Batloader exploited legitimate tools in the final quarter of 2022

January 31, 2023
Batloader Malware Final Quarter 2022 Financial Trojan

The Batloader malware operators ran numerous malicious campaigns worldwide last year. Researchers found that, over the course of these campaigns, the group adopted multiple attack strategies, including abusing legitimate tools and using malvertising to spread its malware.

Researchers track the whole cluster of operations run by these malware operators under the name 'Water Minyades', with activity dating back to the second half of 2020.

During the final quarter of last year, the threat actors were seen using Batloader to deliver additional payloads such as Raccoon Stealer, Bumbleloader, and Qakbot.

Reports noted that the actors distributed these malware strains through social engineering.


Batloader impersonates legitimate software to propagate infection.


According to the investigation, Batloader spreads through malicious websites that mimic download pages for legitimate applications such as AnyDesk, Audacity, CCleaner, and Blender. Malvertising run by the actors, typically ads placed against searches for those applications, redirects victims to these sites, where they download a trojanised installer instead of the genuine one.

The group relied heavily on defence evasion tactics. One of them was inflating the size of delivered payloads: many sandboxes and AV engines cap the size of files they will submit or scan, so an oversized file is often skipped rather than analysed, and scanning a very large file is slow even where it is attempted.

The attackers also used obfuscated JavaScript files as the initial payload and protected the Batloader Python scripts with the PyArmor obfuscation tool. They further abused legitimate utilities to elevate privileges on the infected host and to decrypt the malicious payloads.

The infection chain also leaned on code signing: it used MSI files carrying legitimate digital signatures, and it abused a known weakness in the handling of Windows PE Authenticode signatures to run malicious scripts appended to signed DLLs, since data placed outside the region covered by the Authenticode hash does not invalidate the signature.
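The appended-script trick works because the Authenticode hash covers the PE headers and sections but deliberately excludes the attribute certificate table, so bytes placed after that table, or smuggled inside it by inflating the table's declared length, leave the signature valid. The following is an added example written for this article, not Batloader code or any vendor's tooling: a small PE parser that measures how much data lies beyond the signed region. It builds its own minimal test PE (a constructed, non-executable file) with a stand-in PKCS#7 blob (`FAKE_PKCS7`, constructed, not a real signature). It does not verify the signature itself; a file that triggers a finding should then be checked with `signtool verify /v` or `osslsigncode verify`.

```python
"""Look for data hidden outside the signed part of a PE file (added example)."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
# Constructed stand-in for a PKCS#7 SignedData blob: a 300-byte DER SEQUENCE.
FAKE_PKCS7 = b"\x30\x82" + (300).to_bytes(2, "big") + b"\xAA" * 300


def der_total_length(blob: bytes) -> int:
    """Encoded length (tag + length bytes + content) of the DER SEQUENCE at blob[0]."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("certificate table does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                     # short form
        return 2 + first
    n = first & 0x7F                     # long form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def analyze_pe(data: bytes) -> dict:
    """Locate the end of section data and the certificate table; measure what lies beyond."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_base = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+
    cert_off, cert_size = struct.unpack_from(
        "<II", data, dir_base + IMAGE_DIRECTORY_ENTRY_SECURITY * 8)  # file offset, not an RVA
    sections_end = 0
    for i in range(num_sections):                      # 40-byte section headers
        hdr = opt + size_opt + i * 40
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        sections_end = max(sections_end, raw_ptr + raw_size)
    signed_end = max(sections_end, cert_off + cert_size if cert_size else 0)
    report = {"sections_end": sections_end, "cert_table": (cert_off, cert_size),
              "trailing_bytes": len(data) - signed_end, "cert_slack": 0}
    if cert_size:
        dw_length = struct.unpack_from("<I", data, cert_off)[0]   # WIN_CERTIFICATE.dwLength
        pkcs7 = data[cert_off + 8:cert_off + dw_length]           # bCertificate
        report["cert_slack"] = dw_length - 8 - der_total_length(pkcs7)
    return report


def findings(report: dict) -> list:
    """Reasons to distrust the file; an empty list means nothing was found."""
    out = []
    if report["trailing_bytes"] > 0:
        out.append(f"{report['trailing_bytes']} bytes appended after the signed region")
    if report["cert_slack"] > 7:   # up to 7 bytes is legitimate 8-byte alignment padding
        out.append(f"{report['cert_slack']} unexplained bytes inside the certificate table")
    return out


def build_pe(section_data: bytes, pkcs7: bytes = FAKE_PKCS7,
             cert_slack: bytes = b"", overlay: bytes = b"") -> bytes:
    """Construct a minimal, non-runnable PE32 for testing: one section, one WIN_CERTIFICATE."""
    opt_size, section_off = 0xE0, 0x200
    cert_off = section_off + len(section_data)
    body = pkcs7 + cert_slack
    win_cert = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body   # rev 2.0, PKCS#7
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                                   # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8, cert_off, len(win_cert))
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                      len(section_data), section_off, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + sec).ljust(section_off, b"\0")
    return headers + section_data + win_cert + overlay


if __name__ == "__main__":
    script = b"WScript.Echo 1\r\n" * 4            # constructed stand-in for an appended script
    samples = {"clean": build_pe(b"\x90" * 64),
               "appended": build_pe(b"\x90" * 64, overlay=script),
               "smuggled": build_pe(b"\x90" * 64, cert_slack=script)}
    for name, sample in samples.items():
        print(name, findings(analyze_pe(sample)))
```

The 7-byte allowance exists because the PE specification rounds each certificate table entry up to an 8-byte boundary, so a few bytes of zero padding after the PKCS#7 blob are normal. The parser assumes a single WIN_CERTIFICATE entry; a file carrying multiple signatures needs the entries walked in turn, each `dwLength` rounded up to 8, before measuring slack.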

Researchers also noted that the actors use easily modified scripts so that scanning products relying on structural (static) signatures fail to detect them; a small change to the script defeats a signature written against its previous form.

Experts described the Batloader payload as highly evasive and capable of deploying several types of malware. They also expect the operators to continue their campaigns in the coming months, given that the group has been targeting high-profile organisations.

Organisations should adopt a multilayered security approach to reduce the chance of infection by this malware, treating software downloads reached through search-engine ads with suspicion and not relying on file-size limits or a valid code signature alone to decide that a file is safe.
