Contributed by: Nandakumar KJ & Josh Lemon
Stealthy, initial access malware known as BatLoader uses malvertising techniques. Due to how it embeds itself within a computer system, it’s challenging to fully remove it. Additionally, it makes use of legitimate tools for elevating privilege, decryption, and running malicious scripts to deploy second-stage infostealer malware, (e.g., Arkei/Vidar, Ursnif, Cobalt Strike Beacon, Rhadamanthys).
This blog post includes a technical analysis of the BatLoader malware along with a description of how Uptycs MDR analysts identify and remediate it. In many cases, we have provided the SQL queries used in our investigation.
Technical analysis
BatLoader typically enters through malicious web pages that masquerade as trustworthy programs or software. Malvertising strategies and fake comments on forums having connections to BatLoader distribution locations can direct victims to these websites.
Uptycs recently observed where BatLoader initiated execution through an encoded PowerShell script. It used the WebClient.DownloadString method to retrieve the string from the URL to the local system.
Upon execution of the initial malicious PowerShell script, BatLoader executes additional PowerShell commands to add an exclusion to Windows Defender as part of a defense evasion technique.
The PowerShell script also downloads and executes additional executables; zkoko.exe.gpg, Nsudo.exe, and gpg4win-2.2.5.exe. These are placed in the $USERPROFILE$\AppData\Roaming directory.
Domains accessed by PowerShell to collect second stage malware – osquery, DNS to process mapping
select * from DNS_lookup_events Where upt_asset_id ='ec2356f0-bbfa-8f79-ed7b-f6d972698e85' AND pid =1548 AND upt_time between timestamp '2023-03-01 05:50:00' AND timestamp '2023-03-01 06:10:00'
Downloaded executables – Uptycs Real-Time Actions
The payload is decrypted using the gpg4win.exe binary, a common Windows email and file encryption package.
Nsudo.exe is a management tool to launch programs with elevated privileges. In this attack, it’s used to impair defense by hiding the window as the payload is being executed.
The infostealer malware, dropped by BatLoader, attempts to collect sensitive data from victims' systems via the Windows API. This includes information about system disk drives, disk types, BIOS, processor, computer name, and serial number.
Additionally, the malware crawls directories of installed browsers on a victim's machine as it attempts to collect information stores for the following: browsing histories, bookmarks, cookies, autofills, and login passwords. Once sensitive data is collected, it’s then relayed to the threat actor’s server. In the malware sample we observed, the command-and-control (C2) server (79.137.204.54) is associated with the Rhadamanthys malware family.
C2 server connection – contextual details in the Uptycs detection UI
UPTYCS MDR
The Uptycs detection engine includes built-in behavioral rules, YARA signatures, and threat intelligence data. Our skilled security analyst team constantly monitors detections and hunts for widespread and active threats in the environment.
From this BatLoader malware sample, we observed our victim system also being infected with Rhadamanthys. Along with YARA signature detections in memory discovering it, detection included behavioral rules from known actions that malware performs along with Uptycs threat intelligence matches.
Additionally, Uptycs EDR contextual detection provides important details about identified malware, mapped behavior in the ATT&CK Matrix (left pane, below), and a detection graph that shows process ancestry. Users can navigate to the toolkit data section in the detection, then click on the name to learn more.
Rhadamanthys detection
Built atop osquery, the Uptycs agent has the ability to collect vast, high-quality telemetry from endpoints, cloud resources, and Kubernetes systems. You can see the telemetry data in the available osquery tables (e.g., Process_events, PowerShell_events, scheduled_tasks). You can view the open-source schema here, to which Uptycs has added a significant number of additional tables.
Using Uptycs Investigate feature, we were able to further investigate malicious activity by running SQL queries against the osquery tables containing data collected from the endpoint where we executed the malware.
Searching process_events for finding activity of suspicious user
select * from process_events where upt_asset_id ='ec2356f0-bbfa-8f79-ed7b-f6d972698e85' AND login_name = 'Administrator' AND upt_time between timestamp '2023-03-01 05:45:00' AND timestamp '2023-03-01 06:10:00'
Searching socket_events to find executables that connect to the C2 server
select * from socket_events where upt_asset_id ='ec2356f0-bbfa-8f79-ed7b-f6d972698e85' AND upt_day =20230301 AND remote_address ='79.137.204.54'
Searching api_events to find the api calls used by zokoko.exe
select * from api_events where upt_asset_id ='ec2356f0-bbfa-8f79-ed7b-f6d972698e85' and cmdline like '%powershell.exe -command C:\Users\Administrator\AppData\Roaming\zkoko.exe%'
The Uptycs Managed Detection and Response (MDR) team responds to threats by using the Uptycs Protect remediation and blocking feature. It lets you kill, delete, pause, and scan the binary using YARA rules, or collect the file for additional analysis based on the detection graph for detected malicious activity (below). Additionally, we have the ability to manage users, run scripts on the host machine, quarantine the machine, or investigate the malicious process further.
Uptycs Protect – detection graph
Monitoring all potential threats in an environment is essential, especially those that abuse legitimate tools to obfuscate their presence like the BatLoader malware. The Uptycs MDR team makes this possible by detecting and taking action in response to threats in our customers environment.
Indicators of compromise (IOCs)
File name
|
Md5 hash
|
zkoko.exe.gpg
|
199b1499566ddc2e86e3ea3e4db7f3ff
|
Nsudo.exe
|
5cae01aea8ed390ce9bec17b6c1237e4
|
gpg4win-2.2.5.exe
|
67a4f35cae2896e3922f6f4ab5966e2b
|
zkoko.exe
|
3f82d9d43d56e56d523b2457bf6fa839
|
Domain/URL/IP Address
job-lionserver.site
|
job-lionserver.ru
|
81.177.165.87
|
185.199.111.133
|
79.137.204.54
|
Malware Samples
https://www.virustotal.com/gui/file/43894c287c3ebccd30cd761dd4826518073773180ae0ab28355d604b44071441