In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
Common BATLOADER/DEV-0569 traits include:
This blog will focus on a recent activity cluster identified in mid-December 2022.
On December 16th, 2022, eSentire’s Security Operations Center responded to several BATLOADER infections impacting customers in the financial services and higher education sectors.
In both cases, BATLOADER was distributed via a lookalike website for WinRAR:
Figure 1 BATLOADER WinRAR lookalike page.
The download link leads to ads-check[.]com, which serves a 302 redirect to down[.]software. The latter responds with an MSI payload file masquerading as the WinRAR utility. Ads-check[.]com is used in multiple stages of BATLOADER’s infection chain to track infection sources and progress. The site uses a Russian-language login panel:
Figure 2 Ads-check[.]com’s Russian-language admin panel.
The second website in the payload delivery chain, down[.]software, contains JavaScript logic that displays a greeting in either English or Russian based on the user’s browser language preferences.
Figure 3 down[.]software JavaScript
According to available data on VirusTotal, the site has been active since late November 2022 and has delivered payloads impersonating WinRAR, Awesome Miner, uTorrent and LightShot.
Figure 4 VirusTotal records for down[.]software.
The initial payload (winrar-x64-611.msi) is a Microsoft Software Installer file created with Advanced Installer. The MSI file is configured to run on systems with at least 4GB of memory and an active Internet connection.
Figure 5 BATLOADER PowerShell scripts via Advanced Installer's Custom Actions
The installer file has 5 Custom Actions (Figure 5) which use PowerShell to fetch code from Hugging Face, an American AI company whose website offers a code repository for community projects:
Figure 6 PowerShell scripts hosted on Hugging Face.
The DownGPG Custom Action uses PowerShell to retrieve and execute a second PowerShell command. This command downloads and saves two encrypted payloads (Redline and Ursnif).
Figure 7 Custom Action PowerShell command “DownGPG”
The two payloads are hosted on the Bitbucket code repository. The “Downloads” field indicates both files have been downloaded thousands of times since December 1st (how many of those downloads were real victims is not known).
Figure 8 Secondary BATLOADER payloads hosted on BitBucket.
The DownOfficial Custom Action retrieves Nsudo and WinRAR from their respective download sources and saves both to the user’s AppData directory.
Figure 9 Custom Action PowerShell command “DownOfficial”
The Stup Custom Action is similar to “DownGPG”: it retrieves an encoded PowerShell command that connects to the ads-check[.]com C2, likely to signal the start of the infection.
Figure 10 Custom Action PowerShell command “Stup"
Stup_1 sleeps, then adds .rar, .cmd, .bat, .zip and .exe to the Windows Defender file-extension exclusion list.
Figure 11 Custom Action PowerShell command “Stup_1"
Stup_2 excludes several paths and processes from Windows Defender. The process exclusion list includes the two payloads (Redline and Ursnif) and the Explorer.exe process, which is likely the code-injection target for Ursnif.
Figure 12 Custom Action PowerShell command “Stup_2"
The Custom Action Final is a PowerShell script that most closely resembles past BATLOADER scripts. It contains the function to install GPG4Win as well as encryption and decryption functions. These functions appear identical to those in past BATLOADER scripts and were likely copied from the GitHub repository.
Figure 13 Custom Action PowerShell script “Final"
The end section of this PowerShell script is noticeably different from other examples seen since September 2022. This section calls the above functions to install GnuPG to AppData, decrypts the payloads using the password ‘putingod’, and executes the two decrypted payloads with elevated privileges using Nsudo. Finally, it calls home to the ads-check[.]com C2 (likely to record the install).
Figure 14 Bottom section of PowerShell script from "Final" Custom Action.
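The Stup_1 and Stup_2 exclusions and the Final script’s gpg decryption with an inline passphrase leave distinctive text in PowerShell script block logging (Event ID 4104). As an added detection example, not code from the original post or from eSentire, the Python below scans constructed sample script blocks for those patterns; the sample lines, regexes and the sensitive-process list are assumptions modelled on the behaviour described above, not recovered BATLOADER scripts.

```python
import re

# Constructed sample PowerShell script-block text (what Event ID 4104 would record),
# modelled on the Stup_1, Stup_2 and Final custom actions. Not real captures.
SAMPLE_SCRIPT_BLOCKS = [
    "Start-Sleep -Seconds 30; Add-MpPreference -ExclusionExtension '.rar','.cmd','.bat','.zip','.exe'",
    "Add-MpPreference -ExclusionPath \"$env:APPDATA\"; Add-MpPreference -ExclusionProcess 'ZipCosdaz.exe','ZipCosdaz1.exe','explorer.exe'",
    '& "$env:APPDATA\\GnuPG\\bin\\gpg.exe" --batch --yes --passphrase putingod -o ZipCosdaz.exe -d ZipCosdaz.exe.gpg',
    "Get-ChildItem $env:APPDATA | Where-Object { $_.Length -gt 1MB }",  # benign admin activity
]

# Add-MpPreference -Exclusion<Kind> <value list>; the value list runs until ';' or end of line.
EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-Exclusion(Extension|Path|Process)\s+([^;\r\n]+)", re.I)
# gpg invoked with a passphrase on the command line plus a decrypt switch, in any argument order.
GPG_PASSPHRASE_RE = re.compile(r"\bgpg(?:\.exe)?\b.*--passphrase\s+\S+", re.I)
GPG_DECRYPT_SWITCH_RE = re.compile(r"(?:^|\s)(?:-d|--decrypt)(?:\s|$)", re.I)

# Executable/archive types a loader would unshield before dropping payloads (assumed list).
RISKY_EXTENSIONS = {".exe", ".bat", ".cmd", ".zip", ".rar", ".ps1", ".dll"}
# Processes worth alerting on when excluded; explorer.exe is the injection target named above.
SENSITIVE_PROCESSES = {"explorer.exe", "powershell.exe"}


def _split_values(raw: str) -> list[str]:
    """Turn "'.rar','.cmd'" or "\"$env:APPDATA\"" into bare lowercase values."""
    return [v.strip().strip("'\"").lower() for v in raw.split(",") if v.strip()]


def scan_script_block(text: str) -> list[str]:
    """Return finding tags for one script block; empty when nothing suspicious is seen."""
    findings = []
    for kind, raw in EXCLUSION_RE.findall(text):
        values = _split_values(raw)
        kind = kind.lower()
        if kind == "extension" and (hits := sorted(set(values) & RISKY_EXTENSIONS)):
            findings.append(f"defender-exclusion:extension:{','.join(hits)}")
        elif kind == "process":
            hits = sorted(set(values) & SENSITIVE_PROCESSES)
            findings.append(f"defender-exclusion:process:{','.join(hits) or 'other'}")
        elif kind == "path":
            findings.append(f"defender-exclusion:path:{','.join(values)}")
    if GPG_PASSPHRASE_RE.search(text) and GPG_DECRYPT_SWITCH_RE.search(text):
        findings.append("gpg-decrypt-inline-passphrase")
    return findings


def scan_script_blocks(blocks: list[str]) -> dict[int, list[str]]:
    """Map block index -> findings, keeping only blocks that triggered at least one tag."""
    return {i: f for i, b in enumerate(blocks) if (f := scan_script_block(b))}
```

Any single tag is worth a look, but the combination of extension and process exclusions followed by gpg decryption from the same host within minutes matches the chain described in this post.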
Noticeably, this version of BATLOADER is missing the various commands to customize payloads based on conditions such as whether the system is domain-joined and if the ARP table contains a certain number of private addresses (Figure 15).
This behavior was observed in past infections dating to September 2022 and was absent from the December activity.
Figure 15 PowerShell script snippet from September 2022 BATLOADER infection.
Both payloads were gpg-encrypted using the password “putingod”.
ZipCosdaz.exe (4a57cbce13def4a4d9f7bccc49a8af52) is a .NET loader that retrieves Redline Stealer from 193.56.146.114/pdfbuild.exe. Redline connects to the C2 address 193.56.146[.]114:44271.
Figure 16 Snippet from .NET Loader "ZipCosdaz.exe"
ZipCosdaz1.exe (c03be50c6fbfd3aec108a7bcd7aaea82) is a loader for Ursnif malware. It stages HTA/PowerShell commands in HKCU\Software\AppDataLow\Software\Microsoft\{GUID} and injects into the Explorer.exe process using PowerShell.
This is the isfb_v2.14+ variant, configured to connect to the following C2 addresses:
45.11.182.97
79.132.128.108
91.241.93.98
79.132.128.109
91.242.217.28
91.241.93.111
Memory strings include basic living-off-the-land discovery commands common to precursor threats. Note that this variant is not RM3/LDR4, which is suspected to be a precursor for ransomware attacks.
Figure 17 Snippet of Ursnif memory strings
| Indicator | Note |
| --- | --- |
| winrar[.]software/index-install[.]html | Fake WinRAR download for BATLOADER |
| ads-check[.]com | BATLOADER C2 |
| down[.]software | BATLOADER payload hosting |
| 04d77db9b7c18444b3bd50ee1b99c11c | BATLOADER payload “winrar-x64-611.msi” |
| huggingface[.]co/assop875/news/ | Code repo containing BATLOADER PowerShell |
| bitbucket[.]org/ganhack123/load/downloads/ZipCosdaz1.exe.gpg | Encrypted Ursnif download |
| bitbucket[.]org/ganhack123/load/downloads/ZipCosdaz.exe.gpg | Encrypted Redline download |
| 4a57cbce13def4a4d9f7bccc49a8af52 | “ZipCosdaz.exe” Redline loader |
| c03be50c6fbfd3aec108a7bcd7aaea82 | “ZipCosdaz1.exe” Ursnif loader |
| 70c8ba4cb07d29019a35a248b5647a14 | Unpacked Ursnif payload |
| 3c24d4cda44e9f3156d62986a4998bdf | Redline payload |
| 193.56.146.114/pdfbuild.exe | Redline payload hosting |
| 193.56.146.114 | Redline C2 |
| 45.11.182.97 | Ursnif C2 |
| 79.132.128.108 | Ursnif C2 |
| 91.241.93.98 | Ursnif C2 |
| 79.132.128.109 | Ursnif C2 |
| 91.242.217.28 | Ursnif C2 |
| 91.241.93.111 | Ursnif C2 |