URL:
https://www.trendmicro.com/en_us/research/23/a/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javasc.html
Submission: On January 16 via api from DE — Scanned from CA
BATLOADER MALWARE ABUSES LEGITIMATE TOOLS, USES OBFUSCATED JAVASCRIPT FILES IN Q4 2022 ATTACKS

We discuss the Batloader malware campaigns we observed in the last quarter of 2022, including our analysis of Water Minyades-related events (this is the intrusion set we track behind the creation of Batloader).

By: Junestherry Dela Cruz
January 17, 2023
Read time: 10 min (2728 words)

--------------------------------------------------------------------------------

Batloader (detected by Trend Micro as Trojan.Win32.BATLOADER) is an initial access malware family that is known for using malvertising techniques and for hiding script-based malware inside Microsoft Software Installation (MSI) packages downloaded from legitimate-looking-yet-malicious websites. Earlier this year, Mandiant researchers observed Batloader using search engine optimization (SEO) poisoning techniques in its attacks. Batloader is associated with an intrusion set that we have dubbed “Water Minyades.” The actors behind Water Minyades are known for delivering other malware during the last quarter of 2022, such as Qakbot, RaccoonStealer, and Bumbleloader, via social engineering techniques.
In this blog entry, we discuss notable Batloader campaigns that we observed in the last quarter of 2022, including the abuse of custom action scripts from the Advanced Installer software and the Windows Installer XML (WiX) toolset, the use of obfuscated JavaScript files as a first-stage payload, and the use of the PyArmor tool to obfuscate Batloader Python scripts. We also shed light on noteworthy Water Minyades-related events and give a detailed look at Batloader’s technical details.

BATLOADER’S CAPABILITIES

The table below summarizes the capabilities of Batloader:

Anti-sandbox: Batloader is usually inflated to a very large size by being bundled with a legitimate installer file. This can prevent sandboxes with file size limits from properly detonating the file and observing its behavior.

Fingerprints host: Batloader fingerprints the host to determine whether it is a legitimate victim. It checks environment artifacts such as the user, the computer name, and whether the machine is domain-joined.

Communicates with C&C: Batloader is a modular malware that communicates with its command-and-control (C&C) server and has been observed to drop malware according to the characteristics of the victim host it has infected. If the victim host belongs to an enterprise environment, it is more likely to drop the remote management tool Atera and a Cobalt Strike beacon, which would then lead to ransomware deployment.

Stops security software services: Batloader executes open-source scripts that attempt to stop services related to security software, such as Windows Defender.

Escalates privileges: Batloader abuses legitimate tools like NirCmd.exe and Nsudo.exe to escalate privileges.

Evades antivirus (AV) solutions: Batloader uses different techniques to attempt to evade antivirus solutions, such as hyperinflating MSI file sizes to defeat antivirus engines that have file size limits, using noticeably short modular scripts that can be hard to detect structurally, acquiring legitimate digital signatures for the MSI files, obfuscating the scripts that connect to the Batloader C&C servers, and abusing legitimate file sharing services to host malware payloads.

Installs other components: Batloader uses a modular approach wherein the first-stage payload of the campaign is usually an MSI file bundled with custom action scripts. The other components of the campaign, including the legitimate tools it uses to escalate privileges and download other malware, are downloaded by these scripts.

Installs additional malware: Batloader has been observed to drop several malware payloads, such as Ursnif, Vidar, Bumbleloader, RedLine Stealer, ZLoader, Cobalt Strike, and SmokeLoader. It can also drop legitimate remote management tools, such as Syncro and Atera. We have also seen Batloader being a key enabler for Royal ransomware, the second-most prevalent ransomware family we have been observing recently.

Table 1. Batloader’s capabilities

EXAMINING THE WATER MINYADES INTRUSION SET

Water Minyades is known for heavily relying on defense evasion techniques, one of which is deploying payloads with very large file sizes to evade sandbox analysis and antivirus engines’ file size limits. Water Minyades also abuses legitimate tools, such as the system management tool NSudo and the email and file encryption tool Gpg4win, to elevate privileges and decrypt malicious payloads.
This intrusion set also abuses MSI files’ legitimate digital signatures, exploits vulnerabilities related to Windows’ PE Authenticode signatures to execute malicious scripts that have been appended to signed DLLs (dynamic-link libraries), and uses scripts that can be easily modified to evade scanning engines that rely on structural signature detection techniques.

Using Trend Micro™ Smart Protection Network™ (SPN) feedback data, we determined that Batloader attacks are mostly deployed in the United States, Canada, Germany, Japan, and the United Kingdom.

Country: Percentage of attacks
United States: 61
Canada: 8
Germany: 8
Japan: 4
United Kingdom: 3
Australia: 2
Brazil: 2
Netherlands: 2
Poland: 1
Singapore: 1
Others: 8

Table 2. Distribution of Batloader attacks in Q4 2022

After tracking the activities related to Water Minyades and backtracking to early 2020, we were able to determine several noteworthy events in this timeline:

H2 2020: An open-source intelligence report indicates that this was when the intrusion set became active. During this time, the group’s most dropped payload was the Smokeloader malware, and it also heavily used exploit kits such as Rig and Fallout.

Oct. 2020: The group behind the intrusion set stopped using exploit kits in favor of social engineering schemes, which meant that targets were no longer limited to Internet Explorer users. They posted malicious advertisements on porn websites to lure victims into downloading a fake Java MSI, which then led to the deployment of Zloader payloads.

Feb. 2022: The group behind Water Minyades distributed Batloader using SEO poisoning techniques to trick victims into downloading legitimate software and applications that were trojanized with malware scripts. During this time, Batloader dropped Zloader and the legitimate remote-management tool Atera onto enterprise victim machines. Batloader was also observed using the PE (portable executable) polyglotting technique, which is the process of executing signed DLL files with appended malicious scripts.

Sep. 2022: Initial Batloader infections were observed to have led to Cobalt Strike deployments and Royal ransomware infections.

Oct. 2022: Water Minyades actors abused Google Ads and the legitimate Keitaro Traffic Direction System (TDS) to redirect victims into downloading Batloader malware.

Dec. 2022: Water Minyades actors used JavaScript instead of MSI files as a first-stage payload. The group eventually obfuscated the JavaScript downloader files.

Table 3. Water Minyades’ noteworthy events from 2020 to 2022

A TECHNICAL ANALYSIS OF BATLOADER

Batloader usually arrives via malicious websites that impersonate legitimate software or applications. Victims can be redirected to these websites via malvertising techniques and via fake forum comments containing links that lead to Batloader distribution websites. Based on our investigation, we determined that Batloader impersonates a slew of legitimate software and application websites in its campaign:

* Adobe
* AnyDesk
* Audacity
* Blender
* CCleaner
* FileZilla
* Fortinet
* Foxit
* GetNotes
* Google Editor
* Grammarly
* Java
* KMSAuto
* LogmeIn
* Luminar
* Minersoft
* Putty
* Schwab
* Slack
* TeamViewer
* TradingView
* uTorrent
* WinRAR
* Zoho
* Zoom

Figure 1. Examples of malicious websites that distribute Batloader

When victims select the “Install” or “Download” option, the Batloader package is downloaded to the system as a .ZIP file.

Figure 2. The Batloader package

Figure 3. Typical Batloader kill chain

The stages below are typical Water Minyades tactics, techniques, and procedures (TTPs) but may vary slightly over time.

Arrival, stage 1: Water Minyades actors create malicious advertisements that abuse legitimate services such as Google Ads and Keitaro TDS. These malicious advertisements lead victims to malicious websites that aim to resemble the legitimate websites of popular software and applications.

Infection, stage 2: Victims are lured into installing a malicious file from the fake website. Based on recent Water Minyades activities, this can take the form of an MSI, VHD (Virtual Hard Disk), VHDX (Virtual Hard Disk v2), or JavaScript file.

Infection, stage 3: Earlier campaigns that used MSI files were observed to drop PE polyglot binaries containing malicious appended scripts. These scripts can be executed by MSHTA.exe due to a vulnerability in the PE Authenticode verification process. The MSI and VHD files usually contain a custom action script that is designed to connect to Batloader’s C&C server to download the next-stage payload.

Infection, stage 4: Water Minyades’ C&C server decides which payload to drop.

Post-infection, stage 5: Batloader can install different malware families, such as:

* Bumble Loader
* Cobalt Strike
* Qakbot
* Raccoon Stealer
* RedLine Stealer
* Smoke Loader
* System BC
* Ursnif (Bot)
* Vidar (Stealer)
* ZLoader

Based on our observations, these malware families’ payloads are typically hyperinflated in size and are encrypted. Batloader can also install the following legitimate applications to aid with other stages of the kill chain, such as privilege escalation and defense evasion:

* Nsudo: abused to run processes with elevated privileges
* Gpg4win: abused to decrypt next-stage payloads downloaded by Batloader
* NirCmd: a command-line utility tool
* PowerShell: abused to run malicious PowerShell scripts
* MsiExec.exe: abused to run MSI files with malicious custom action scripts
* Mshta.exe: abused to execute malicious code appended to PE files

Batloader also abuses legitimate remote admin tools, such as Syncro and Atera, to facilitate ransomware deployment.

Post-infection, stage 6: Second-stage malware like Ursnif, Cobalt Strike Beacon, and Bumblebee usually connect to their own C&C servers to execute follow-on activities.

Post-infection, stage 7: Follow-on activities can include the deployment of ransomware families such as Royal.

Table 4. Water Minyades attack stages

BATLOADER’S NOTABLE Q4 CAMPAIGNS

In this section, we identify the techniques observed in the different campaigns. We see from these campaigns that although the Batloader malware is predominantly script-based, this intrusion set continuously finds ways to evade detection and improve its anti-analysis techniques by utilizing legitimate tools to hide and obfuscate its scripts.

Abuse of custom action scripts of the Advanced Installer software

We have observed that some Batloader MSI packages were used to abuse a legitimate installer file via a custom action PowerShell script. Potentially, this was carried out by abusing the Advanced Installer software 30-day free trial application form.

Figure 4. Advanced Installer’s 30-day free trial form abused by Water Minyades actors

Figure 5. An example of an MSI file with a custom action PowerShell script viewed using the PE Studio tool

In Figure 6, we can see that the Batloader script was launched via the “PowerShellScriptLauncher.dll” file that was created using the Advanced Installer software.

Figure 6. Batloader script launched via “PowerShellScriptLauncher.dll”

Figure 7. Batloader kill chain using a compromised MSI package

From our tracking, this technique was used in a number of campaigns between September 2022 and December 2022.

Figure 8. Batloader C&C server activities abusing Advanced Installer software. Data taken from Trend Micro SPN.

Abuse of Windows Installer XML Toolset

Another tool that was recently abused by Water Minyades actors was the WiX toolset.

Figure 9. An example of an MSI file created using the WiX toolset viewed using the PE Studio tool

Using this toolset, malicious actors can insert a custom action script and specify when it will be executed.
In Figure 10, we can see that the custom action “checkforupdate.bat” will be executed, which in turn drops and executes additional malicious scripts contained in the “update.zip” file.

Figure 10. A custom action created using the WiX toolset

Figure 11. Snippet of code from checkforupdate.bat’s follow-on activities

We also observed a significant number of campaigns using this technique during the month of November 2022.

Figure 12. Batloader C&C server activities abusing the Windows Installer XML Toolset. Data taken from Trend Micro SPN.

Use of JavaScript files instead of MSI files in campaigns

Starting November 27, 2022, we observed that Water Minyades actors switched to using JavaScript files instead of MSI files as the initial Batloader payload. This technique uses small JavaScript files with straightforward commands, ones that are also used for non-malicious purposes. This is in direct contrast to the technique used with MSI files, wherein MSI file sizes are hyperinflated to evade scanning engines with file size limitations. From a detection point of view, this also poses a challenge because the only malicious parts of the file are the C&C URLs themselves; a structure-based detection algorithm would also flag non-malicious JavaScript files.

Figure 13. Contents of a Batloader JavaScript file named “InstallerV61.js”

This highlights the need for a multilayered security solution, one that can successfully detect malicious artifacts related to Batloader campaigns.

After a few days of analyzing this Batloader campaign, we observed that the malicious actors behind it had obfuscated the JavaScript files as an additional detection evasion measure.

Figure 14. An obfuscated Batloader JavaScript file

Figure 15. A typical execution chain for the JavaScript Batloader campaign

Based on the distribution domains used in this campaign, we believe that this campaign was launched during Black Friday:

* logmeinofferblackfriday[.]com
* anydeskofferblackfriday[.]com
* zoomofferblackfriday[.]com
* slackcloudservices[.]com

According to our telemetry, a significant number of campaigns used this technique between the end of November and the first week of December 2022.

Figure 16. Batloader C&C server activities abusing JavaScript downloaders. Data taken from Trend Micro SPN.

Use of PyArmor tool to obfuscate Batloader Python script

After the JavaScript campaigns of Batloader, we observed that since the second week of December 2022 the group has abused the Advanced Installer software again. This time the malicious file that it ultimately executes is a Python script protected with PyArmor. We found a sample MSI file (SHA256: 2e65cfebde138e4dd816d3e8b8105e796c4eb38cfa27015938c0445ee5be8331), which is a trojanized Chat Mapper installer masquerading as an Anydesk.msi installer. This installer was created using the Advanced Installer application, and one of its custom actions is to execute a file called “viewer.exe” with the command line “#InstallPython.bat”.

Figure 17. Custom action script of the latest Batloader campaign observed in Q4 2022

The file InstallPython.bat installs Python 3.9.9, copies and extracts the openssl.zip archive, and runs the PyArmor-encrypted Python script named main4.py.

Figure 18. InstallPython.bat

PyArmor is a free-with-restrictions command line tool that can be used to obfuscate Python scripts. The obfuscated Python file in this case is named main4.py:

Figure 19. Batloader PyArmor-protected Python script

Deobfuscating this script using the techniques identified by PyArmor Unpacker, we see that this script connects to the Batloader C&C updateclientssoftware[.]com.
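The following is an added example, not code from the post or from Trend Micro, illustrating the defensive side of the JavaScript downloader point made above: because the C&C URLs are the only malicious content in such a file, a detector can refang a list of known C&C domains (the two named in this post) and match them against the hostnames a script references, including URLs split across string concatenations. The JavaScript sample inside is constructed for the example and is not the real InstallerV61.js; the defanging forms handled are an assumption.

```python
"""
Added example: flag a small JavaScript downloader by matching the URLs it
references against known Batloader C&C domains stored in the defanged
"example[.]com" form. The JS sample below is constructed, not a real file.
"""
import re
from urllib.parse import urlsplit

# Two Batloader C&C domains named in the post, kept defanged as analysts
# usually store them. Refanging happens in normalise_domain().
KNOWN_C2_DOMAINS = [
    "installationupgrade6[.]com",
    "updateclientssoftware[.]com",
]

# Constructed sample of a tiny downloader: one plain URL literal, one URL
# built by concatenation (a trivial split that defeats a naive grep), and
# one benign CDN reference that must not be flagged.
SAMPLE_JS = r'''
var a = "https://installationupgrade6.com/update/check";
var b = "https://" + "updateclientssoftware" + ".com" + "/dl";
var c = "https://cdn.example.net/jquery.min.js";
'''


def normalise_domain(domain):
    """Lower-case a domain and undo the common defanging forms (assumed set)."""
    d = domain.strip().lower()
    d = d.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    return d.rstrip(".")


def join_string_concats(js):
    """Collapse "a" + "b" string concatenations so split URLs reassemble."""
    pattern = re.compile(r"""(["'])([^"'\n]*)\1\s*\+\s*(["'])([^"'\n]*)\3""")
    prev = None
    # Repeat until stable: each pass joins one adjacent pair per chain.
    while prev != js:
        prev = js
        js = pattern.sub(lambda m: '"' + m.group(2) + m.group(4) + '"', js)
    return js


def extract_hosts(js):
    """Return the set of hostnames from every http(s) URL literal in js."""
    text = join_string_concats(js)
    hosts = set()
    for url in re.findall(r'https?://[^\s"\'<>]+', text):
        host = urlsplit(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def match_known_c2(js, known=KNOWN_C2_DOMAINS):
    """Return sorted hostnames in js that equal, or are subdomains of, known C&C domains."""
    known_set = {normalise_domain(d) for d in known}
    hits = set()
    for host in extract_hosts(js):
        if host in known_set or any(host.endswith("." + k) for k in known_set):
            hits.add(host)
    return sorted(hits)


if __name__ == "__main__":
    for h in match_known_c2(SAMPLE_JS):
        print("known Batloader C&C host referenced:", h)
```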
We’ve observed this Batloader C&C server active from the second week of December until the second week of January 2023. We are continuously monitoring this campaign for any additional activities.

Figure 20. Connecting to the Batloader C&C

Batloader’s C&C activities in Q4 2022

We started observing an increase in Water Minyades activity in September 2022, which was also the time when we started seeing Batloader deploying Royal ransomware to its victims. The number of attacks peaked from November until the first week of December 2022.

Figure 21. Batloader requests to C&C domains from October to December 2022. Data taken from Trend Micro SPN.

Figure 22. Most requested Batloader C&C domains from October to December 2022. Data taken from Trend Micro SPN.

The C&C domain with the highest number of requests for Q4 2022 is “installationupgrade6[.]com.” Interestingly, this was the first C&C domain used in the Batloader campaign that relied on JavaScript droppers and Black Friday sale-related malicious distribution websites. This could mean that victims are more likely to fall for malvertising campaigns that promote sales or discounts, which highlights the massive impact social engineering lures have on the success of these malicious campaigns.

CONCLUSION

Based on our investigation, Batloader is a highly evasive and evolving malware family capable of deploying different types of malware, including loaders, bots, and ransomware. Batloader tricks victims by using different malvertising and social engineering techniques to distribute malicious payloads. Batloader is a prime example of modern, modular malware, and protecting systems against it requires not just one defensive strategy but a robust and multilayered solution that provides shared visibility from a central place.
Trend Micro Vision One™ is a technology that can provide powerful XDR capabilities that collect and automatically correlate data across multiple security layers — from email and endpoints to servers, cloud workloads, and networks. Trend Vision One can prevent attacks via automated protection, while also ensuring that no significant incidents go unnoticed.

INDICATORS OF COMPROMISE (IOCS)

URLs

* 105105105015[.]com - Batloader C&C server
* 24xpixeladvertising[.]com - Batloader C&C server
* clodtechnology[.]com - Batloader C&C server
* cloudupdatesss[.]com - Batloader C&C server
* externalchecksso[.]com - Batloader C&C server
* grammarlycheck2[.]com - Batloader C&C server
* installationsoftware1[.]com - Batloader C&C server
* installationupgrade6[.]com - Batloader C&C server
* internalcheckssso[.]com - Batloader C&C server
* t1pixel[.]com - Batloader C&C server
* updatea1[.]com - Batloader C&C server
* updateclientssoftware[.]com - Batloader C&C server
* updatecloudservice1[.]com - Batloader C&C server

SHA256 | Description | Detection
23373654d02cb7eace932609826cca4f82fcac67ca44b9328baba385acc00c67 | Batloader file (component of 2e65cfebde138e4dd816d3e8b8105e796c4eb38cfa27015938c0445ee5be8331) | Trojan.BAT.BATLOADER.A
f8f3f22425ea72fafba5453c70c299367bd144c95e61b348d1e6dda0c469e219 | Batloader file (component of 2e65cfebde138e4dd816d3e8b8105e796c4eb38cfa27015938c0445ee5be8331) | Trojan.Python.BATLOADER.A
61e0926120f49b3d5edf3a5e0842b04640911974ecbbc93b6b33ca20c1f981bc | Batloader file | Trojan.JS.BATLOADER.SMYXCLAZ
91730741d72584f96ccba99ac9387e09b17be6d64728673871858ea917543c1e | Batloader file | Trojan.JS.BATLOADER.SMYXCLAZ
aef18b7ab1710aaeb0d060127750ba9d17413035309ec74213d538fb1b1bdf79 | Batloader file | Trojan.JS.BATLOADER.SMYXCLAZ
e7735cb541e7afd50759eae860b7d1a43d627fbf5cd96d016241084e91659817 | Batloader file | Trojan.JS.BATLOADER.SMYXCLAZ
23a5981d086242349f6e3476eff11ea3244cebef3d65c76c7bc74470c1ec4b49 | Batloader file | Trojan.Win32.BATLOADER.SMYXCK3Z
3707ad9d9ea318757883ede9691e5c4e8d778c839a056f8b4a94ed47a76da2c8 | Batloader file | Trojan.Win32.BATLOADER.SMYXCK3Z
86f6af51d30159f4d2e00ed733a88dc05cc5dd846b1b2d1ba30582f6e33ac998 | Batloader file | Trojan.Win32.BATLOADER.SMYXCK3Z
b28047cda1c688c844f676e94770c08cf570f4d65fa4c5e4454ae449c2439e3f | Batloader file | Trojan.Win32.BATLOADER.SMYXCK3Z
e1dcc098a6585dbbf4df64f09f8e8508e218485e1958fe6fe04b91547e109a83 | Batloader file | Trojan.Win32.BATLOADER.SMYXCK3Z
e528cb5e7a2d04269d955ce771b7326bae929355807039f49106126b1a5ff227 | Batloader file | Trojan.Win32.FRS.VSNW1DK22/Trojan.PS1.BATLOADER.SMYXCK3Z
fcbfbc2ae4ed3e51631ecb3184004d96f0a6fd5e9de55400dedfa6b5cafc7c41 | Batloader file | Trojan.Win32.FRS.VSNW1DK22/Trojan.PS1.BATLOADER.SMYXCK3Z

Tags: Malware | Endpoints | Research | Articles, News, Reports

AUTHORS

* Junestherry Dela Cruz, Threats Analyst
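The IOC list above and the Black Friday lure domains named earlier in this write-up are most useful when they are matched automatically against what a network actually resolves and what lands on disk. The following is an added example for this write-up, not Trend Micro's code: it refangs the listed domains, matches DNS queries against them (including subdomains), looks up file hashes against the SHA256 table, and, as a constructed heuristic that goes beyond the exact list, flags domains that fuse a remote-access or collaboration brand with a promotion keyword the way the lure domains did. The DNS log lines, the brand list, the promo keyword list and the `.example` domain are constructed assumptions.

```python
"""Match file hashes and DNS observations against the IOCs listed above, and
flag domain names shaped like the Black Friday lures used in this campaign.

Added example (not Trend Micro's code). The domains and SHA256 values are copied
from the page; the DNS log lines, brand list and promo keywords are constructed
assumptions for illustration.
"""
import hashlib
import re
from typing import Dict, List, Optional

CNC_DOMAINS_DEFANGED = [
    "105105105015[.]com", "24xpixeladvertising[.]com", "clodtechnology[.]com",
    "cloudupdatesss[.]com", "externalchecksso[.]com", "grammarlycheck2[.]com",
    "installationsoftware1[.]com", "installationupgrade6[.]com",
    "internalcheckssso[.]com", "t1pixel[.]com", "updatea1[.]com",
    "updateclientssoftware[.]com", "updatecloudservice1[.]com",
]
LURE_DOMAINS_DEFANGED = [
    "logmeinofferblackfriday[.]com", "anydeskofferblackfriday[.]com",
    "zoomofferblackfriday[.]com", "slackcloudservices[.]com",
]

SHA256_IOCS: Dict[str, str] = {  # sha256 -> detection name from the IOC table
    "2e65cfebde138e4dd816d3e8b8105e796c4eb38cfa27015938c0445ee5be8331": "trojanized Anydesk.msi (Chat Mapper installer)",
    "23373654d02cb7eace932609826cca4f82fcac67ca44b9328baba385acc00c67": "Trojan.BAT.BATLOADER.A",
    "f8f3f22425ea72fafba5453c70c299367bd144c95e61b348d1e6dda0c469e219": "Trojan.Python.BATLOADER.A",
    "61e0926120f49b3d5edf3a5e0842b04640911974ecbbc93b6b33ca20c1f981bc": "Trojan.JS.BATLOADER.SMYXCLAZ",
    "91730741d72584f96ccba99ac9387e09b17be6d64728673871858ea917543c1e": "Trojan.JS.BATLOADER.SMYXCLAZ",
    "aef18b7ab1710aaeb0d060127750ba9d17413035309ec74213d538fb1b1bdf79": "Trojan.JS.BATLOADER.SMYXCLAZ",
    "e7735cb541e7afd50759eae860b7d1a43d627fbf5cd96d016241084e91659817": "Trojan.JS.BATLOADER.SMYXCLAZ",
    "23a5981d086242349f6e3476eff11ea3244cebef3d65c76c7bc74470c1ec4b49": "Trojan.Win32.BATLOADER.SMYXCK3Z",
    "3707ad9d9ea318757883ede9691e5c4e8d778c839a056f8b4a94ed47a76da2c8": "Trojan.Win32.BATLOADER.SMYXCK3Z",
    "86f6af51d30159f4d2e00ed733a88dc05cc5dd846b1b2d1ba30582f6e33ac998": "Trojan.Win32.BATLOADER.SMYXCK3Z",
    "b28047cda1c688c844f676e94770c08cf570f4d65fa4c5e4454ae449c2439e3f": "Trojan.Win32.BATLOADER.SMYXCK3Z",
    "e1dcc098a6585dbbf4df64f09f8e8508e218485e1958fe6fe04b91547e109a83": "Trojan.Win32.BATLOADER.SMYXCK3Z",
    "e528cb5e7a2d04269d955ce771b7326bae929355807039f49106126b1a5ff227": "Trojan.Win32.FRS.VSNW1DK22/Trojan.PS1.BATLOADER.SMYXCK3Z",
    "fcbfbc2ae4ed3e51631ecb3184004d96f0a6fd5e9de55400dedfa6b5cafc7c41": "Trojan.Win32.FRS.VSNW1DK22/Trojan.PS1.BATLOADER.SMYXCK3Z",
}


def refang(domain: str) -> str:
    """Turn the report's defanged form (example[.]com) back into a real name."""
    return domain.replace("[.]", ".").lower().rstrip(".")


KNOWN_DOMAINS = {refang(d) for d in CNC_DOMAINS_DEFANGED + LURE_DOMAINS_DEFANGED}


def match_domain(qname: str) -> Optional[str]:
    """Return the IOC domain that qname equals or is a subdomain of, else None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in KNOWN_DOMAINS:
            return candidate
    return None


# Constructed heuristic for the lure shape seen in the campaign: a brand name
# fused with a promotion keyword inside the registrable label.
BRANDS = ("logmein", "anydesk", "zoom", "slack")
PROMO_WORDS = ("offer", "blackfriday", "sale", "discount", "deal")


def looks_like_promo_lure(qname: str) -> bool:
    labels = qname.lower().rstrip(".").split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    return any(b in label for b in BRANDS) and any(p in label for p in PROMO_WORDS)


def match_hash(hexdigest: str) -> Optional[str]:
    """Look a SHA256 hex digest up in the IOC table (case-insensitive)."""
    return SHA256_IOCS.get(hexdigest.strip().lower())


def hash_file(path: str) -> str:
    """SHA256 of a file, streamed so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


# Constructed log shape: "<timestamp> <client> query <name>".
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)$")


def scan_dns_log(lines: List[str]) -> List[dict]:
    """Report queries that hit an IOC domain or match the promo-lure heuristic."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue
        ioc = match_domain(m["qname"])
        lure = looks_like_promo_lure(m["qname"])
        if ioc or lure:
            hits.append({"ts": m["ts"], "client": m["client"], "qname": m["qname"],
                         "ioc": ioc, "lure_pattern": lure})
    return hits


SAMPLE_DNS_LOG = [  # constructed; .example is a reserved placeholder TLD
    "2022-12-01T10:02:11Z 10.0.0.15 query installationupgrade6.com",
    "2022-12-01T10:02:30Z 10.0.0.15 query www.example.com",
    "2022-12-01T10:03:02Z 10.0.0.22 query cdn.updateclientssoftware.com",
    "2022-12-01T10:04:45Z 10.0.0.31 query zoomofferdiscount.example",
]
```

Run `scan_dns_log(SAMPLE_DNS_LOG)` to see the two exact IOC hits and the heuristic-only hit side by side; the `lure_pattern` flag is deliberately kept separate from `ioc` so that an analyst can treat list matches as high confidence and heuristic matches as leads to verify, and `hash_file` plus `match_hash` give the same lookup for files pulled from a suspect host.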