Malicious Payloads with Batloader Malware in 2022

Category: Malware Campaign | Industry: Global | Level: Tactical | Source: Trend Micro

Tracking of modular malware, Batloader by Trend Micro, discovered the malware was highly active in the fourth quarter of 2022, by a threat actor tracked as “Water Minyades.” Used for initial access "Batloader has been observed to drop several malware payloads, such as Ursnif, Vidar, Bumbleloader, RedLine Stealer, ZLoader, Cobalt Strike, and SmokeLoader. It can also drop legitimate remote management tools, such as Syncro and Atera." Batloader is also part of intrusion sets leading to the execution of Royal ransomware. Commonly Batloader campaigns target users seeking to download legitimate software and through search engine optimization (SEO) poisoning techniques, and luring victims onto the actors fictitious sites hosting a malicious payload.

The first stage payload uses MSI files and more frequently transitioned to obfuscated JavaScript files. Campaigns that used MSI files followed an infection chain using polyglot binaries and malicious scripts executed by MSHTA.exe. Capabilities exhibited by Batloader include the ability to stop security services like Windows Defender, host fingerprinting, and using "different techniques to attempt evading antivirus solutions, such as hyperinflating MSI file sizes for antivirus engines that have file size limits, using noticeably short modular scripts that can be hard to structurally detect, acquiring legitimate digital signatures for the MSI files, obfuscating scripts connecting to the Batloader command and control (C&C) servers, and abusing legitimate file sharing services to host malware payloads."

Starting in November 2022, the newer infection chain relied on JavaScript to download and execute a series of batch and PowerShell scripts dropping loaders, info-stealers, or remote management tools. Batloader campaigns were observed to have increased starting in September 2022 and peaked during the first week of December. The threat actors behind the campaign were keen on using holiday shopping themes as part of their social engineering lures.

Anvilogic Scenario:

• Malicious Software Download via MSI/JS

Anvilogic Use Cases:

• Wscript/Cscript Execution
• MSHTA.exe execution
• Executable Create Script Process

‍