eSentire Threat Intelligence Malware Analysis: BatLoader

Since being introduced in February 2022, BatLoader is a malware dropper that has been observed dropping several well-known malware or malicious tools like ISFB, SystemBC RAT, Redline Stealer, and Vidar Stealer. Since its MSI installer file size is 100MB+, BatLoader can easily evade most sandboxes and antivirus tools.

This malware analysis delves deeper into the technical details of how the BatLoader malware operates and our security recommendations to protect your organization from being exploited.

Case Study BatLoader

In September 2022, eSentire TRU observed multiple BatLoader infections in Consumer Services, Retail, Telecommunications, and Non-Profit client environments. The initial infection starts with the user searching for installers such as Zoom, TeamViewer, AnyDesk, or FileZilla. The user navigates to the first advertisement displayed, which redirects the user to the website hosting the fake installer. The MSI installers are signed by “Kancelaria Adwokacka Adwokat Aleksandra Krzemińska” (Figures 1-2).

In October and November 2022, we observed the second BatLoader campaign pushing fake installers such as TeamViewer (Figure 3), AnyDesk and LogMeIn. The infections were observed in Insurance, Consulting, Healthcare, and Printing industries.

We also observed several C2 domains related to BatLoader campaigns:

• updatea1[.]com (first campaign)
• cloudupdatesss[.]com (first campaign)
• externalchecksso[.]com (second campaign)
• internalcheckssso[.]com (second campaign)

BatLoader Analysis (First Campaign)

BatLoader, named by Mandiant, is a malware dropper. The malware was first mentioned by Mandiant in February 2022. It’s worth noting that Mandiant mentioned the domain clouds222[.]com for the BatLoader campaign which also overlaps with the Zloader C2 domain.

eSentire TRU observed BatLoader dropping the following malware / malicious tools:

• ISFB
• SystemBC RAT
• Redline Stealer
• Vidar Stealer

The MSI installer file is over 100MB in size; the large file size is implemented by threat actor(s) to evade sandboxes and antivirus products. The properties of the BatLoader MSI installer are shown in Figure 5. Within the MSI file, we have found the components of NovaPDF 11 (Figure 6) and other garbage files shown in Figure 7. The files reside within the C:\Program Files (x86)\Softland\novaPDF 11\Tools path that is created after the malicious MSI is successfully run, we also found NordVPNSetup.exe dropped within the same path. We believe that the files mentioned are used as a decoy.

The main malicious trigger for the MSI installer resides under CustomAction table. Custom Actions are the operations defined by the user during installation or MSI execution. The malicious actor(s) create a custom action to run the malicious PowerShell inline script. The malicious script resides under AI_DATA_SETTER action name and contains the instructions to download the malicious update.bat file from the C2 domain and place it under AppData\Roaming folder (Figure 8). The PowerShell script is run via the PowerShell Core or pwsh.exe in a hidden window.

The downloaded update.bat file is responsible for downloading requestadmin.bat file and NirCmd.exe binary (Figure 9).

The requestadmin.bat is responsible for performing antivirus tampering – adding %APPDATA% and %USERPROFILE%\ paths to Windows Defender exclusion to prevent Defender from scanning the mentioned paths. The batch file was executed via nircmd.exe which was also downloaded from the C2; the utility allows the batch file to run in the background without displaying the user interface. Besides excluding the paths, the batch file also retrieves and executes the runanddelete.bat and scripttodo.ps1 scripts from the C2 via a native PowerShell command Invoke-WebRequest (Figure 10).

The scripttodo.ps1 installs the GnuPg, the software that encrypts and signs the data and communications as shown in Figure 11.

Further down, the script enumerates the current domain that the user is logged into, the username, and obtains all entries within the IPs starting with 192., 10., and .172 in the ARP cache table. Once it completes that task, it then checks the amount of IPs found in the ARP table and completes a sum operation.

• If the amount is less than 2 and the user domain is within WORKGROUP, the script will not proceed to further infection.
• If the number of IPs is greater than 2, the domain is not in WORKGROUP and does not contain the username, which satisfies all the conditions set in the script, then the full set of malware is retrieved from C2 (Figure 12).

The requests to the C2 server are performed in the following format:

If the mentioned conditions are not satisfied, the script retrieves the GPG-encrypted files:

• d2ef5.exe.gpg (encrypted Ursnif)
• p9d2s.exe.gpg (encrypted Vidar Stealer)

If all the conditions are met, the script retrieves the following files:

• d2ef5.exe.gpg (encrypted Ursnif)
• p9d2s.exe.gpg (encrypted Vidar Stealer)
• d655.dll.gpg (encrypted Cobalt Strike)
• f827.exe.gpg (encrypted Syncro RMM)
• shutdowni.bat

We were unable to retrieve the shutdowni.bat file but we believe the script might have been deployed to restart the host.

The GPG decryption routine was borrowed from the script hosted on GitHub (Figure 13). The script looks for files ending with gpg in %APPDATA% folder and decrypts them using the password 105b.

Moreover, the scripttodo.ps1 recursively removes the implementation of Windows Defender IOfficeAntiVirus under HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}. The IOfficeAntivirus component is responsible for detecting malicious or suspicious files downloaded from the Internet. It then adds the extensions such as exe and DLL as exclusions to Windows Defender. Additionally, the script downloads Nsudo.exe tool to be able to run files and programs with full privileges.

We have mentioned that besides scripttodo.ps1, the runanddelete.bat (Figure 14) file was retrieved. The batch file is responsible for running a malicious executable d2ef5.exe with administrator privileges by creating a VBS script getadmin.vbs under %TEMP% folder to run the binary, but first the user would get an alert prompt from User Account Control (UAC) to allow the program to make changes.

The Secrets of BatLoader

The binary d2ef5.exe is the ISFB banking malware also known as the successor of Gozi or Ursnif. The first Gozi variant was first discovered by SecureWorks in 2007 and is still active today, spreading through phishing emails and loaders. The Ursnif version we observed can exfiltrate browser credentials and cookies, Thunderbird and Outlook profiles, POP3, SMTP passwords. The strings “*terminal* *wallet* *bank* *banco*” were also observed which suggests that Ursnif is also capable of stealing cryptocurrency from digital wallets and banking credentials.

Upon execution, ISFB creates a persistence via Registry Run Keys under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. The registry value VirtualStop (the registry values can be different based on the wordlist table hardcoded in the binary). The registry value contains the command that launches the shortcut (LNK) which contains powershell.exe in the relative path. The PowerShell starts the CollectMirrow.ps1 script under %USERPROFILE% folder bypassing the PowerShell’s execution policy.

The command execution example:

cmd /c start C:\Users\<username>\VirtualStop.lnk -ep unrestricted -file C:\Users\<username>\CollectMirrow.ps1

The CollectMirror.ps1 script contains the PowerShell one-liner (Figure 15) that pulls the written data from the registry under HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\<registry_value>>, specifically the TestMouse value (Figure 16).

The script performs process injection using the API such as OpenThread (to create a handle to an existing process), VirtualAlloc (memory allocation in the chosen process), and QueueUserAPC, the thread that the APC (Asynchronous Procedure Calls) is queued to has to enter an alertable state, this can be achieved by invoking SleepEx as shown in Figure 17.

We have observed ISFB injecting itself into a running explorer.exe process. The unpacked sample is approximately 540 KB (MD5: 3aaf34ffbe45e4f54b37392ad1afe9a5).

We have observed ISFB injecting itself into a running explorer.exe process. The unpacked sample is approximately 540 KB (MD5: 3aaf34ffbe45e4f54b37392ad1afe9a5). You can read the very well-written analyses by Daniel Bunce here and here, but we will cover the main basics of malware.

The payload locates the BSS section which is where the encrypted strings reside within the function shown in Figure 18 (the hex string 81 38 2E 62 73 73 contains ‘bss’).

The data stored in the BSS section is encoded as shown in Figure 19.

The decryption function is shown below, the decryption function can be represented as the following pseudocode:

The decryption function takes 4 bytes of the encrypted data in BSS at a time and converts them into an integer, then subtracts the key from the index value and adds to the DWORD value which is 4 bytes.

The decompiled code can be seen in Figure 21. The decryption function is thoroughly described by 0verfl0w (Daniel Bunce) here. Part of the key is derived from the division operations from the value retrieved from API call GetSystemTimeAsFileTime (retrieving system time). Another part of the key is embedded in our payload which is 0x81b8e7da. Applying the key to the decryption function (Figure 22) and part of the key derived from system time (which is 19) gave us the decrypted data (Figure 23).

The second decompressed data blob contains the following:

The third blob contains the wordlist values shown below:

These words are used to build the registry value names.

Another interesting feature of the ISFB is that it stores three embedded binaries within the unpacked payload. The binaries are compressed using APLib compression algorithm. The decompression function is shown in Figure 24.

To be able to locate the embedded compressed binaries, we need to find the structure of the ISFB payload where it stores the configuration. The configuration contains the payload marker or header, XOR key, CRC32 hash, the offset, and the size of each compressed binary (Figure 25). The payload marker defines the version of ISFB.

The compressed data is separated by the null bytes as shown in Figure 26. You can see something resembling C2 domains in the first blob.

We wrote a Python script to extract the compressed data and decompress them (Figure 27). The first compressed blob contains the RSA public key with the hash 0xe1285e64 (Figure 28).

ISFB also stores the configuration within the function that parses the payload header (Figure 29). The hash values are calculated by XORing the value 0x69b25f44 (known as g_CsCookie from the leaked code) with the values that match with CRC_CLIENT32 (again, from the leaked code).

The following are the hashes of the payload as a result of XORing:

The traffic beaconing contains the following pattern that will be encrypted with the AES key extracted from the compressed blob:

The example of the encrypted with AES-128 beacon, replacing + with _2B and / with _2F, the / are also being added:

Some interesting strings found:

Man-in-the-browser is another capability of Ursnif. You might have noticed strings such as “user_pref("network.http.spdy.enabled", false);”, “EnableSPDY3_0” and “--use-spdy=off --disable-http2”. Ursnif disables SPDY and HTTP/2 (successor of SPDY protocol) on the infected host. The protocols allow HTTP data compression to achieve minimal latency. With the protocol implementation, threat actor(s) might have to spend additional time attempting to modify and intercepting the web traffic.

We still see some remanences from the Ursnif DreamBot in ISFB v2 (file://c:\test\tor64.dll), which might suggest that the Tor communication capability is still possible.

Vidar Stealer, SystemBC, and Syncro RMM Agent

Upon successful infection, first, the host would reach out to the C2 and retrieve the DLLs (Dynamic Link Library) dependencies such as vcruntime140.dll, sqlite3.dll, softokn3.dll, nss3.dll, msvcp140.dll, mozglue.dll, freebl3.dll for the stealer to be able to extract credentials and cookies from browsers and to function properly. If you are interesting in understanding in more depth what each library is responsible for, you can review our blog on Mars Stealer.

The stealer then collects the credentials, host information, files, and screenshot and sends it over as a ZIP archive in a base64-encoded format as shown in Figure 30.

We are in the processing of completing a technical analysis of Vidar Stealer, which will be our next blog.

Syncro RMM is a Remote Monitoring and Management tool used to control and manage devices remotely. In the hands of a malicious actor, this tool can be used as a persistence mechanism and remote accessing.

SystemBC RAT also known as “socks5 backconnect system” (MD5: 8ea797eb1796df20d4bdcadf0264ad6c) is a malware that leverages SOCKS5 proxies to hide malicious traffic, it also has the capability of sending additional payloads to the hosts (Figure 31).

The RAT creates the mutex “wow64” with the “start” as an argument (“start” will also be used as an argument for the scheduled task command). If the mutex is not present – the RAT will reach out to the C2. The C2 configuration is shown below:

If the mutex is present on the host, the instruction would proceed further to check the integrity level of the current malicious process, then it compares to the value 1000 which is SECURITY_MANDATORY_LOW_RID (low integrity level, SID: S-1-16-0), this means the process is restricted and has limited write permissions.

• If the value is not equal to 1000, it proceeds with scheduled task creation, the task name is “wow64.exe”. The command to run the scheduled task every 2 minutes is start.
• If the value is equal to 1000, the RAT proceeds to communicate with the C2 (Figure 32).

SystemBC is capable of executing scripts and commands retrieved from C2 such as ps1, bat, vbs, and exe (Figure 33).

BatLoader Analysis (Second Campaign)

The second campaign we observed is slightly different than the first one. The MSI installer (MD5: 099483061f8321e70ce86c9991385f48) with the signature “Tax In Cloud sp. z o.o.” does not come with an embedded PowerShell script. Instead, the installer pushes “avolkov.exe” binary to the infected machine and creates the registry key containing the path of the dropped binary which is AppData/Local/ SetupProject1 (Figure 34).

The avolkov.exe binary (MD5: d41e0fee0ec6c2e3da56a6dcf53607da) utilizes libcurl 7.85.0 which enables the data transfer with URL syntax for protocols such as HTTP/HTTPS, FTP, DICT, SMTP, IMAP, POP3, LDAP, acting as a potential backdoor and loader. The binary has the C2 embedded inside the binary from where it retrieves the newtest.bat file (Figure 35). The batch script is responsible for pulling additional BatLoader payloads and scripts from C2 such as:

• requestadmin.bat
• nircmd.exe
• user.ps1
• checkav.ps1
• scripttodo.ps1

The requestadmin.bat (Figure 36) retrieved from the second campaign is different compared to the first campaign. The threat actor(s) made sure to add more paths and folders to Windows Defender exclusion including %TEMP% and C:\Windows\* as well as adding .ps1 (PowerShell) extension to the exclusion list.

We observed that the script retrieves NSudo and modifies Windows UAC prompt behavior by allowing administrators to perform operations without authentication or consent prompts:

• Disabling Windows Defender notifications,
• Disabling Task Manager,
• Disabling command prompt,
• Preventing users from accessing Windows registry tools,
• Disabling Run command,
• Modifying the display timeout (monitor powers off after 30 minutes) and sleep mode (on AC/battery power – goes to sleep after 3000 minutes (50 hours)).

The script also no longer pulls runanddelete.bat file from the C2.

The scripttodo.ps1 file still retrieves the same files from the C2, the Cobalt Strike payload (d655) was changed to a DLL instead of EXE and shutdowni.bat is no longer pulled from the C2.

user.ps1 (Figure 37) is similar to scriptodo.ps1 in terms of enumerating the current domain of the host, username, and ARP table.

• If all conditions are satisfied and the host has SID S-1-5-32-544 present (Group Name: BUILTIN\Administrators), the script outputs “YES”.
• If the conditions are not met and the host belongs to the workgroup, the script retrieves the Cobalt Strike payload named installv2.dll (MD5: 4a6898a4584fdfb34bbeefc77bc882c4) and runs it via rundll32.exe with an ordinal “SRANdomsrt”.

Interestingly enough, we have observed QakBot using the same ordinal name to run Cobalt Strike payloads.

Another new addition to BatLoader is the antivirus check script (checkav.ps1). The script checks the host against the list of antiviruses and sends it out to C2 server (Figure 38).

Later, threat actor(s) switched from externalchecksso[.]com to internalchecksso[.]com. The scripttodo.ps1 was also changed to ru.ps1 as well as the names for malicious binaries as shown in Figure 39.

How eSentire is Responding

Our Threat Response Unit (TRU) combines threat intelligence obtained from continuous research and security incidents to create practical outcomes for our customers. We are taking a full-scale response approach to ongoing cybersecurity threats by deploying countermeasures, such as:

• Implementing threat detections and leveraging BlueSteel, our machine-learning powered PowerShell classifier, to identify malicious command execution and ensuring that eSentire has visibility and detections are in place across eSentire MDR for Endpoint and MDR for Network.

• Performing global threat hunts for indicators associated with BatLoader.

Our detection content is supported by investigation runbooks, ensuring our 24/7 SOC Cyber Analysts respond rapidly to any intrusion attempts related to known malware Tactics, Techniques, and Procedures. In addition, TRU closely monitors the threat landscape and constantly addresses capability gaps and conducts retroactive threat hunts to assess customer impact.

Recommendations from eSentire's Threat Response Unit (TRU)

We recommend implementing the following controls to help secure your organization against BatLoader malware:

• Confirm that all devices are protected with Endpoint Detection and Response (EDR) solutions

• Encouraging good cybersecurity hygiene among your users by using Phishing and Security Awareness Training (PSAT) when downloading software from the Internet.
• Encourage your employees to use password managers instead of using the password storage feature provided by web browsers.

While the TTPs used by adversaries grow in sophistication, they lead to a certain level of difficulties at which critical business decisions must be made. Preventing the various attack paths utilized by the modern threat actor requires actively monitoring the threat landscape, developing, and deploying endpoint detection, and the ability to investigate logs & network data during active intrusions.

eSentire’s TRU is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.

If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.

Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.

Appendix

• https://www.mandiant.com/resources/blog/seo-poisoning-batloader-atera
• https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/
• https://raw.githubusercontent.com/adbertram/Random-PowerShell-Work/master/Security/GnuPg.psm1
• https://learn.microsoft.com/en-us/windows/win32/sync/asynchronous-procedure-calls?redirectedfrom=MSDN
• https://www.0ffset.net/reverse-engineering/malware-analysis/analysing-isfb-loader/
• https://www.0ffset.net/reverse-engineering/malware-analysis/analyzing-isfb-second-loader/
• https://www.0ffset.net/reverse-engineering/challenge-1-gozi-string-crypto/
• https://research.openanalysis.net/config/python/yara/isfb/rm3/gozi/2022/10/06/isfb.html
• https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-mars-stealer
• https://www.secureworks.com/404?aspxerrorpath=/research/gozihttps:/www.secureworks.com/research/gozi
• https://owasp.org/www-community/attacks/Man-in-the-browser_attack

Indicators of Compromise

MITRE ATT&CK