Check Point Threat Alert: AAEH/Beebone

Overview

AAEH, also known as BeeBone, is a family of polymorphic downloaders created with the primary purpose of downloading other malware, including password stealers, rootkits, fake antivirus, and ransomware. AAEH is often propagated across networks, removable drives (USB/CD/DVD), and through ZIP and RAR archive files. Other aliases include VObfus, VBObfus, and Changeup. The polymorphic malware has the ability to change its form with every infection. Once installed, it morphs every few hours and rapidly spreads across the network. More than two million unique samples have been detected. AAEH/Beebone has been used to download other malware families, such as Zeus, Cryptolocker, Necrus, and ZeroAccess rootkits and Cutwail Spambots.

A system infected with AAEH /Beebone may be employed to distribute malicious software, harvest users’ credentials for online services (including banking services), and extort money from users by encrypting key files and then demanding payment to return the files to a readable state. AAEH /Beebone is capable of defeating antivirus products by blocking connections to IP addresses associated with Internet security companies and by preventing antivirus tools from running on infected machines.

Update

On April 8, 2015, a joint operation between Europol, the Dutch authorities and the FBI targeted the AAEH/Beebone botnet to take it down. The botnet was ‘sinkholed’ by registering, suspending or seizing all domain names with which the malware could communicate and then redirect traffic.

Recommendations

Check Point Anti-Bot blade includes relevant signatures and indicators under the name Beebone. These signatures and indicators were first introduced in October 2013. If Check Point customers see logs of the botnet’s communication, note that the botnet is not functioning and its domains are down.

However, as this malware prevents the infected host from communicating with security vendors’ web sites, we highly recommend removal of the implants from infected machines. Several remediation tools are available on Shadowserver.

References

US-CERT technical alert TA15-098A: https://www.us-cert.gov/ncas/alerts/TA15-098A

Shadowserver: https://aaeh.shadowserver.org/

Europol: https://www.europol.europa.eu/content/international-police-operation-targets-polymorphic-beebone-botnet

See how use cases come to life through Check Point's customer stories.

See how use cases come to life through Check Point's customer stories.

See how use cases come to life through Check Point's customer stories.

AI-Powered Threat Prevention

AI-Powered Threat Prevention

AI-Powered Threat Prevention

AI-Powered Threat Prevention

AI-Powered Threat Prevention

Learn hackers inside secrets and beat them at their own game

Learn hackers inside secrets and beat them at their own game

Learn hackers inside secrets and beat them at their own game

Learn hackers inside secrets and beat them at their own game

Learn hackers inside secrets and beat them at their own game

Learn hackers inside secrets and beat them at their own game

Check Point is 100% Channel. Grow Your Business with Us!

See how use cases come to life through Check Point's customer stories.

Check Point Threat Alert: AAEH/Beebone

You may also like

The Rise of the Code Package Threat

Amid vaccine mandates, fake vaccine certificates become a full blown industry

How scammers are hiding their phishing trips in public clouds

Democracy Under Attack: Summarizing the Elections Threat Landscape