"Researchers Sound Alarm on Dangerous BatLoader Malware Dropper"

A dangerous new malware loader called BatLoader, which profiles the host to determine whether it is a business system or a personal computer, has begun rapidly infecting systems worldwide. VMware Carbon Black researchers are tracking the threat and have found that its operators use the dropper to deliver various malware tools to victim systems, including a banking Trojan, an information stealer, and the Cobalt Strike post-exploitation toolkit. The threat actor's strategy has been to host the malware on compromised websites and to use Search Engine Optimization (SEO) poisoning to lure users to those sites. BatLoader relies heavily on batch and PowerShell scripts to gain an initial foothold on a victim machine and download additional malware, which makes the campaign difficult to detect and block, particularly in its early stages.

In the last 90 days, VMware's Carbon Black Managed Detection and Response (MDR) team observed 43 successful infections, in addition to numerous unsuccessful attempts in which a victim downloaded the initial infection file but did not execute it. Nine of the victims were in the business services sector, seven were in financial services, and five were in manufacturing. Organizations in the education, retail, information technology, and healthcare sectors were also affected.

When BatLoader infects a personal computer, it installs the Ursnif banking malware and the Vidar information stealer. If it lands on a domain-joined or corporate computer, it additionally installs Cobalt Strike and the Syncro remote monitoring and management tool alongside the banking Trojan and information stealer. According to VMware Carbon Black, although several aspects of the BatLoader campaign are unique, parts of the attack chain resemble the Conti ransomware operation. The overlaps include an IP address used by the Conti group in a campaign exploiting the Log4j vulnerability and the use of Atera, a remote management tool Conti employed in previous operations. This article continues to discuss the researchers' findings and observations regarding the BatLoader malware dropper.

Dark Reading reports "Researchers Sound Alarm on Dangerous BatLoader Malware Dropper"
