Dangerous BatLoader Malware Dropper

upnorth

upnorth

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
Content source
https://www.darkreading.com/attacks-breaches/researchers-alarm-batloader-malware-dropper
Researchers at VMware Carbon Black are tracking the threat, dubbed BatLoader, and say its operators are using the dropper to distribute a variety of malware tools including a banking Trojan, an information stealer, and the Cobalt Strike post-exploit toolkit on victim systems. The threat actor's tactic has been to host the malware on compromised websites and lure users to those sites using search engine optimization (SEO) poisoning methods.
Click to expand...
BatLoader relies heavily on batch and PowerShell scripts to gain an initial foothold on a victim machine and to download other malware onto it. This has made the campaign hard to detect and block, especially in the early stages, analysts from VMware Carbon Black's managed detection and response (MDR) team said in a report released on Nov. 14.

VMware said its Carbon Black MDR team had observed 43 successful infections in the last 90 days, in addition to numerous other unsuccessful attempts where a victim downloaded the initial infection file but did not execute it. Nine of the victims were organizations in the business services sector, seven were financial services companies, and five were in manufacturing. Other victims included organizations in the education, retail, IT, and healthcare sectors.

On Nov. 9, eSentire said its threat-hunting team had observed BatLoader's operator luring victims to websites masquerading as download pages for popular business software such as LogMeIn, Zoom, TeamViewer, and AnyDesk. The threat actor distributed links to these websites via ads that showed up prominently in search engine results when users searched for any of these software products.
Click to expand...
Researchers Sound Alarm on Dangerous BatLoader Malware Dropper
 
  • Like
  • +Reputation
  • Thanks
Reactions: Trident, [correlate], Mercenary and 10 others
silversurfer

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,148
The malware downloader known as BATLOADER has been observed abusing Google Ads to deliver secondary payloads like Vidar Stealer and Ursnif.

According to cybersecurity company eSentire, the malicious ads are used to spoof a wide range of legitimate apps and services such as Adobe, OpenAPI's ChatGPT, Spotify, Tableau, and Zoom.
Click to expand...
thehackernews.com

BATLOADER Malware Uses Google Ads to Deliver Vidar Stealer and Ursnif Payloads

Malware downloader BATLOADER has been found abusing Google Ads to deliver secondary payloads like Vidar Stealer and Ursnif.
thehackernews.com thehackernews.com

www.esentire.com

BatLoader Continues to Abuse Google Search Ads to Deliver Vidar…

Learn more about the BatLoader malware, how we detected the attack, and recommendations from our Threat Response Unit (TRU) to protect your business from this cyber threat.
www.esentire.com www.esentire.com
 
  • Like
  • +Reputation
Reactions: Trident, [correlate], vtqhtr413 and 3 others
silversurfer

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,148
Malicious Google Search ads for generative AI services like OpenAI ChatGPT and Midjourney are being used to direct users to sketchy websites as part of a BATLOADER campaign designed to deliver RedLine Stealer malware.

"Both AI services are extremely popular but lack first-party standalone apps (i.e., users interface with ChatGPT via their web interface while Midjourney uses Discord)," eSentire said in an analysis."This vacuum has been exploited by threat actors looking to drive AI app-seekers to imposter web pages promoting fake apps."
Click to expand...
thehackernews.com

Searching for AI Tools? Watch Out for Rogue Sites Distributing RedLine Malware

Hackers are using Google Search ads to trick AI tool seekers into downloading malware.
thehackernews.com thehackernews.com

www.esentire.com

FakeBat Impersonates Midjourney, ChatGPT in Drive-by Cyberattacks

Learn more about how threat actors are exploiting ChatGPT and Midjourney to deliver the FakeBat malware using Google Search Ads and get security recommendations from our Threat Response Unit (TRU) to protect your business from this cyber threat.
www.esentire.com www.esentire.com
 
  • Like
  • +Reputation
Reactions: Nevi, piquiteco, oldschool and 6 others
oldschool

oldschool

Level 82
Verified
Top Poster
Well-known
Mar 29, 2018
7,100
silversurfer said:
thehackernews.com

Searching for AI Tools? Watch Out for Rogue Sites Distributing RedLine Malware

Hackers are using Google Search ads to trick AI tool seekers into downloading malware.
thehackernews.com thehackernews.com

www.esentire.com

FakeBat Impersonates Midjourney, ChatGPT in Drive-by Cyberattacks

Learn more about how threat actors are exploiting ChatGPT and Midjourney to deliver the FakeBat malware using Google Search Ads and get security recommendations from our Threat Response Unit (TRU) to protect your business from this cyber threat.
www.esentire.com www.esentire.com
Click to expand...
This is definitely choice:
Once the installation is complete, the binary makes use of Microsoft Edge WebView2 to load chat.openai[.]com or www.midjourney[.]com – the legitimate ChatGPT and Midjourney URLs – in a pop-up window so as to not raise any red flags.
Click to expand...
At least Edge is good at something. :LOL::LOL::LOL:
 
  • Like
  • +Reputation
  • HaHa
Reactions: Nevi, upnorth, piquiteco and 2 others
You must log in or register to reply here.

Similar threads

[correlate]
    • Like
    • +Reputation
    • Applause
Deep Instinct uncovers new JavaScript-based malware dropper
Replies
0
Views
1,070
News Archive
[correlate]
[correlate]
silversurfer
    • Like
    • +Reputation
DarkGate Operator Uses Skype, Teams Messages to Distribute Malware
Replies
0
Views
1,199
News Archive
silversurfer
silversurfer
silversurfer
    • +Reputation
    • Like
When LockBit Ransomware Fails, Attackers Deploy Brand-New '3AM' Ransomware
Replies
0
Views
1,221
News Archive
silversurfer
silversurfer

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top