Cybersecurity researchers at eSentire have identified a malware downloader, BatLoader, that is running a campaign abusing Google Ads to distribute malicious secondary payloads such as:-
- Vidar Stealer
In this ongoing operation, malicious ads impersonate a wide range of legitimate apps and lead to newly registered look-alike websites, including:-
- ChatGPT (chatgpt-t[.]com)
- Zoom (zoomvideor[.]com)
- Spotify (spotify-uss[.]com)
- Tableau (tableau-r[.]com)
- Adobe (adobe-l[.]com)
As a loader, BatLoader delivers malware of the following kinds:-
- Information stealers
- Banking malware
- Cobalt Strike
Since it first appeared in 2022, BatLoader has been continuously modified and improved. Impersonating legitimate software to deliver malware is one of its key characteristics.
Python Loader and Files of BatLoader
In February 2023, eSentire's MDR for Endpoint blocked a code injection attack against one of its manufacturing clients, preventing the Ursnif malware from taking hold.
To determine the root cause of the infection, researchers conducted an investigation. They found that it was triggered by the victim user following a Google search result for an Adobe Reader product.
An advertisement was displayed above the search results; the user clicked on the ad and was taken through an intermediary website, “(adolbe[.]website) to adobe-e[.]com”, which masqueraded as the Adobe Acrobat Reader download page.
Consequently, BatLoader’s Windows Installer file “AdobeSetup.msi” was downloaded and unknowingly executed by the user. The MSI file includes custom actions that are executed to perform a variety of tasks.
In this instance, a hidden window was opened that ran a batch file embedded in the MSI with administrative privileges. The batch file performs the following actions:-
- Runs an included setup binary to install Python 3.9.9.
- Installs the pywin32 and wmi packages using pip.
- Uses PowerShell to unpack the compressed OpenSSL library files into several locations.
- After a short timeout, starts two Python files one after the other.
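As an added defensive example (not eSentire's code and not a sample from the campaign), the rule below flags the process chain these steps produce: an msiexec.exe custom action spawning cmd.exe whose children install Python, run pip, unpack archives with PowerShell and execute scripts. The Sysmon-style events, pids, paths and script names are constructed assumptions.

```python
from collections import defaultdict

# Constructed Sysmon-style process-creation events (pid, ppid, image, command line).
# Pids 100-105 mimic the chain in the text; 200-201 are a benign MSI that should not fire.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "msiexec.exe", "cmd": "msiexec.exe /i AdobeSetup.msi"},
    {"pid": 101, "ppid": 100, "image": "cmd.exe", "cmd": "cmd.exe /c C:\\Temp\\run.bat"},
    {"pid": 102, "ppid": 101, "image": "python-3.9.9-amd64.exe", "cmd": "python-3.9.9-amd64.exe /quiet"},
    {"pid": 103, "ppid": 101, "image": "pip.exe", "cmd": "pip.exe install pywin32 wmi"},
    {"pid": 104, "ppid": 101, "image": "powershell.exe", "cmd": "powershell.exe Expand-Archive openssl.zip"},
    {"pid": 105, "ppid": 101, "image": "python.exe", "cmd": "python.exe stage1.py"},
    {"pid": 200, "ppid": 1,   "image": "msiexec.exe", "cmd": "msiexec.exe /i vendor.msi"},
    {"pid": 201, "ppid": 200, "image": "cmd.exe", "cmd": "cmd.exe /c net start spooler"},
]

# One predicate per stage of the batch file described above. pip is matched by its
# image name here; a "python.exe -m pip install" variant would need a second clause.
STAGES = {
    "python_install": lambda e: e["image"].lower().startswith("python-3") and e["image"].lower().endswith(".exe"),
    "pip_install": lambda e: e["image"].lower() == "pip.exe" and "install" in e["cmd"].lower().split(),
    "ps_unpack": lambda e: e["image"].lower() == "powershell.exe" and "expand-archive" in e["cmd"].lower(),
    "python_run": lambda e: e["image"].lower() == "python.exe",
}


def find_msi_python_bootstrap(events, min_stages=2):
    """Return one finding per cmd.exe spawned by msiexec.exe whose direct children
    match at least min_stages of STAGES; two stages already separates this chain
    from an ordinary installer that shells out once."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if e["image"].lower() != "cmd.exe" or parent is None or parent["image"].lower() != "msiexec.exe":
            continue
        hit = sorted({name for c in children[e["pid"]] for name, pred in STAGES.items() if pred(c)})
        if len(hit) >= min_stages:
            findings.append({"cmd_pid": e["pid"], "msi": parent["cmd"], "stages": hit})
    return findings


if __name__ == "__main__":
    for f in find_msi_python_bootstrap(EVENTS):
        print(f"ALERT cmd.exe pid {f['cmd_pid']} under '{f['msi']}': stages {f['stages']}")
```

Only the AdobeSetup.msi chain is reported; the vendor.msi installer that merely starts a service never reaches the stage threshold.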
Two Python files were included in the package in this case:-
Because these files were protected with PyArmor, the PyArmor-Unpacker program is required to unpack them. As a template for executing Python code with elevated privileges, the files reuse code copied from a Stack Overflow question.
BatLoader’s own instruction set is inserted into the main function of that Stack Overflow template.
When the code runs, it executes a series of Windows commands that retrieve an encrypted payload, control.exe.enc.
Compared with the attack chains observed in December 2022, this modus operandi represents a slight shift in strategy: at that time, the MSI installer packages ran PowerShell scripts to download the stealer malware.
C2 Domains Involved
Based on other BATLOADER samples analyzed by eSentire, the malware can also establish entrenched access to enterprise networks. The C2 domains involved are listed below:-
The cybersecurity analysts offer the following recommendations:-
- Raise awareness and educate users about malware that masquerades as legitimate applications and tries to steal their identities.
- Implement an effective phishing and security awareness training (PSAT) program.
- Always use a robust antivirus system.
- Make sure that the antivirus signatures are up-to-date.
- Use a Next-Gen AV or Endpoint Detection and Response (EDR) product.
- Always use complex passwords that are not reused elsewhere.
- Make sure to implement two-factor authentication.