BatLoader stealth malware seen in dozens of attacks

Researchers are warning of a stealthy early access malware called BatLoader that relies on various persistence and anti-detection tactics and has been seen in dozens of attacks since July.

BatLoader, which Mandiant researchers previously analyzed earlier this year, has since been seen by VMware researchers in at least 43 infections that have primarily targeted enterprise services, financial services, manufacturing and education organizations, they said Monday.

“BatLoader’s stealth and persistence is what made this malware stand out from the rest during its latest campaign,” according to VMware’s Bethany Hardin, Lavine Oluoch and Tatiana Vollbrecht. “Since this variant focuses on persistence, if it was able to successfully infect the host, it would be vital to perform the necessary analysis to completely remove the malware or restore it from a known backup.”

The threat actors behind BatLoader use search engine optimization (SEO) poisoning to lure users into downloading the malware from compromised sites using malicious Microsoft Windows Installer files. These files masquerade as legitimate software installers, such as those for Zoom, TeamViewer, or AnyDesk, but actually run a malicious PowerShell script. BatLoader writes these PowerShell scripts, along with batch scripts, to the \appdata\roaming directory to gain initial access to victim machines with the ultimate goal of delivering second-stage malware. VMware researchers observed infections that led to the deployment of the Ursnif/Gozi malware and Arkei/Vidar infostealer for example.

The malware uses a number of persistence and stealth tactics, leveraging legitimate tools such as the Syncro remote access tool and Atera remote control and management software to help maintain access to infected systems. Once on the victim system, the malware downloads command-line utilities that can be used to obtain administrative privileges, and downloads requestadmin.bat, which adds exclusions for Windows Defender as a way to circumvent security defenses.

Additionally, the malware uses a tool called Nsudo to complicate remediation. Nsudo is typically used to launch programs with elevated privileges, but the actors use the tool to add various registry values, such as ConsentPromptBehaviorAdmin, Notification_Suppress, DisableTaskMgr, DisableCMD, and DisableRegistryTools, to the system configuration, which restricts what users can do on the infected device, according to the researchers.
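A defender-side audit for the indicators described in the two paragraphs above (Defender exclusions on the Roaming profile and the listed registry values), added here as an example and not code from VMware or Mandiant. The page names only the registry value names, so the key locations and the thresholds treated as suspicious are assumptions based on the standard Windows policy keys.

```powershell
# Audit a host for BatLoader-style tampering: the registry values named in the
# report plus Defender exclusions covering %APPDATA% (Roaming), where the
# report says the batch/PowerShell scripts are written.
# Registry locations below are ASSUMED (standard policy keys); run elevated.

$script:Checks = @(
    # 0 = UAC elevates administrators without any prompt
    @{ Name = 'ConsentPromptBehaviorAdmin'
       Key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Bad  = { param($v) $v -eq 0 } },
    # 1 = suppress Defender UX notifications (assumed location)
    @{ Name = 'Notification_Suppress'
       Key  = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\UX Configuration'
       Bad  = { param($v) $v -eq 1 } },
    @{ Name = 'DisableTaskMgr'
       Key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Bad  = { param($v) $v -eq 1 } },
    # 1 or 2 = command prompt disabled (2 also blocks batch files)
    @{ Name = 'DisableCMD'
       Key  = 'HKCU:\Software\Policies\Microsoft\Windows\System'
       Bad  = { param($v) $v -ge 1 } },
    @{ Name = 'DisableRegistryTools'
       Key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Bad  = { param($v) $v -ge 1 } }
)

function Get-BatLoaderRegistryFindings {
    foreach ($c in $script:Checks) {
        $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }          # value not present: nothing to report
        $v = $item.($c.Name)
        if (& $c.Bad $v) {
            [pscustomobject]@{ Type = 'Registry'; Location = "$($c.Key)\$($c.Name)"; Value = $v }
        }
    }
}

function Get-RoamingDefenderExclusions {
    # Any path or process exclusion that lets %APPDATA%\Roaming content run unscanned
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    if ($null -eq $pref) { return }
    foreach ($p in @($pref.ExclusionPath) + @($pref.ExclusionProcess)) {
        if ($p -and $p -match '(?i)AppData\\Roaming') {
            [pscustomobject]@{ Type = 'DefenderExclusion'; Location = $p; Value = $null }
        }
    }
}

$findings = @(Get-BatLoaderRegistryFindings) + @(Get-RoamingDefenderExclusions)
if ($findings.Count -eq 0) { 'No BatLoader-style tamper indicators found.' }
else { $findings | Format-Table -AutoSize }
```

A hit is a starting point for the full analysis the researchers recommend, not proof of infection by itself, since some of these values are also set by legitimate group policy.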

Researchers with VMware and Mandiant said they also saw several BatLoader techniques that were similar to previous activity linked to Conti ransomware campaigns. For example, the attack chain used an IP address previously used by Conti in a ransomware attack targeting the Log4j flaw. However, “this does not mean that Conti is responsible for BatLoader,” the researchers emphasized.

“Unaffiliated actors may be replicating the group’s techniques, particularly since the August 2021 Conti leaks,” they said. “Interestingly, Carbon Black’s MDR team and Threat Analysis Unit (TAU) did not find BatLoader being sold on the dark web, suggesting that this may be a campaign by a single actor/group and that it is not sold as a service.”


About the Author: Ted Simmons

I follow and report the current news trends on Google news.
