Google search ads vector for the new BatLoader campaign

March 23, 2023

A recent campaign showed threat actors abusing Google ads to spread the BatLoader malware. Google search results have become a popular vector for malicious actors to distribute their malware strains and infect targets.

Based on reports, the campaign operators used software impersonation tactics to deliver the malware and drop additional payloads after a successful infection. The threat actors in this campaign registered new websites that impersonate various legitimate applications and brands.

The confirmed apps spoofed by the new campaign are Zoom, Adobe, Java, MS Teams, ChatGPT, Spotify, AnyDesk, and Tableau. These impersonated websites host and deploy malicious Windows installer archives that contain several custom action commands to run a batch file with admin privileges in a hidden window.

Subsequently, the batch file drops Python files protected with a tool such as PyArmor. These then run Python code containing the BatLoader payload, which retrieves commands from a remote server and deploys additional malware strains, such as Ursnif and Vidar Stealer.
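The delivery chain just described (MSI installer, custom action, batch file, bundled Python interpreter) leaves a distinctive process lineage on the endpoint, which is a more durable detection point than the spoofed domains. The following hunting helper is an added example written for this article, not code from the reporting or from any vendor; it runs over constructed process-creation events whose field names (pid, ppid, image, cmdline) are an assumption loosely modelled on Sysmon event ID 1, and the file paths and process IDs are made up for illustration. Because endpoint telemetry normally does not record whether a window was hidden, the logic keys on the parent chain rather than on the window state.

```python
"""Hunt for the msiexec -> cmd.exe (.bat) -> python.exe lineage described above.

All events below are constructed sample data, not telemetry from the campaign.
"""
from typing import Dict, List, Tuple

# Constructed process-creation events (field names are an assumption).
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 900, "ppid": 500, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    # Stage 1: a spoofed "Zoom" installer executed by the Windows Installer service
    {"pid": 4100, "ppid": 900, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\alice\Downloads\ZoomInstaller.msi"},
    # Stage 2: an MSI custom action runs a batch file via cmd.exe
    {"pid": 4212, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\setup.bat"'},
    # Stage 3: the batch file launches a bundled Python interpreter from a temp path
    {"pid": 4300, "ppid": 4212,
     "image": r"C:\Users\alice\AppData\Local\Temp\python\python.exe",
     "cmdline": r"python.exe C:\Users\alice\AppData\Local\Temp\python\main.py"},
    # Benign: an administrator running a maintenance script from a console session
    {"pid": 5000, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Scripts\cleanup.bat"'},
    # Benign: a legitimate MSI install that spawns no shell at all
    {"pid": 5100, "ppid": 900, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\alice\Downloads\archiver.msi"},
]

PYTHON_IMAGES = {"python.exe", "pythonw.exe"}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(by_pid: Dict[int, Dict], pid: int, max_depth: int = 8) -> List[Dict]:
    """Return the ancestor events of pid, nearest parent first, bounded by max_depth."""
    chain: List[Dict] = []
    cur = by_pid.get(pid)
    while cur is not None and len(chain) < max_depth:
        parent = by_pid.get(cur["ppid"])
        if parent is None or parent["pid"] == cur["pid"]:
            break
        chain.append(parent)
        cur = parent
    return chain


def hunt(events: List[Dict]) -> List[Tuple[int, str]]:
    """Flag processes matching the BatLoader-style lineage; returns (pid, rule) pairs."""
    by_pid = {e["pid"]: e for e in events}
    findings: List[Tuple[int, str]] = []
    for e in events:
        name = basename(e["image"])
        parent_names = [basename(p["image"]) for p in ancestry(by_pid, e["pid"])]

        # Rule 1: the Windows Installer service directly spawns a shell running a .bat
        if (name == "cmd.exe" and ".bat" in e["cmdline"].lower()
                and parent_names[:1] == ["msiexec.exe"]):
            findings.append((e["pid"], "msiexec_spawns_batch"))

        # Rule 2: a Python interpreter whose ancestry is cmd.exe under msiexec.exe
        if (name in PYTHON_IMAGES and "cmd.exe" in parent_names
                and "msiexec.exe" in parent_names
                and parent_names.index("cmd.exe") < parent_names.index("msiexec.exe")):
            findings.append((e["pid"], "python_under_msi_batch"))
    return findings


if __name__ == "__main__":
    for pid, rule in hunt(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Rule 1 on its own will fire on some legitimate installers that ship batch-file custom actions, so it is best treated as a low-severity lead; Rule 2, an interpreter launched from that lineage out of a user-writable directory, is the stronger signal and is the one worth alerting on.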

Researchers noticed some changes in the BatLoader malware.

The BatLoader malware campaign started last month, but researchers have noticed some alterations in its variants over a short period.

Earlier malware samples lacked the capability to establish prolonged access to enterprise networks. However, the latest variant now includes persistence mechanisms.

Furthermore, the mid-February variant’s batch file includes a third Python file, obfuscated with PyArmor, carrying similar instructions for payload retrieval, decryption, and execution.

This Python file helps its operators select payloads for domain-joined systems that have more than a couple of IP neighbours in the system’s ARP table. Researchers believe the BatLoader campaign added Cobalt Strike to its standard payloads, such as Ursnif and Vidar Stealer.

Cybersecurity experts suspect the malware is continuously updated with more convincing impersonation tactics to deceive its targets. In addition, several other threat groups have used similar impersonation techniques in their recent campaigns.

Organisations should train their employees to spot spoofed websites to counter this wave of malware delivered through impersonated applications.
