Figure 1: Fake Zoom Installer Figure 2: Fake AnyDesk installer The MSI installers are signed by “Kancelaria Adwokacka Adwokat Aleksandra Krzemińska” (Figures 1-2). The user navigates to the first advertisement displayed, which redirects the user to the website hosting the fake installer. The initial infection starts with the user searching for installers such as Zoom, TeamViewer, AnyDesk, or FileZilla. In September 2022, eSentire TRU observed multiple BatLoader infections in Consumer Services, Retail, Telecommunications, and Non-Profit client environments. eSentire TRU assesses with high confidence that BatLoader will remain active in the wild in 2023 and potentially serve as a first stage payload to deliver other malware.The last BatLoader campaign performs the antivirus checks and is capable of modifying Windows UAC prompt, disabling Windows Defender notifications, disabling Task Manager, disabling command prompt, preventing users from accessing Windows registry tools, disabling the Run command, and modifying the display timeout.The loader drops certain malware if certain conditions of the infected host are met (e.g., ARP table, domain check).BatLoader can evade most antivirus detections due to the size of the MSI installers.eSentire Threat Response Unit (TRU) observed two different BatLoader campaigns in 2022.BatLoader delivers additional malware and tools including ISFB, Vidar Stealer, Cobalt Strike, Syncro RMM, and SystemBC RAT via fake installers.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |