Betabot
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
The first encounter I had with this CVE in exploit kit, was in the Sweet Orange... already containing CVE-2014-6332... Sweet Orange firing CVE-2014-6332 and DarkShell Call back... Here a more "standard" Sweet Orange : CVE-2014-6332 fired by Sweet Orange - And Betabot call back... Neutrino Firing CVE-2014-6332... Archie... CVE-2014-6332... Flash EK firing CVE-2014-6332... NB : it's in RIG and Angler | Here a more "standard" Sweet Orange : CVE-2014-6332 fired by Sweet Orange - And Betabot call back. 2014-11-21
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
"...families of RATs and infostealers. These included Lokibot, Betabot, Formbook, and AgentTesla."
Techniques & procedures
6 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique"In a series of malspam campaigns dating back to November of 2019, an unidentified group sent out waves of installers that drop remote administration tool (RAT) and information stealing malware..."
Execution
2 techniquesThe first encounter I had with this CVE in exploit kit, was in the Sweet Orange... already containing CVE-2014-6332 ... Sweet Orange : The URL pattern are different... CVE-2014-6332 in Sweet Orange 2014-11-19
"...leverages concern about the global COVID-19 pandemic to convince victims to open the payloads."
Privilege Escalation
1 techniqueStealth
2 techniques"...sent out waves of installers..." and "presenting the installer as a 'banking confirmation.'"
Command and Control
1 techniqueDa Orangade firing CVE-2014-6332 and DarkShell Call back 2014-11-19 GET http://98.126.249 .92:82/index.html 200 OK (text/html) ... Here a more "standard" Sweet Orange : CVE-2014-6332 fired by Sweet Orange - And Betabot call back.
IOCs tracked for this family
106 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Other indicator types observed in public reporting.
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Information-stealing malware used as a final payload delivered by NSIS installers; shares C2 infrastructure with other payload families in the same campaigns.
Malware observed calling back after delivery through the Sweet Orange exploit kit exploiting CVE-2014-6332.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.