The malware downloader BATLOADER has been observed abusing Google Ads to deliver secondary payloads such as Vidar Stealer and Ursnif. According to cybersecurity researchers, the malicious ads spoof a wide range of legitimate apps and services, including Adobe, OpenAI's ChatGPT, Spotify, Tableau, and Zoom. BATLOADER, as the name suggests, is a loader responsible for distributing next-stage malware such as information stealers, banking malware, Cobalt Strike, and even ransomware.
See: https://redskyalliance.org/xindustry/raccoon-vidar-stealers-at-it-again
If it lands on a standalone computer, BATLOADER downloads and installs banking malware and information stealers. If it detects that it is on a wider network, it instead installs remote monitoring and management (RMM) tooling. This gives the attacker control of the machine and lets them explore the network and carry out further actions. From that point the intrusion is hands-on-keyboard: it is guided by a person or group rather than by additional code.
One of the key traits of the BATLOADER operations is the use of software impersonation for malware delivery. The operators set up lookalike websites hosting Windows installer files that masquerade as legitimate apps; the infection sequence starts when a user searching for the software clicks a rogue ad on the Google search results page and runs the installer from the lookalike site.
Once attackers fully control a PC or network, they do not need to install any more malware. To administer the system they can use software that is already present, such as Windows PowerShell, other scripting tools, and direct commands. This is known as a Living off the Land (LotL) attack, and it is harder to spot precisely because the same tools are used legitimately by administrators every day.
When launched, these MSI installer files execute Python scripts that contain the BATLOADER payload, which then retrieves the next-stage malware from a remote server. This marks a slight shift from the attack chains observed in December 2022, when the MSI packages ran PowerShell scripts to download the stealer malware.
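The two delivery chains above (msiexec.exe running a bundled Python script, and the earlier variant running a PowerShell downloader) and the LotL point from the preceding paragraph share one detectable trait: Windows Installer is the parent of a script host. The following is an added example, not code from the Red Sky Alliance post or from BATLOADER, that flags that parent/child relationship in process-creation telemetry. The event layout, field names (parent_image, image, command_line) and the sample rows are constructed assumptions, not any vendor's schema or observed indicators.

```python
"""Process-chain detection for the installer-to-script-host pattern.

Added example, not code from the Red Sky Alliance post or from BATLOADER
itself. The event layout and the sample rows are constructed here; the
field names (parent_image, image, command_line) are an assumption, not
any particular EDR or Sysmon schema.
"""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the newly created process
    command_line: str   # command line of the new process


# Script hosts that a Windows Installer run should not normally spawn.
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "powershell.exe", "pwsh.exe",
                "wscript.exe", "cscript.exe"}

# Download / decode primitives typical of living-off-the-land PowerShell.
DOWNLOAD_RE = re.compile(
    r"(Invoke-WebRequest|\biwr\b|Net\.WebClient|DownloadString|DownloadFile|"
    r"Invoke-Expression|\biex\b|FromBase64String|-enc(odedcommand)?\b)",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Lower-case file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the findings for one event; an empty list means nothing matched."""
    findings = []
    parent, child = basename(ev.parent_image), basename(ev.image)
    # Rule 1: the chain the post describes, msiexec.exe -> script host.
    if parent == "msiexec.exe" and child in SCRIPT_HOSTS:
        findings.append(f"msiexec spawned script host {child}")
    # Rule 2: PowerShell invoked with a download or decode primitive (LotL).
    if child in {"powershell.exe", "pwsh.exe"} and DOWNLOAD_RE.search(ev.command_line):
        findings.append("powershell download/decode primitive")
    return findings


def scan(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Run classify() over a batch; returns (event index, finding) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in classify(ev)]


# Constructed sample telemetry (not observed indicators).
SYS32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [
    # 0: the chain described in the post: MSI install runs a bundled Python script
    ProcEvent(SYS32 + r"\msiexec.exe", r"C:\Users\Public\ZoomInstall\pythonw.exe",
              r'pythonw.exe "C:\Users\Public\ZoomInstall\setup.py"'),
    # 1: the December 2022 variant: MSI runs an encoded PowerShell downloader
    ProcEvent(SYS32 + r"\msiexec.exe", SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBi"),
    # 2: benign: a user double-clicks an installer
    ProcEvent(SYS32 + r"\explorer.exe", SYS32 + r"\msiexec.exe", "msiexec.exe /i setup.msi"),
    # 3: benign: Windows Installer's own elevated child
    ProcEvent(SYS32 + r"\msiexec.exe", SYS32 + r"\msiexec.exe", "msiexec.exe /V"),
    # 4: benign: a developer runs Python from a shell, not from msiexec
    ProcEvent(SYS32 + r"\cmd.exe", r"C:\Python311\python.exe", "python.exe build.py"),
    # 5: benign: interactive PowerShell with no download primitive
    ProcEvent(SYS32 + r"\explorer.exe", SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -NoProfile -Command "Get-ChildItem C:\\Temp"'),
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

Rule 1 is the high-signal one: msiexec.exe spawning its own elevated copy is normal, but it has little reason to launch python.exe or powershell.exe. Rule 2 on its own is noisy in environments where administrators script downloads, so treat it as a corroborating signal and correlate it with the parent process, the user context, and the destination host rather than alerting on it alone.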
Other BATLOADER samples have also shown the malware's ability to establish entrenched access to enterprise networks. The development comes amid a recent surge in search-engine malvertising, a response to Microsoft's decision to block macros by default in Office files downloaded from the internet. "The threat actors are abusing Google's ad network by purchasing ad space for popular keywords and their associated typos," cybersecurity company Malwarebytes noted in July 2022.
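The lookalike sites described earlier and the keyword-plus-typo ad buying quoted above both rest on domains that resemble a brand name. As an added example, not from the post, from Malwarebytes, or from any vendor tool, the script below scores candidate domains against the brands the post says were spoofed. The allowlist and the candidate domains are constructed assumptions for illustration, not observed indicators.

```python
"""Lookalike-domain check for brand impersonation.

Added example, not from the post, Malwarebytes, or any vendor tool. The
brand list mirrors the applications the post says BATLOADER ads spoofed;
the allowlist and the candidate domains below are constructed assumptions,
not observed indicators.
"""
from __future__ import annotations
import re

# Brands the post names as impersonated, plus the vendor name for ChatGPT.
BRANDS = ("adobe", "chatgpt", "openai", "spotify", "tableau", "zoom")

# Domains the brands legitimately use (assumed for the example; in practice
# this comes from a curated allowlist).
ALLOWLIST = {"adobe.com", "openai.com", "spotify.com", "tableau.com", "zoom.us"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Lower-case, drop a trailing dot and a leading www."""
    host = domain.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def registrable_label(host: str) -> str:
    """Second-level label; a simplification that ignores multi-part TLDs like co.uk."""
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def lookalike(domain: str) -> tuple[str, str] | None:
    """Return (brand, reason) if the domain looks like an impersonation, else None."""
    host = normalize(domain)
    if host in ALLOWLIST:
        return None
    label = registrable_label(host)
    tokens = set(re.split(r"[-_]+", label))
    for brand in BRANDS:
        if label == brand:                        # zoom.example
            return brand, "brand on unexpected domain"
        if brand in tokens:                       # zoom-download.example
            return brand, "brand plus extra token"
        if levenshtein(label, brand) == 1:        # tableu.example
            return brand, "edit distance 1 from brand"
    return None


# Constructed candidates, e.g. pulled from ad landing pages or a new-domain feed.
CANDIDATES = ["www.adobe.com", "zoom.us", "zoom-download.example", "tableu.example",
              "zoom.example", "openapi.example", "example.com"]

if __name__ == "__main__":
    for c in CANDIDATES:
        print(f"{c:28} {lookalike(c)}")
```

The edit-distance rule is deliberately strict (distance exactly 1) because short brand names collide with ordinary words at larger distances, and even at distance 1 it produces false positives that need a human look: "openapi.example" is flagged against "openai" although OpenAPI is an unrelated, legitimate name. Use the output to prioritise review of ad landing pages and newly registered domains, not as a blocking decision on its own.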
BATLOADER has continued to change and improve since it first emerged in 2022. The popular applications it impersonates are not chosen at random: they are commonly found in business networks, so a successful infection yields a more valuable foothold to monetize through fraud or hands-on-keyboard intrusions.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office at 1-844-492-7225 or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989