan to operate in “paranoid mode” as it can detect security products running on a victim’s device and if it detects that it is running in a sandbox environment it will shut down the malware to prevent examination.

Those looking to prevent infection are advised to minimized their risks by avoiding to click links or download or open attachments from unknown sender, lookout for typos, and misspellings or other suspicious content in emails and attachments and to report any suspicious or abnormalities to IR or information security.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.