A dangerous new malware loader that can determine whether it has landed on a business system or a personal computer has been rapidly infecting systems around the world over the past few months.
VMware Carbon Black researchers are tracking the threat, dubbed BatLoader, and claim that its operators use the dropper to distribute a variety of malicious tools on victim systems, including a banking Trojan, an information stealer, and the post-exploitation toolkit Cobalt Strike. The threat actor’s tactic has been to host the malware on compromised websites and lure users to these sites using search engine optimization (SEO) poisoning methods.
Living off the land
BatLoader relies heavily on batch scripts and PowerShell to gain a foothold on a victim machine and download other malware onto it. This has made the campaign difficult to detect and block, especially in the early stages, analysts from VMware Carbon Black’s Managed Detection and Response (MDR) team said in a November 14 report.
VMware said its Carbon Black MDR team observed 43 successful infections in the past 90 days, in addition to numerous other failed attempts where a victim downloaded the initial infection file but did not run it. Nine of the victims were organizations in the business services sector, seven were financial services companies and five were in the manufacturing sector. Other victims included organizations in the education, retail, IT and healthcare sectors.
On Nov. 9, eSentire said its threat hunting team had observed the operator of BatLoader luring victims to websites posing as popular commercial software download pages such as LogMeIn, Zoom, TeamViewer and AnyDesk. The threat actor distributed links to these websites through advertisements that featured prominently in search engine results when users searched for one of these software products.
The security vendor said that in an incident in late October, an eSentire customer landed on a fake LogMeIn download page and downloaded a Windows installer that, among other things, profiles the system and uses that information to retrieve a second-stage payload.
“What makes BatLoader interesting is that it has built-in logic that determines whether the victim computer is a personal computer or a corporate computer,” says Keegan Keplinger, head of research and reporting at the eSentire TRU Research Team. “It then removes the appropriate type of malware for the situation.”
Selective payload delivery
For example, if BatLoader lands on a personal computer, it downloads the Ursnif banking malware and the Vidar information stealer. If it lands on a domain- or corporate-owned computer, it downloads Cobalt Strike and the Syncro remote monitoring and management tool, in addition to the banking Trojan and information stealer.
“If BatLoader lands on a personal computer, it will perform fraud, information theft, and banking payloads like Ursnif,” Keegan says. “If BatLoader detects that it is in an organizational environment, it will proceed with intrusion tools like Cobalt Strike and Syncro.”
Keegan says eSentire has observed “many” recent cyberattacks involving BatLoader. Most of the attacks are opportunistic and hit anyone looking for reliable and popular freeware tools.
“To show up in front of organizations, BatLoader leverages poison ads so that when employees search for trusted freeware, like LogMeIn and Zoom, they instead land on sites controlled by attackers providing BatLoader.”
Overlap with Conti, ZLoader
VMware Carbon Black said that while several aspects of the BatLoader campaign are unique, there are also several attack chain attributes that resemble the Conti ransomware operation.
The overlaps include an IP address that the Conti group used in a campaign exploiting the Log4j vulnerability, and use of a remote management tool called Atera that Conti used in previous operations.
In addition to similarities with Conti, BatLoader also has several overlaps with Zloader, a banking Trojan which appears to be derived from the early 2000s Zeus banking Trojan, the security vendor said. The biggest similarities include the use of SEO poisoning to lure victims to malware-laden websites, the use of Windows Installer to establish an initial foothold, and the use of PowerShell, batch scripts, and other native operating system binaries during the attack chain.
Mandiant was the first to report on BatLoader. In a blog post in February, the security vendor reported observing a malicious actor using the topics “installation of free productivity apps” and “installation of free software development tools” as SEO keywords to lure users to download sites.
“That first BatLoader compromise was the beginning of a multi-step chain of infection which allows attackers to gain a foothold in the target organization,” Mandiant said. The attackers used each step to set up the next phase of the attack chain using tools such as PowerShell, Msiexec.exe and Mshta.exe to evade detection.
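The chain described above (a Windows Installer foothold followed by batch scripts, PowerShell and Mshta.exe) can be hunted for as script hosts that descend from msiexec.exe. The following is an added example, not code from VMware, eSentire or Mandiant; the event field names and the sample events are constructed for illustration.

```python
from ntpath import basename  # parses Windows paths on any OS

INSTALLER = "msiexec.exe"
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "mshta.exe"}

# Constructed process-creation events; the pid/ppid/image field names are assumptions.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\msiexec.exe"},
    {"pid": 210, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 220, "ppid": 210,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # User-launched PowerShell and mshta: no installer ancestor, so not flagged.
    {"pid": 300, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.EXE"},
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe"},
]


def ancestry(pid, by_pid):
    """Image names from the process up to the oldest known ancestor.

    The seen-set stops the walk if reused pids form a loop in the data.
    """
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]).lower())
        pid = by_pid[pid]["ppid"]
    return chain


def installer_spawned_script_hosts(events):
    """Return (pid, chain) for script hosts with msiexec.exe in their ancestry."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        chain = ancestry(e["pid"], by_pid)
        if chain[0] in SCRIPT_HOSTS and INSTALLER in chain[1:]:
            hits.append((e["pid"], " <- ".join(chain)))
    return hits


if __name__ == "__main__":
    for pid, chain in installer_spawned_script_hosts(SAMPLE_EVENTS):
        print(pid, chain)
```

Legitimate installers also run custom actions through cmd.exe or PowerShell, so a hit is a lead to triage alongside where the installer file was downloaded from, not a verdict on its own.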