Google search results have become a hotbed of malicious ads pushing malware. Recently, threat actors have been discovered abusing Google Ads to distribute BatLoader malware. The campaign operators use software impersonation tactics for malware delivery and add two more payloads upon infection.

What is happening?

According to cybersecurity firm eSentire, in this campaign, threat actors registered new websites impersonating various legitimate apps and brands including ChatGPT, Zoom, Spotify, AnyDesk, Microsoft Teams, Java, Tableau, and Adobe.
  • These websites host and deliver malicious Windows installer files that contain custom action commands to execute an embedded batch file (InstallPython[.]bat or PythonFramework[.]bat) with admin privileges in a hidden window.
  • The batch file unpacks two Python files protected using PyArmor.
  • The files execute Python code which contains the BatLoader payload to retrieve the next-stage malware such as Vidar Stealer and Ursnif hosted on a remote server.
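The chain described above (an MSI custom action launching an embedded batch file, which in turn launches a Python interpreter) leaves a recognizable parent-child process pattern in endpoint telemetry. The following detection sketch is an added example written for this page, not code from eSentire, Cyware, or the campaign itself. It assumes Sysmon-style process-creation fields (`pid`, `ppid`, `image`, `cmdline`); the sample events are constructed, and only the two batch-file names come from the report.

```python
import re

# Batch-file names reported for this campaign (from the page); anything else
# in the msiexec -> cmd.exe -> *.bat pattern is still worth a look.
KNOWN_BATCH_NAMES = {"installpython.bat", "pythonframework.bat"}

# Captures the first *.bat path in a command line (quoted or bare).
BAT_RE = re.compile(r'([^\s"]+\.bat)\b', re.IGNORECASE)

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# Hypothetical paths and file names; not telemetry from a real host.
SAMPLE_EVENTS = [
    # malicious chain: installer -> hidden batch -> python loader
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\bob\Downloads\ChatGPT-Setup.msi"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\bob\AppData\Local\Temp\InstallPython.bat"},
    {"pid": 102, "ppid": 101, "image": r"C:\Program Files\Python310\python.exe",
     "cmdline": r"python.exe C:\Users\bob\AppData\Local\Temp\loader.py"},
    # suspicious but unnamed batch from an installer, no Python child -> medium
    {"pid": 200, "ppid": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\bob\Downloads\Tool-Setup.msi"},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\bob\AppData\Local\Temp\setup.bat"'},
    # benign: a user running a batch file from Explorer, not from an installer
    {"pid": 300, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"explorer.exe"},
    {"pid": 301, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\bob\scripts\backup.bat"},
]


def basename(path):
    """Lower-cased final path component, tolerant of / and \\ separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_msi_batch_chain(events):
    """Flag cmd.exe processes spawned by msiexec.exe that run a .bat file.

    Severity is 'high' when the batch name matches one reported for the
    campaign or when the batch goes on to spawn a Python interpreter;
    otherwise 'medium'. Returns a list of finding dicts.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) != "cmd.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or basename(parent["image"]) != "msiexec.exe":
            continue
        match = BAT_RE.search(e["cmdline"])
        if not match:
            continue
        bat = basename(match.group(1))
        # Does the batch file in turn launch python*.exe? (stage-two loader)
        children = [c for c in events if c["ppid"] == e["pid"]]
        spawns_python = any(basename(c["image"]).startswith("python")
                            for c in children)
        severity = "high" if (bat in KNOWN_BATCH_NAMES or spawns_python) else "medium"
        findings.append({
            "pid": e["pid"],
            "batch": bat,
            "installer_cmdline": parent["cmdline"],
            "spawns_python": spawns_python,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in detect_msi_batch_chain(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["batch"], "<-", f["installer_cmdline"])
```

The rule keys on the process lineage rather than on file names alone, so renaming the batch file only lowers the severity instead of evading it; in a real deployment the same logic maps onto an EDR query over ParentImage/Image/CommandLine fields.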

An evolving campaign

The campaign, which began in February, exhibited some changes in the malware variants over a short time span.
  • Recent BatLoader samples lacked the capabilities to establish entrenched access to enterprise networks; however, these were added in the latest variant.
  • In the mid-February variant, the batch file contained a third Python file, obfuscated with PyArmor, that was embedded with an identical series of commands to handle payload retrieval, decryption, and execution.
  • That Python file helps curate payloads for domain-joined systems with more than two IP neighbors in the system’s ARP table.

Experts suspect that BatLoader used Cobalt Strike in addition to the standard payloads such as Vidar Stealer and Ursnif.

Summing up

BatLoader is continuously improving itself with more convincing tricks, such as the impersonation of popular business applications and propagation via Google ads. Lately, several other threats have been observed using the same impersonation tactics. Organizations are therefore advised to educate employees on how to recognize malware masquerading as legitimate applications.
Cyware Publisher