April 16, 2024

Mar 11, 2023Ravie LakshmananCyber Risk Intelligence


The malware downloader often called BATLOADER has been noticed abusing Google Advertisements to ship secondary payloads like Vidar Stealer and Ursnif.

In keeping with cybersecurity firm eSentire, malicious adverts are used to spoof a variety of professional apps and companies resembling Adobe, OpenAPI’s ChatGPT, Spotify, Tableau, and Zoom.

BATLOADER, because the title suggests, is a loader that is chargeable for distributing next-stage malware resembling data stealers, banking malware, Cobalt Strike, and even ransomware.

One of many key traits of the BATLOADER operations is the usage of software program impersonation techniques for malware supply.

That is achieved by establishing lookalike web sites that host Home windows installer information masquerading as professional apps to set off the an infection sequence when a consumer looking for the software program clicks a rogue advert on the Google search outcomes web page.

Vidar Stealer and Ursnif Payloads

These MSI installer information, when launched, execute Python scripts that comprise the BATLOADER payload to retrieve the next-stage malware from a distant server.

This modus operandi marks a slight shift from the earlier attack chains noticed in December 2022, when the MSI installer packages have been used to run PowerShell scripts to obtain the stealer malware.


Uncover the Hidden Risks of Third-Celebration SaaS Apps

Are you conscious of the dangers related to third-party app entry to your organization’s SaaS apps? Be a part of our webinar to study in regards to the forms of permissions being granted and methods to reduce threat.


Different BATLOADER samples analyzed by eSentire have additionally revealed added capabilities that enable the malware to determine entrenched entry to enterprise networks.

“BATLOADER continues to see modifications and enchancment because it first emerged in 2022,” eSentire mentioned.

“BATLOADER targets numerous standard purposes for impersonation. That is no accident, as these purposes are generally present in enterprise networks and thus, they’d yield extra useful footholds for monetization through fraud or hands-on-keyboard intrusions.”

Discovered this text attention-grabbing? Comply with us on Twitter and LinkedIn to learn extra unique content material we publish.