Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label BatLoader. Show all posts

Understand BatLoader Malware and its Working


The BatLoader follows the common practice that all cybercriminals use to target victims and get maximum output. They prefer to target large organizations, companies, or firms instead of targeting individuals, as the profit of payoff from these firm attacks is huge than targeting potential individuals.

The researchers at VMware Carbon Black stated in their research that the operators of BatLoader are using a dropper to spread a variety of malware tools, along with a banking Trojan, an information stealer, and the Cobalt Strike post-exploit toolkit on the target’s system. 

The researchers at VMware also stated that “the threat actors utilize search engine optimization (SEO) poisoning to lure users to downloading the malware from compromised websites.” 

The research highlighted the similarity of BatLoader with Conti ransomware. The team at VMware found that some attributes in BatLoader's attack chain were similar to past incidents in Conti ransomware. 

Mandiant, a subsidiary of Google, has also pointed out the similarities in the techniques employed by BatLoader and Conti. However, the team at VMware clearly stated that there is no link to Conti in the origin of the BatLoader. 

The carbon Black MDR team of VMware has disclosed that there have been 43 successful attacks by BatLoader in the past 90 days. There were some unsuccessful cases also in which the threat operators successfully delivered the initial harm, but the victim did not use it, nullifying the harm. In a further report, the team mentioned the number of affected organizations and their sectors. They targeted five companies in the manufacturing industry, seven in financial services, and nine in business services. There were numerous cases of attempts in the education, IT, healthcare, and retail sector. 

BatLoader’s process of infecting the target’s system 

The process of infecting the target’s system by BatLoader includes incorporation inside Windows MSI installers for software like TeamViewer, LogMeIn, and Anydesk. 

After that, the criminals purchase the adverts to direct the victims to the replica websites like logmein-cloud.com. These purchased adverts pop up on the top of the page where users search for that software like Zoom, Anydesk, etc. 

Later, when the victims follow the adverts, download the software, and execute it, their system gets opened up for the threat actors. 

BatLoader has advanced capabilities, especially for harming businesses, as it is half-automated. It is controlled by a person or group of people in place of additional code. BatLoader operates by the “Living off the land” command to distribute more malware. 

“Living off the Land” attack denotes if the malicious actors have complete control of your system, they can utilize the pre-existing software like Windows PowerShell and scripting tools in your system to administer the system by directing commands without installing any other malware. 

The researchers concluded BatLoader is more dangerous because, after the installation and execution of links that include BatLoader, it will also download and install the banking malware and information. Along with it, the BatLoader can find if it has other linked networks, and it will install remote monitoring and management malware to target all connected systems. 

Even after updates in technology in cyber security, BatLoader and similar threats pose a clear need for more tools and knowledge to detect the source and block the spread of such threats. Considering the regular emergence of new threat vectors, the dynamic of threats is changing, and the demand for updated ways of fighting against these cyberattacks, opting for an online course for gaining cybersecurity knowledge is also an innovative decision to decrease the chances of facing losses due to cyber-attacks.