Blog — Dec 28, 2022

TRU Positives: Weekly investigation summaries and recommendations from eSentire's Threat Response Unit (TRU)

Recent BATLOADER Activity Observed in December 2022


Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

What did we find?

Common BATLOADER/DEV-0569 traits include:

This blog will focus on a recent activity cluster identified in mid-December 2022.

Recent BATLOADER Activity

On December 16th, 2022, eSentire’s Security Operations Center responded to several BATLOADER infections impacting customers in the financial services and higher education sectors.

In both cases, BATLOADER was distributed via a lookalike website for WinRAR:

Figure 1 BATLOADER WinRAR lookalike page.

The download link leads to ads-check[.]com, which serves a 302 redirect to down[.]software. The latter responds with an MSI payload masquerading as the WinRAR installer. ads-check[.]com is used at multiple stages of BATLOADER’s infection chain to track infection sources and progress. The site exposes a Russian-language login panel:

Figure 2 Ads-check[.]com’s Russian-language admin panel.

The second website in the payload delivery chain, down[.]software, contains JavaScript logic that displays a greeting in either English or Russian depending on the user’s browser language preferences.

Figure 3 down[.]software JavaScript

According to available data on VirusTotal, the site has been active since late November 2022 and has delivered payloads impersonating WinRAR, Awesome Miner, uTorrent and LightShot.

Figure 4 VirusTotal records for down[.]software.

The initial payload (winrar-x64-611.msi) is a Microsoft Software Installer file created with Advanced Installer. The MSI file is configured to run on systems with at least 4GB of memory and an active Internet connection.

Figure 5 BATLOADER PowerShell scripts via Advanced Installer's Custom Actions

The installer has 5 Custom Actions (shown above), each of which uses PowerShell to fetch code from Hugging Face, an American AI company whose website hosts a code repository for community projects:

Figure 6 PowerShell scripts hosted on Hugging Face.

The DownGPG Custom Action uses PowerShell to retrieve and execute a second PowerShell command. This command downloads and saves two encrypted payloads (Redline and Ursnif).

Figure 7 Custom Action PowerShell command “DownGPG”

The two payloads are hosted on Bitbucket. The “Downloads” counter indicates both files have been downloaded thousands of times since December 1st (how many of those downloads were real victims is not known).

Figure 8 Secondary BATLOADER payloads hosted on BitBucket.

The DownOfficial Custom Action retrieves Nsudo and WinRAR from their respective download sources and saves both to the user’s AppData directory.

Figure 9 Custom Action PowerShell command “DownOfficial”

The Stup Custom Action is similar to DownGPG: it retrieves an encoded PowerShell command that connects to the ads-check[.]com C2, likely to signal the start of the infection.

Figure 10 Custom Action PowerShell command “Stup”

Stup_1 sleeps, then adds .rar, .cmd, .bat, .zip and .exe to the Windows Defender file-extension exclusion list.

Figure 11 Custom Action PowerShell command “Stup_1”

Stup_2 excludes several paths and processes from Windows Defender. The process exclusion list includes the two payloads (Redline and Ursnif) and the Explorer.exe process, which is likely the code-injection target for Ursnif.

Figure 12 Custom Action PowerShell command “Stup_2”
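An added example, not part of the original post and not eSentire’s code, of how a defender might surface the Stup_1/Stup_2 behaviour from PowerShell script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log). It assumes the exclusions are added with Add-MpPreference, the standard cmdlet for changing Defender preferences; the host names, user names and the exact command text in the sample events are constructed, since the blog’s screenshots are not reproduced here. The two benign events show that an ordinary build-server exclusion or a read-only query does not alert.

```python
import re

# Constructed sample of PowerShell script block log entries (Event ID 4104),
# reduced to the fields used here. Assumption: the installer's Custom Actions
# add exclusions with Add-MpPreference; the command text is illustrative.
SAMPLE_EVENTS = [
    {"id": 4104, "host": "WS-01", "user": "jdoe",
     "script": "Start-Sleep -Seconds 60; Add-MpPreference -ExclusionExtension '.rar','.cmd','.bat','.zip','.exe'"},
    {"id": 4104, "host": "WS-01", "user": "jdoe",
     "script": "Add-MpPreference -ExclusionPath \"$env:APPDATA\"; "
               "Add-MpPreference -ExclusionProcess 'ZipCosdaz.exe','ZipCosdaz1.exe','Explorer.exe'"},
    # Benign: a build server excluding its own workspace directory.
    {"id": 4104, "host": "BUILD-02", "user": "builder",
     "script": "Add-MpPreference -ExclusionPath 'C:\\BuildAgent\\work'"},
    # Benign: reading preferences, no change.
    {"id": 4104, "host": "WS-03", "user": "svc",
     "script": "Get-MpPreference | Select-Object ExclusionPath"},
]

# One Add-MpPreference call and its argument list, up to the next ';' or '|'.
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-(ExclusionExtension|ExclusionPath|ExclusionProcess)\s+([^;|\n]+)",
    re.IGNORECASE)

# What Stup_1 and Stup_2 are described as excluding, plus the paths a loader
# dropped into a user profile would need excluded.
RISKY_EXTENSIONS = {".rar", ".cmd", ".bat", ".zip", ".exe"}
OS_PROCESSES = {"explorer.exe"}   # excluding a core OS process suggests an injection target
USER_WRITABLE = ("appdata", "\\temp", "\\users\\public")


def parse_exclusions(script):
    """Return [(kind, value), ...] for every exclusion an Add-MpPreference call adds."""
    found = []
    for kind, args in EXCLUSION_RE.findall(script):
        for raw in args.split(","):
            value = raw.strip().strip("'\"")
            if value:
                found.append((kind, value))
    return found


def score_event(event):
    """Return (exclusions, reasons); an empty reasons list means nothing suspicious."""
    exclusions = parse_exclusions(event["script"])
    by_kind = {}
    for kind, value in exclusions:
        by_kind.setdefault(kind.lower(), []).append(value)
    reasons = []
    exts = {v.lower() for v in by_kind.get("exclusionextension", [])} & RISKY_EXTENSIONS
    if exts:
        reasons.append("executable/archive extensions excluded: " + ", ".join(sorted(exts)))
    procs = {v.lower() for v in by_kind.get("exclusionprocess", [])} & OS_PROCESSES
    if procs:
        reasons.append("OS process excluded: " + ", ".join(sorted(procs)))
    for path in by_kind.get("exclusionpath", []):
        if any(marker in path.lower() for marker in USER_WRITABLE):
            reasons.append("user-writable path excluded: " + path)
    return exclusions, reasons


def triage(events):
    """Run score_event over 4104 events; one alert per event that has findings."""
    alerts = []
    for event in events:
        if event["id"] != 4104:
            continue
        exclusions, reasons = score_event(event)
        if reasons:
            alerts.append({"host": event["host"], "user": event["user"],
                           "exclusions": exclusions, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["host"], alert["user"], "|", "; ".join(alert["reasons"]))
```

Script block logging must be enabled for 4104 events to exist; the same logic applies to Defender’s own Event ID 5007 configuration-change records if those are collected instead.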

The Final Custom Action is a PowerShell script that most closely resembles past BATLOADER scripts. It contains the function that installs GPG4Win as well as the encryption and decryption functions. These functions appear identical to those in past BATLOADER scripts and were likely copied from the GitHub repository.

Figure 13 Custom Action PowerShell script “Final”

The closing section of this script is noticeably different from other examples seen since September 2022. It calls the functions above to install GnuPG to AppData, decrypts the payloads with the password ‘putingod’, and executes the two decrypted payloads with elevated privileges via Nsudo. Finally, it calls home to the ads-check[.]com C2 (likely to record the install).

Figure 14 Bottom section of PowerShell script from "Final" Custom Action.

Notably, this version of BATLOADER lacks the commands that customize the payload based on conditions such as whether the system is domain-joined and whether the ARP table contains a certain number of private addresses (Figure 15).

That behavior was observed in past infections dating back to September 2022 and was absent from the December activity.

Figure 15 PowerShell script snippet from September 2022 BATLOADER infection.

Decrypted Payloads

Both payloads were gpg-encrypted using the password “putingod”.

ZipCosdaz.exe (4a57cbce13def4a4d9f7bccc49a8af52) is a .NET loader that retrieves Redline Stealer from 193.56.146.114/pdfbuild.exe. Redline connects to C2 Address 193.56.146[.]114:44271.

Figure 16 Snippet from .NET Loader "ZipCosdaz.exe"

ZipCosdaz1.exe (c03be50c6fbfd3aec108a7bcd7aaea82) is a loader for the Ursnif malware. It stages HTA/PowerShell commands in HKCU\Software\AppDataLow\Software\Microsoft\{GUID} and injects into the Explorer.exe process using PowerShell.

This is the isfb_v2.14+ variant, configured to connect to the following C2 addresses:

45.11.182.97
79.132.128.108
91.241.93.98
79.132.128.109
91.242.217.28
91.241.93.111

Memory strings include basic living-off-the-land discovery commands commonly seen with precursor threats. Note that this variant is not RM3/LDR4, which is suspected to be a precursor to ransomware attacks.

Figure 17 Snippet of Ursnif memory strings
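The registry staging described for ZipCosdaz1.exe is a good candidate for a Sysmon-based detection. The following Python is an added example, not from the original post or from eSentire, that runs over constructed Sysmon Event ID 13 (value-set) records: it flags writes under a GUID-named key directly beneath AppDataLow\Software\Microsoft, marks values that contain script content, and groups writers per key so that a loader and Explorer.exe touching the same key (the injection pattern described above) stand out. The SID, GUID, file paths and value contents are made up; Sysmon records the user hive as HKU\<SID>, so the pattern accepts both that form and the HKCU spelling used in the text.

```python
import re
from collections import defaultdict

# Constructed Sysmon Event ID 13 (RegistryEvent, value set) records, reduced
# to the fields used here. SID and GUID are invented.
SAMPLE_SYSMON = [
    {"EventID": 13, "Image": "C:\\Users\\jdoe\\AppData\\Roaming\\ZipCosdaz1.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\AppDataLow\\Software\\Microsoft\\"
                     "{D1C3A9F0-5B2E-4C7A-8E1F-0A2B3C4D5E6F}\\Cmd",
     "Details": "<script language=\"jscript\">/* constructed placeholder */</script>"},
    {"EventID": 13, "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKCU\\Software\\AppDataLow\\Software\\Microsoft\\"
                     "{D1C3A9F0-5B2E-4C7A-8E1F-0A2B3C4D5E6F}\\Data",
     "Details": "Binary Data"},
    # Benign: Internet Explorer legitimately uses AppDataLow, under a named subkey rather than a GUID.
    {"EventID": 13, "Image": "C:\\Program Files\\Internet Explorer\\iexplore.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\AppDataLow\\Software\\Microsoft\\"
                     "Internet Explorer\\DOMStorage\\example",
     "Details": "1"},
    # Key creation (Event ID 12), not a value write: ignored by this rule.
    {"EventID": 12, "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKCU\\Software\\AppDataLow\\Software\\Microsoft\\{D1C3A9F0-5B2E-4C7A-8E1F-0A2B3C4D5E6F}",
     "Details": ""},
]

GUID = r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}"
STAGING_RE = re.compile(
    r"^(?:HKCU|HKU\\S-1-5-21-[\d-]+)\\Software\\AppDataLow\\Software\\Microsoft\\"
    r"(?P<guid>" + GUID + r")(?:\\(?P<value>[^\\]+))?$",
    re.IGNORECASE)

# Markers that indicate script content rather than opaque binary data.
SCRIPT_MARKERS = ("<script", "powershell", "mshta", "iex(", "activexobject")


def detect_staging(events):
    """One alert per value-set event under a GUID key beneath AppDataLow\\Software\\Microsoft."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        m = STAGING_RE.match(ev["TargetObject"])
        if not m:
            continue
        details = ev.get("Details", "").lower()
        script_like = any(marker in details for marker in SCRIPT_MARKERS)
        alerts.append({"guid": m["guid"].upper(), "value": m["value"], "image": ev["Image"],
                       "script_like": script_like,
                       "severity": "high" if script_like else "medium"})
    return alerts


def writers_per_key(alerts):
    """Group alerting writes by GUID key and return the set of writing process names per key."""
    groups = defaultdict(set)
    for a in alerts:
        groups[a["guid"]].add(a["image"].rsplit("\\", 1)[-1].lower())
    return dict(groups)


if __name__ == "__main__":
    found = detect_staging(SAMPLE_SYSMON)
    for a in found:
        print(a["severity"], a["image"], "->", a["guid"], a["value"])
    print(writers_per_key(found))
```

A key written by both a binary in the user profile and explorer.exe is the correlation worth alerting on; a single medium-severity write from explorer.exe alone is weaker evidence and is better used as a pivot.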

How did we find it?

What did we do?

What can you learn from this TRU Positive?

Recommendations from our Threat Response Unit (TRU):

Indicator | Note
winrar[.]software/index-install[.]html | Fake WinRAR download for BATLOADER
ads-check[.]com | BATLOADER C2
down[.]software | BATLOADER Payload Hosting
04d77db9b7c18444b3bd50ee1b99c11c | BATLOADER Payload “winrar-x64-611.msi”
huggingface[.]co/assop875/news/ | Code repo containing BATLOADER PowerShell
bitbucket[.]org/ganhack123/load/downloads/ZipCosdaz1.exe.gpg | Encrypted Ursnif Download
bitbucket[.]org/ganhack123/load/downloads/ZipCosdaz.exe.gpg | Encrypted Redline Download
4a57cbce13def4a4d9f7bccc49a8af52 | “ZipCosdaz.exe” Redline
c03be50c6fbfd3aec108a7bcd7aaea82 | “ZipCosdaz1.exe” Ursnif
70c8ba4cb07d29019a35a248b5647a14 | Unpacked Ursnif Payload
3c24d4cda44e9f3156d62986a4998bdf | Redline Payload
193.56.146.114/pdfbuild.exe | Redline Payload Hosting
193.56.146.114 | Redline C2
45.11.182.97 | Ursnif C2
79.132.128.108 | Ursnif C2
91.241.93.98 | Ursnif C2
79.132.128.109 | Ursnif C2
91.242.217.28 | Ursnif C2
91.241.93.111 | Ursnif C2
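As an added example (not from the original post or from eSentire), the following Python refangs a subset of the indicators above and matches them against constructed proxy log lines and a constructed file-hash inventory. It distinguishes hash, host and host+path indicators, so a URL indicator such as the Bitbucket download path matches only that path while a host indicator such as down[.]software matches any URL on that host or a subdomain of it; IPs match exactly. The log format, client IP, timestamps and the benign entries are made up.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the table above, kept in the defanged form printed there.
IOC_ROWS = [
    ("winrar[.]software/index-install[.]html", "Fake WinRAR download for BATLOADER"),
    ("ads-check[.]com", "BATLOADER C2"),
    ("down[.]software", "BATLOADER Payload Hosting"),
    ("04d77db9b7c18444b3bd50ee1b99c11c", "BATLOADER Payload winrar-x64-611.msi"),
    ("huggingface[.]co/assop875/news/", "Code repo containing BATLOADER PowerShell"),
    ("bitbucket[.]org/ganhack123/load/downloads/ZipCosdaz1.exe.gpg", "Encrypted Ursnif Download"),
    ("bitbucket[.]org/ganhack123/load/downloads/ZipCosdaz.exe.gpg", "Encrypted Redline Download"),
    ("4a57cbce13def4a4d9f7bccc49a8af52", "ZipCosdaz.exe Redline"),
    ("c03be50c6fbfd3aec108a7bcd7aaea82", "ZipCosdaz1.exe Ursnif"),
    ("193.56.146.114/pdfbuild.exe", "Redline Payload Hosting"),
    ("193.56.146.114", "Redline C2"),
    ("45.11.182.97", "Ursnif C2"),
]

# Constructed proxy log lines: "<timestamp> <client> <method> <url> <status>".
SAMPLE_PROXY = [
    "2022-12-16T14:02:11Z 10.0.0.12 GET http://winrar.software/index-install.html 200",
    "2022-12-16T14:02:15Z 10.0.0.12 GET http://ads-check.com/track?id=1 302",
    "2022-12-16T14:02:16Z 10.0.0.12 GET https://down.software/winrar-x64-611.msi 200",
    "2022-12-16T14:05:40Z 10.0.0.12 GET https://bitbucket.org/ganhack123/load/downloads/ZipCosdaz1.exe.gpg 200",
    "2022-12-16T14:06:02Z 10.0.0.12 GET http://193.56.146.114/pdfbuild.exe 200",
    "2022-12-16T14:06:30Z 10.0.0.12 GET https://www.example.test/download 200",
    "2022-12-16T14:07:05Z 10.0.0.12 GET https://cdn.down.software/check 200",
]
# Constructed file inventory: path -> MD5 as a tool might report it (mixed case).
SAMPLE_HASHES = {
    "C:\\Users\\jdoe\\Downloads\\winrar-x64-611.msi": "04D77DB9B7C18444B3BD50EE1B99C11C",
    "C:\\Users\\jdoe\\Downloads\\notes.txt": "00000000000000000000000000000000",
}

MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
PROXY_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def refang(ioc):
    """Undo the defanging used in the table so the value can be compared with real log data."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def classify(ioc):
    """Sort an indicator into an MD5 hash, a bare host/IP, or a host+path URL fragment."""
    value = re.sub(r"^https?://", "", refang(ioc).lower()).rstrip("/")
    if MD5_RE.match(value):
        return "md5", value
    if "/" in value:
        return "url", value
    return "host", value


def build_index(rows):
    index = {"md5": {}, "host": {}, "url": {}}
    for ioc, note in rows:
        kind, value = classify(ioc)
        index[kind][value] = note
    return index


def match_url(index, url):
    """(indicator, note) pairs: URL indicators equal to or prefixing host+path, then host/parent-domain indicators."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    host_path = (host + parts.path).lower().rstrip("/")
    hits = [(pat, note) for pat, note in index["url"].items()
            if host_path == pat or host_path.startswith(pat + "/")]
    labels = host.split(".")
    # IPs match exactly; names also match a parent domain (cdn.down.software -> down.software).
    candidates = [host] if IPV4_RE.match(host) else [".".join(labels[i:]) for i in range(len(labels) - 1)]
    for cand in candidates:
        if cand in index["host"]:
            hits.append((cand, index["host"][cand]))
            break
    return hits


def scan_proxy(index, lines):
    """(client, url, hits) for each well-formed line that matches at least one indicator."""
    results = []
    for line in lines:
        m = PROXY_RE.match(line)
        if m:
            hits = match_url(index, m["url"])
            if hits:
                results.append((m["src"], m["url"], hits))
    return results


def scan_hashes(index, inventory):
    """(path, note) for files whose MD5 appears among the hash indicators."""
    return [(path, index["md5"][h.lower()]) for path, h in inventory.items() if h.lower() in index["md5"]]


if __name__ == "__main__":
    idx = build_index(IOC_ROWS)
    for client, url, hits in scan_proxy(idx, SAMPLE_PROXY):
        print(client, url, "->", "; ".join(note for _, note in hits))
    for path, note in scan_hashes(idx, SAMPLE_HASHES):
        print(path, "->", note)
```

Host indicators for shared platforms (Hugging Face, Bitbucket) are deliberately kept as host+path entries so that ordinary traffic to those sites does not alert; only the specific repository paths from the table do.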


eSentire’s Threat Response Unit (TRU) is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.

If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.

Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.

eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our Atlas XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.