
Researchers Flag-Up Dangerous BatLoader Malware Dropper!


A dangerous new malware loader with built-in logic for determining whether it is running on a business system or a personal computer has begun rapidly infecting systems worldwide in recent months.

BatLoader has spread quickly across systems globally, tailoring its payloads to its victims.

Malware Tools

Researchers at VMware Carbon Black are tracking the threat, dubbed BatLoader, & say its operators are using the dropper to distribute a variety of malware tools including a banking Trojan, an information stealer, & the ‘Cobalt Strike’ post-exploit toolkit on victim systems.

The threat actor’s tactic has been to host the malware on compromised websites & lure users to those sites using search engine optimisation (SEO) poisoning methods.

‘Living Off the Land’

BatLoader relies heavily on batch & PowerShell scripts to gain an initial ‘foothold’ on a victim machine & to download other malware onto it. This has made the campaign hard to detect & block, especially in the early stages, analysts from VMware Carbon Black’s managed detection & response (MDR) team outlined in a report released on Nov. 14.

VMware said that its Carbon Black MDR team had observed 43 successful infections in the last 90 days, in addition to many other unsuccessful attempts where a victim downloaded the initial infection file but did not execute it. 9 of the victims were organisations in the business services sector, 7 were financial services companies, & 5 were in manufacturing.

Other victims included organisations in the education, retail, IT, & healthcare sectors.

Luring Victims

On Nov. 9, eSentire said its threat-hunting team had observed BatLoader’s operator luring victims to websites disguised as download pages for popular business software such as LogMeIn, Zoom, TeamViewer, & AnyDesk. The threat actor distributed links to these websites via ads that showed up prominently in search engine results when users searched for any of these software products.

The security vendor said that in one Oct. incident, an eSentire customer arrived at a fake LogMeIn download page & downloaded a Windows installer that, among other things, profiles the system & uses the information to retrieve a 2nd-stage payload.

“What makes BatLoader interesting is that it has logic built into it that determines if the victim computer is a personal computer or a corporate computer,” states Keegan Keplinger, Research & Reporting lead with eSentire’s TRU research team. “It then drops the type of malware appropriate for the situation.”

Selective Payload Delivery

If BatLoader hits a personal computer, it downloads Ursnif banking malware & the Vidar information stealer. If it hits a domain-joined or corporate computer, it downloads Cobalt Strike & the Syncro remote monitoring & management tool, in addition to the banking Trojan & information stealer.

“If BatLoader lands on a personal computer, it will proceed with fraud, info stealing, & banking-based payloads like Ursnif,” Keegan says. “If BatLoader detects that it’s in an organisational environment, it will proceed with intrusion tools like Cobalt Strike & Syncro.”

Opportunistic

Keegan says eSentire has observed “a lot” of recent cyber-attacks involving BatLoader. Most of the attacks are opportunistic & hit anyone looking for trusted & popular free software tools.

“To get in front of organisations, BatLoader uses ‘poisoned’ ads so that when employees look for trusted free software, like LogMeIn and Zoom, they instead land on sites controlled by attackers, delivering BatLoader.”

Overlap to Conti & ZLoader

VMware Carbon Black reported that while there are several aspects of the BatLoader campaign that are unique, there are also attributes of the attack chain that have a resemblance with the Conti ransomware operation.

The overlaps include an IP address that the Conti group used in a campaign exploiting the Log4j vulnerability, & the use of a remote management tool called Atera that Conti has used in previous operations.

Overlaps

In addition to the similarities with Conti, BatLoader also has several overlaps with Zloader, a banking Trojan that appears to be derived from the Zeus banking Trojan of the early 2000s, the security vendor outlined.

The biggest similarities there include the use of SEO ‘poisoning’ to lure victims to malware-laden websites, the use of Windows Installer for establishing an initial foothold, & the use of PowerShell, batch scripts, & other native OS binaries during the attack chain.

Free Installation

Mandiant was the first to report on BatLoader. In a February blog post, the security vendor reported observing a threat actor using “free productivity apps installation” & “free software development tools installation” themes as SEO keywords to lure users to download sites.

“This initial BatLoader compromise was the beginning of a multi-stage infection chain that provides the attackers with a foothold inside the target organisation,” Mandiant explained. The attackers used every stage to set up the next phase of the attack chain using tools such as PowerShell, Msiexec.exe, & Mshta.exe to evade detection.
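The attack chain described in the two passages above (a Windows Installer package that goes on to drive PowerShell, batch scripts & Mshta.exe) is one a defender can hunt for in process-creation telemetry. The following is an added example, not code from the report or from any vendor named here; it assumes Sysmon-style process-creation records with the field shape shown, & all paths, PIDs & file names in the sample are constructed.

```python
from dataclasses import dataclass

# Native binaries the reporting names as later-stage tooling, plus the installer.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "mshta.exe"}
INSTALLER = "msiexec.exe"

@dataclass(frozen=True)
class ProcEvent:          # one process-creation record (shape assumed, Sysmon-like)
    pid: int
    ppid: int
    image: str            # full image path
    cmdline: str

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def installer_ancestor(ev, by_pid, max_depth=3):
    """Walk up to max_depth parents; return the msiexec.exe ancestor, if any."""
    cur = ev
    for _ in range(max_depth):
        cur = by_pid.get(cur.ppid)
        if cur is None:
            return None
        if _basename(cur.image) == INSTALLER:
            return cur
    return None

def flag_installer_script_chains(events, max_depth=3):
    """One finding per script host that descends from a Windows Installer process."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if _basename(ev.image) not in SCRIPT_HOSTS:
            continue
        root = installer_ancestor(ev, by_pid, max_depth)
        if root is not None:
            findings.append({"pid": ev.pid, "image": _basename(ev.image),
                             "installer_pid": root.pid, "installer_cmd": root.cmdline})
    return findings

# Constructed sample telemetry (hypothetical paths, names and PIDs; not real IoCs).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\msiexec.exe", r"msiexec.exe /i C:\Users\u\Downloads\EXAMPLE-Setup.msi"),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c install.bat"),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -f s2.ps1"),
    ProcEvent(500, 400, r"C:\Windows\System32\mshta.exe", "mshta.exe s3.hta"),
    ProcEvent(700, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),  # from Explorer: benign
]
```

Legitimate installers also spawn script hosts on occasion, so treat a hit as a triage lead & pair it with the installer's download location & signer before alerting.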
