Researchers are warning of a stealthy initial access malware called BatLoader that relies on various persistence and anti-detection tactics and has been seen in dozens of attacks since July.
BatLoader, which was previously analyzed earlier in the year by Mandiant researchers, has since been seen by VMware researchers in at least 43 infections that have primarily targeted business services, financial services, manufacturing and education organizations, they said on Monday.
“BatLoader’s stealth and persistence are what made this malware stand out from the rest during its latest campaign,” according to Bethany Hardin, Lavine Oluoch and Tatiana Vollbrecht, with VMware. “As this variant has a focus on persistence, if it was able to successfully infect the host, it would be vital to perform the necessary analysis to fully remove the malware or restore from a known good backup.”
The threat actors behind BatLoader use search engine optimization (SEO) poisoning to lure users into downloading the malware from compromised sites via malicious Microsoft Windows Installer files. These files are disguised as legitimate software installers - such as ones for Zoom, TeamViewer or AnyDesk - but they actually execute malicious PowerShell scripts. BatLoader writes these PowerShell scripts, along with batch scripts, to the \appdata\roaming directory to gain a foothold on victim machines, with the end goal of delivering second-stage malware. VMware researchers observed infections leading to the deployment of the Ursnif/Gozi malware and the Arkei/Vidar infostealer, for instance.
The malware uses a number of persistence and stealth tactics, leveraging legitimate tools like the Syncro remote access tool and the Atera remote monitoring and management software to help maintain access to infected systems. Once on the victim system, the malware downloads command line utilities, which can be used to obtain administrative privileges, and downloads requestadmin.bat, which adds exclusions for Windows Defender as a way to evade security defenses.
Additionally, the malware uses a tool called Nsudo to complicate remediation. Nsudo is typically used to launch programs with elevated privileges, but the actors use the tool to add various registry values - including ConsentPromptBehaviorAdmin, Notification_Suppress, DisableTaskMgr, DisableCMD and DisableRegistryTools - to the system configuration, which restricts user access on the infected device, said researchers.
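A host-side audit of the tampering described in the previous two paragraphs, added here as an example (PowerShell written for this article, not VMware's or the malware's code): it reads the five registry values named above plus the current Defender exclusion lists and reports anything that deviates from Windows defaults. The article gives only the value names, so the key paths are my assumption based on the standard Windows policy locations for those values, and the expected defaults should be checked against the organisation's own baseline.

```powershell
# Added audit example: checks the registry values and Defender exclusions the
# article attributes to BatLoader. Key paths are assumed standard policy
# locations; a non-default value is a lead to investigate, not proof of infection.
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'ConsentPromptBehaviorAdmin'; Expected = 5; Note = 'UAC consent prompt disabled when 0' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\UX Configuration'
       Name = 'Notification_Suppress'; Expected = 0; Note = 'Defender notifications hidden when 1' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableTaskMgr'; Expected = 0; Note = 'Task Manager blocked when 1' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableRegistryTools'; Expected = 0; Note = 'regedit blocked when 1' },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\System'
       Name = 'DisableCMD'; Expected = 0; Note = 'cmd.exe blocked when 1 or 2' }
)

function Get-BatLoaderIndicators {
    # Registry values: an absent value means default behaviour, so only a present
    # value that differs from the expected default is reported.
    $findings = @(foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $actual = $item.($c.Name)
        if ($actual -ne $c.Expected) {
            [pscustomobject]@{ Type = 'Registry'; Item = "$($c.Path)\$($c.Name)"; Value = $actual; Note = $c.Note }
        }
    })
    # Defender exclusions (the kind requestadmin.bat adds): every entry is listed
    # so it can be compared against what the organisation deployed deliberately.
    try { $pref = Get-MpPreference -ErrorAction Stop } catch { $pref = $null }
    if ($pref) {
        foreach ($e in @($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension)) {
            if ($e) {
                $findings += [pscustomobject]@{ Type = 'DefenderExclusion'; Item = $e; Value = ''; Note = 'verify this exclusion is sanctioned' }
            }
        }
    }
    return $findings
}

Get-BatLoaderIndicators | Format-Table -AutoSize
```

Run it in an elevated session; HKCU checks reflect the user running the script, so on a shared host repeat it under each affected profile.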
Researchers with both VMware and Mandiant said they also saw several BatLoader techniques that were similar to previous activity linked to Conti ransomware campaigns. For instance, the attack chain used an IP address previously used by Conti in a ransomware attack targeting the Log4j flaw. However, “this is not to say that Conti is responsible for BatLoader,” stressed researchers.
“Unaffiliated actors may be replicating the techniques of the group, especially since the Conti Leaks of August 2021,” they said. “Interestingly, Carbon Black’s MDR and Threat Analysis Unit (TAU) team did not find BatLoader being sold on the dark web, suggesting this may be a campaign by a single actor/group and not being sold as a service.”