Researchers at eSentire have identified a campaign in which the BatLoader malware downloader abuses Google Ads to deliver secondary payloads such as:
- Vidar Stealer
- Ursnif
In this ongoing operation, the malicious ads impersonate a range of legitimate applications using newly registered look-alike domains, including:
- ChatGPT (chatgpt-t[.]com)
- Zoom (zoomvideor[.]com)
- Spotify (spotify-uss[.]com)
- Tableau (tableau-r[.]com)
- Adobe (adobe-l[.]com)
As a loader, BatLoader delivers malware families including:
- Information stealers
- Banking malware
- Cobalt Strike
- Ransomware
Since it first appeared in 2022, BatLoader has been continuously modified and improved. Impersonating legitimate software to deliver malware is one of its defining characteristics.
Python Loader and Files of BatLoader
In February 2023, eSentire's MDR for Endpoint blocked an Ursnif infection at one of its manufacturing clients; the detection fired on a code injection attempt. The user had clicked a sponsored ad placed above the search results and was redirected through an intermediary site (adolbe[.]website) to adobe-e[.]com, a page masquerading as the Adobe Acrobat Reader download.
The downloaded installer opened a hidden window and ran an embedded batch file with administrative privileges. The batch file performs the following actions:
- Runs a bundled setup binary that installs Python 3.9.9.
- Installs the pywin32 and wmi packages with pip.
- Uses PowerShell to unpack compressed OpenSSL library files into several locations.
- After a short timeout, launches two Python files in sequence.
The package contained two Python files:
- framework.py
- frameworkb.py
According to eSentire, the script embeds BatLoader's instruction set in a main function lifted from Stack Overflow. When run, it executes a series of Windows commands that retrieve an encrypted payload, control.exe.enc.
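The install chain above (Python 3.9.9 setup, pip install of pywin32 and wmi, PowerShell unpacking OpenSSL, then framework.py and frameworkb.py) is unusual enough to correlate in process-creation telemetry. The script below is an added example, not eSentire's or BatLoader's code: it reads constructed Sysmon-style events (the JSON field names, the Expand-Archive cmdlet and the exact paths are assumptions), classifies each command line into one of the four stages, and alerts only when a host shows at least three stages in the article's order within a short window. A developer who merely installs Python and pywin32 does not trigger it.

```python
"""Flag the BatLoader install chain in process-creation telemetry.

Added example (not eSentire's or BatLoader's code). Event format, field names
and command-line patterns are assumptions modelled on the steps in the article.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stages of the batch file, in the order the article describes them. The regexes
# are assumptions; real samples may use other paths, cmdlets or package order.
STAGES = [
    ("python_install", re.compile(r"python-3\.9\.9[^ ]*\.exe", re.I)),
    ("pip_pywin32_wmi", re.compile(
        r"\bpip(\.exe)?\b.*\binstall\b(?=.*\bpywin32\b)(?=.*\bwmi\b)", re.I)),
    ("openssl_unpack", re.compile(
        r"powershell.*(Expand-Archive|ExtractToDirectory).*openssl", re.I)),
    ("framework_py", re.compile(r"python(\.exe)?\s.*framework[b]?\.py", re.I)),
]
STAGE_INDEX = {name: i for i, (name, _) in enumerate(STAGES)}

# Constructed sample telemetry: one JSON object per process-creation event.
# WS-01 shows the full chain; DEV-02 is a developer installing Python normally.
SAMPLE_EVENTS = r"""
{"ts": "2023-02-14T09:12:03", "host": "WS-01", "parent": "msiexec.exe", "image": "cmd.exe", "integrity": "High", "cmdline": "cmd.exe /c C:\\Windows\\Temp\\setup.bat"}
{"ts": "2023-02-14T09:12:10", "host": "WS-01", "parent": "cmd.exe", "image": "python-3.9.9-amd64.exe", "integrity": "High", "cmdline": "python-3.9.9-amd64.exe /quiet InstallAllUsers=1 PrependPath=1"}
{"ts": "2023-02-14T09:12:55", "host": "WS-01", "parent": "cmd.exe", "image": "pip.exe", "integrity": "High", "cmdline": "C:\\Python39\\Scripts\\pip.exe install pywin32 wmi"}
{"ts": "2023-02-14T09:13:20", "host": "WS-01", "parent": "cmd.exe", "image": "powershell.exe", "integrity": "High", "cmdline": "powershell.exe -NoP -c Expand-Archive -Path C:\\Windows\\Temp\\openssl.zip -DestinationPath C:\\ProgramData\\ssl"}
{"ts": "2023-02-14T09:13:40", "host": "WS-01", "parent": "cmd.exe", "image": "python.exe", "integrity": "High", "cmdline": "C:\\Python39\\python.exe C:\\ProgramData\\ipython\\framework.py"}
{"ts": "2023-02-14T09:13:42", "host": "WS-01", "parent": "cmd.exe", "image": "python.exe", "integrity": "High", "cmdline": "C:\\Python39\\python.exe C:\\ProgramData\\ipython\\frameworkb.py"}
{"ts": "2023-02-14T10:00:00", "host": "DEV-02", "parent": "explorer.exe", "image": "python-3.9.9-amd64.exe", "integrity": "Medium", "cmdline": "python-3.9.9-amd64.exe"}
{"ts": "2023-02-14T10:05:00", "host": "DEV-02", "parent": "cmd.exe", "image": "pip.exe", "integrity": "Medium", "cmdline": "pip.exe install pywin32"}
"""


def parse_events(raw):
    """Parse one JSON event per line and return them sorted by timestamp."""
    events = []
    for line in raw.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def classify(cmdline):
    """Return the chain stage a command line belongs to, or None."""
    for name, pattern in STAGES:
        if pattern.search(cmdline):
            return name
    return None


def detect_chain(raw, window=timedelta(minutes=15), min_stages=3):
    """Per host, require at least `min_stages` distinct stages, seen in the
    article's order, with the first and last inside `window`."""
    hits = defaultdict(list)
    for ev in parse_events(raw):
        stage = classify(ev["cmdline"])
        if stage:
            hits[ev["host"]].append((ev["ts"], stage, ev))

    alerts = []
    for host, host_hits in hits.items():
        ordered = []  # first occurrence of each stage, in time order
        for ts, stage, ev in host_hits:
            if all(s != stage for _, s, _ in ordered):
                ordered.append((ts, stage, ev))
        idx = [STAGE_INDEX[s] for _, s, _ in ordered]
        span = ordered[-1][0] - ordered[0][0]
        if len(ordered) >= min_stages and idx == sorted(idx) and span <= window:
            alerts.append({
                "host": host,
                "stages": [s for _, s, _ in ordered],
                "span_seconds": int(span.total_seconds()),
                # the article notes the batch file ran with admin rights
                "elevated": any(ev.get("integrity") == "High" for _, _, ev in ordered),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_chain(SAMPLE_EVENTS):
        print(alert)
```

Requiring the stages in order and within a window is what keeps the rule quiet on real developer workstations; if your fleet legitimately installs pywin32 and wmi together, raise min_stages to 4 so that the framework.py launch becomes mandatory.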
C2 Domains Involved
Other BatLoader samples analyzed by eSentire show the malware can also be used to establish persistent access to enterprise networks. The C2 domains involved:
- uelcoskdi[.]ru
- iujdhsndjfks[.]ru
- isoridkf[.]ru
- gameindikdowd[.]ru
- jhgfdlkjhaoiu[.]su
- reggy506[.]ru
- reggy914[.]ru
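Both the look-alike ad domains listed earlier and the C2 domains above are published defanged, and several of them are one character away from brands that appear in normal traffic, so a sloppy substring match will either miss them or page you on www.adobe.com. The script below is an added example, not eSentire's code: it refangs the indicators, then matches queried names against them label by label, so a subdomain of a C2 host is caught while an unrelated domain that merely ends in the same string is not. The DNS log format ("timestamp client qtype name") and the sample queries are constructed.

```python
"""Match the defanged indicators from the article against DNS query logs.

Added example (not eSentire's code). The log format and the sample queries
are constructed; the indicator lists are copied from the article.
"""

# Look-alike domains used in the ads, as published (defanged).
SPOOFED_DOMAINS = [
    "chatgpt-t[.]com", "zoomvideor[.]com", "spotify-uss[.]com",
    "tableau-r[.]com", "adobe-l[.]com", "adolbe[.]website", "adobe-e[.]com",
]
# C2 domains from the other BatLoader samples, as published (defanged).
C2_DOMAINS = [
    "uelcoskdi[.]ru", "iujdhsndjfks[.]ru", "isoridkf[.]ru", "gameindikdowd[.]ru",
    "jhgfdlkjhaoiu[.]su", "reggy506[.]ru", "reggy914[.]ru",
]

# Constructed DNS log: "<timestamp> <client> <qtype> <queried name>".
SAMPLE_DNS = """
2023-02-14T09:11:58Z WS-01 A adobe-e.com
2023-02-14T09:12:01Z WS-01 A www.adobe.com
2023-02-14T09:14:02Z WS-01 A cdn.uelcoskdi.ru
2023-02-14T09:20:15Z WS-07 A xadobe-l.com
2023-02-14T09:21:40Z WS-07 A login.microsoftonline.com
2023-02-14T09:30:09Z WS-07 AAAA reggy914.ru.
"""


def refang(indicator):
    """Turn a defanged indicator ("adobe-e[.]com") back into a matchable domain."""
    return (indicator.strip().lower()
            .replace("[.]", ".").replace("(.)", ".").rstrip("."))


def build_index(spoofed=SPOOFED_DOMAINS, c2=C2_DOMAINS):
    """Map each refanged domain to its category."""
    index = {refang(d): "lure-domain" for d in spoofed}
    index.update({refang(d): "c2" for d in c2})
    return index


def match_domain(qname, index):
    """Exact or parent-domain match by walking labels right to left, so
    cdn.uelcoskdi.ru matches uelcoskdi.ru but xadobe-l.com does not match
    adobe-l.com. Returns (indicator, category) or None."""
    labels = qname.strip().lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in index:
            return candidate, index[candidate]
    return None


def scan_dns_log(raw, index=None):
    """Return one hit per log line whose queried name matches an indicator."""
    if index is None:
        index = build_index()
    hits = []
    for line in raw.strip().splitlines():
        ts, client, qtype, qname = line.split()
        matched = match_domain(qname, index)
        if matched:
            hits.append({"ts": ts, "client": client, "qtype": qtype,
                         "qname": qname, "indicator": matched[0],
                         "category": matched[1]})
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS):
        print(hit)
```

A hit on a lure domain tells you a user reached the fake download page; a hit on a C2 domain means the loader already ran, so the two categories deserve different response playbooks.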
eSentire's analysts offer the following recommendations:
- Raise user awareness of malware that masquerades as legitimate applications to steal credentials and identities.
- Implement an effective phishing and security awareness training (PSAT) program.
- Always use a robust antivirus system.
- Make sure that the antivirus signatures are up-to-date.
- Use a Next-Gen AV or Endpoint Detection and Response (EDR) product.
- Use complex, unique passwords.
- Enable two-factor authentication.
Author: Guru