MalwareUsed by 1 actorExploits 1 CVE

Betabot

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVES

CVE-2014-6332Windows OLE Automation Array Remote Code Execution VulnerabilityExploited in the wild

The first encounter I had with this CVE in exploit kit, was in the Sweet Orange... already containing CVE-2014-6332... Sweet Orange firing CVE-2014-6332 and DarkShell Call back... Here a more "standard" Sweet Orange : CVE-2014-6332 fired by Sweet Orange - And Betabot call back... Neutrino Firing CVE-2014-6332... Archie... CVE-2014-6332... Flash EK firing CVE-2014-6332... NB : it's in RIG and Angler | Here a more "standard" Sweet Orange : CVE-2014-6332 fired by Sweet Orange - And Betabot call back. 2014-11-21

via malware dontneedcoffeemalware.dontneedcoffee.com

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

RATicate

"...families of RATs and infostealers. These included Lokibot, Betabot, Formbook, and AgentTesla."

via sophos threat researchnews.sophos.com

MITRE ATT&CK

Techniques & procedures

7 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique

T1566.001Spearphishing AttachmentEvidence1

"In a series of malspam campaigns dating back to November of 2019, an unidentified group sent out waves of installers that drop remote administration tool (RAT) and information stealing malware..."

Execution

2 techniques

T1203Exploitation for Client ExecutionEvidence1

The first encounter I had with this CVE in exploit kit, was in the Sweet Orange... already containing CVE-2014-6332 ... Sweet Orange : The URL pattern are different... CVE-2014-6332 in Sweet Orange 2014-11-19

T1204User ExecutionEvidence1

"...leverages concern about the global COVID-19 pandemic to convince victims to open the payloads."

Privilege Escalation

1 technique

T1055Process InjectionEvidence1

"After the decryption, shellcode3 injects the final payload in a child process."

Stealth

2 techniques

T1036MasqueradingEvidence1

"...sent out waves of installers..." and "presenting the installer as a 'banking confirmation.'"

T1055Process InjectionEvidence1

"After the decryption, shellcode3 injects the final payload in a child process."

Command and Control

2 techniques

T1071Application Layer ProtocolEvidence2

Da Orangade firing CVE-2014-6332 and DarkShell Call back 2014-11-19 GET http://98.126.249 .92:82/index.html 200 OK (text/html) ... Here a more "standard" Sweet Orange : CVE-2014-6332 fired by Sweet Orange - And Betabot call back.

T1568.001Fast Flux DNSEvidence1

The story we are writing here will try to explain how, from a simple mistake made by an operator, we managed to collect and exploit a lot of precious information from a “Fast Flux” network called BraZZZerS Fast Flux between end of 2018 and 2022.

INDICATORS OF COMPROMISE

IOCs tracked for this family

106 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app

Network

6 tracked

IPs, domains, and DNS infrastructure linked to this family.

Other

100 tracked

Other indicator types observed in public reporting.

TypeValueLatest sighting

uri●●●●●●●●●●●●View more in app5 years ago

uri●●●●●●●●●●●●View more in app6 years ago

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

medium csis techblogNews

Aug 8, 2022

An inside view of domain anonymization as-a-service - the BraZZZerSFF infrastructure | by Benoit ANCEL | CSIS TechBlog | Medium

Banking trojan family observed in BraZZZers logs.

sophos threat researchNews

May 14, 2020

RATicate: an attacker’s waves of information-stealing malware | SOPHOS

Information-stealing malware used as a final payload delivered by NSIS installers; shares C2 infrastructure with other payload families in the same campaigns.

malware dontneedcoffeeNews

Sep 28, 2014

CVE-2014-6332 (Internet Explorer) and Exploits Kits

Malware observed calling back after delivery through the Sweet Orange exploit kit exploiting CVE-2014-6332.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching106

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities1

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping7

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.