Pyarmor Pro Shields Batloader for Stealthier Intrusions
Category: Malware Campaign | Industry: Global | Source: Trend Micro
The Batloader initial access malware has been carefully refined by the threat actors tracked as Water Minyades, forming a tightly integrated kill chain built around stealth. According to Trend Micro's report, the malware developers have incorporated Pyarmor Pro to obfuscate the latest versions of Batloader. Junestherry Dela Cruz, a threat analyst at Trend Micro, explains, "Water Minyades had been using Pyarmor since December 2022, likely since many antivirus engines lack an unpacker engine for Pyarmor (even the non-pro variant), making it difficult to detect these kinds of scripts." Batloader's attack chain emphasizes stealth through the use of Windows Installer package (MSI) files, the Windows command-line interface (cmd), and batch files to launch the attack.
A sample intrusion shared in Trend Micro's report shows Python scripts and libraries obfuscated with Pyarmor Pro being used to stage and execute the Batloader malware. Once these scripts are executed, the compromised host is enumerated using native Windows tools such as arp and the WMI command-line (WMIC) tool. The collected data is then transmitted to the attackers' command-and-control (C&C) server. After the initial breach, Batloader can facilitate the installation of the main malware payloads, including information stealers or remote access trojans (RATs) such as Ursnif, Vidar, or RedLine Stealer. Trend Micro also warns that this initial access malware can lead to more damaging ransomware deployment, given its association with the Royal and BlackSuit ransomware gangs.
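As an added illustration (not code from the Trend Micro report), the following constructed Python detection walks process-creation telemetry for the sequence described above: an MSI or batch-file stage, a Python interpreter, and then arp or WMIC run from it. The event shape, PIDs, file names and command lines are assumed sample values, not indicators from the report.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (constructed, Sysmon Event ID 1 style)."""
    pid: int
    ppid: int
    image: str      # executable file name, lower-case
    cmdline: str

# Constructed sample telemetry (not real indicators): an MSI runs a batch
# file, which launches a bundled Python interpreter that enumerates the host.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "msiexec.exe", "msiexec.exe /i setup.msi /qn"),
    ProcEvent(101, 100, "cmd.exe", "cmd.exe /c install.bat"),
    ProcEvent(102, 101, "python.exe", "python.exe loader.py"),
    ProcEvent(103, 102, "arp.exe", "arp.exe -a"),
    ProcEvent(104, 102, "wmic.exe", "wmic computersystem get domain"),
    # Benign control: an administrator runs arp from an interactive shell.
    ProcEvent(200, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(201, 200, "cmd.exe", "cmd.exe"),
    ProcEvent(202, 201, "arp.exe", "arp.exe -a"),
]
RECON_TOOLS = {"arp.exe", "wmic.exe"}
INTERPRETERS = {"python.exe", "pythonw.exe"}

def ancestors(event, by_pid):
    """Walk parent pointers upward; stops when a parent is missing from telemetry."""
    chain, cur = [], by_pid.get(event.ppid)
    while cur is not None:
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain

def staged_by_installer_or_batch(chain):
    """True if msiexec or a cmd.exe running a .bat file appears in the lineage."""
    return any(a.image == "msiexec.exe"
               or (a.image == "cmd.exe" and ".bat" in a.cmdline.lower())
               for a in chain)

def detect_python_recon(events):
    """Return PIDs of arp/wmic spawned by Python whose lineage has an MSI or .bat stage."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if e.image in RECON_TOOLS and parent and parent.image in INTERPRETERS:
            if staged_by_installer_or_batch(ancestors(e, by_pid)):
                hits.append(e.pid)
    return hits
```

The benign arp run from an interactive cmd.exe is deliberately included so the rule keys on the full lineage rather than on the recon tool alone.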