Zoom For You — SEO Poisoning to Distribute BATLOADER and Atera Agent

While protecting our customers against threats, Mandiant Managed Defense continues to see new threats that abuse trust in legitimate tools and products to carry out their attacks. These attacks are effective at getting past security defenses and staying undetected in a network.

Through proactive threat hunting, our Managed Defense frontline team uncovered a campaign that used search engine optimization (SEO) poisoning to lead victims to download the BATLOADER malware for the initial compromise. We also observed a crafty defense evasion technique using mshta.exe, a Windows-native utility designed to execute Microsoft HTML Application (HTA) files.

SEO poisoning is an attack method in which threat actors create malicious websites packed with keywords and use search engine optimization techniques to make them appear prominently in search results.

Infection Chain

The threat actor used "free productivity apps install" or "free software development tools install" themes as SEO keywords to lure victims to a compromised website and download a malicious installer. The installer contains legitimate software bundled with the BATLOADER malware. BATLOADER is dropped and executed during the software installation process.

This initial BATLOADER compromise was the beginning of a multi-stage infection chain that provides the attackers with a foothold inside the target organization. Each stage prepared for the next phase of the attack chain, and legitimate tools such as PowerShell, Msiexec.exe, and Mshta.exe allow proxy execution of malicious payloads to avoid detection.

CVE-2020-1599 Patch Bypass

One notable sample found in the attack chain was a file named "AppResolver.dll". This DLL sample is an internal component of the Microsoft Windows operating system developed by Microsoft, but with malicious VBScript embedded inside it in a way that leaves the code signature valid. The DLL sample does not execute the VBScript when run by itself; when run with Mshta.exe, however, Mshta.exe locates and executes the VBScript without any issues.

This issue most closely resembles CVE-2020-1599: a PE Authenticode signature remains valid after appending HTA-supported scripts to a file signed by any software developer. These PE+HTA polyglot (.hta) files can be exploited through Mshta.exe to bypass security solutions that rely on Microsoft Windows code signing to decide whether files are trusted. This issue was patched as CVE-2020-1599.

In this case, we observed arbitrary script data appended to the signature section beyond the end of the ASN.1 of a legitimately signed Windows PE file. The resulting polyglot file maintains a valid signature as long as the file has an extension other than '.hta'. This polyglot file will successfully execute the script contents if it is executed with Mshta.exe, as Mshta.exe will skip the PE's bytes, locate the script at the end, and execute it. This evasion technique was used multiple times during the attack chain to change host settings and to launch payloads.
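The signature-section polyglot described above can be checked for from the defender's side by parsing the PE Certificate Table directly: Authenticode hashing excludes that table, so bytes appended past the end of its ASN.1 blob leave the signature valid, but the surplus is visible to a parser that compares the DER length of the blob with the length recorded in the WIN_CERTIFICATE header. The Python below is an added example, not code from the original post or from Mandiant. It builds its own header-only PE32+ fixture with a placeholder (non-cryptographic) DER blob rather than a real signed file, and the function names `security_directory`, `find_trailing_data`, `scan_certificate_table` and `build_sample_pe` are hypothetical.

```python
import struct

SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY (the Certificate Table)


def der_element_length(blob, offset=0):
    """Total size (tag + length field + content) of the DER element at offset."""
    if len(blob) < offset + 2:
        raise ValueError("truncated DER element")
    first = blob[offset + 1]
    if first < 0x80:                       # short-form length
        return 2 + first
    nbytes = first & 0x7F                  # long-form: number of length bytes
    if nbytes == 0 or nbytes > 4 or len(blob) < offset + 2 + nbytes:
        raise ValueError("unsupported DER length encoding")
    content = int.from_bytes(blob[offset + 2:offset + 2 + nbytes], "big")
    return 2 + nbytes + content


def security_directory(pe):
    """Return (file_offset, size) of the Certificate Table, or (0, 0) if absent."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x20B:                     # PE32+
        nrva_off, dd_base = opt + 108, opt + 112
    elif magic == 0x10B:                   # PE32
        nrva_off, dd_base = opt + 92, opt + 96
    else:
        raise ValueError("unknown optional header magic")
    if struct.unpack_from("<I", pe, nrva_off)[0] <= SECURITY_DIR_INDEX:
        return 0, 0
    # Unlike the other directories, this entry holds a raw file offset, not an RVA.
    return struct.unpack_from("<II", pe, dd_base + 8 * SECURITY_DIR_INDEX)


def find_trailing_data(pe):
    """Bytes inside the Certificate Table that lie past the end of each entry's ASN.1 blob."""
    off, size = security_directory(pe)
    table = pe[off:off + size]
    trailing = bytearray()
    pos = 0
    while pos + 8 <= len(table):
        dw_length, _revision, _cert_type = struct.unpack_from("<IHH", table, pos)
        if dw_length < 8 or pos + dw_length > len(table):
            raise ValueError("malformed WIN_CERTIFICATE entry")
        blob = table[pos + 8:pos + dw_length]
        trailing += blob[der_element_length(blob):]   # anything after the outer SEQUENCE
        pos += (dw_length + 7) & ~7                   # entries are 8-byte aligned
    return bytes(trailing).rstrip(b"\0")              # alignment padding is not evidence


SCRIPT_MARKERS = (b"<script", b"<hta:", b"vbscript", b"javascript")


def scan_certificate_table(pe):
    """Flag a PE whose signature region carries data beyond the ASN.1 signature blob."""
    trailing = find_trailing_data(pe)
    markers = [m.decode() for m in SCRIPT_MARKERS if m in trailing.lower()]
    return {"trailing_bytes": len(trailing), "script_markers": markers,
            "suspicious": bool(trailing)}


# --- constructed fixture: header-only PE32+ with a placeholder certificate blob ---
FAKE_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02])   # SEQUENCE { INT 1, INT 2 }
APPENDED = b'<script language="VBScript">MsgBox "constructed marker"</script>'


def build_sample_pe(cert_der, extra=b""):
    """Minimal PE32+ (no sections) whose Certificate Table holds cert_der followed by extra."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                               # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                                # NumberOfRvaAndSizes
    blob = cert_der + extra
    cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob    # WIN_CERTIFICATE header + blob
    cert += b"\0" * (-len(cert) % 8)
    table_offset = len(dos) + 4 + len(coff) + len(opt)
    struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR_INDEX, table_offset, len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    print(scan_certificate_table(build_sample_pe(FAKE_DER)))
    print(scan_certificate_table(build_sample_pe(FAKE_DER, APPENDED)))
```

The check is deliberately independent of whether the signature verifies: a file can pass Authenticode validation and still carry a script in this region, which is exactly the condition the campaign relied on. On a real sample the same function works unchanged on the file bytes; the fixture only stands in for a signed binary so the example runs offline.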

In the latter stages, goodware such as the Gpg4win utility, the NSUDO utility, ATERA, and SplashTop is seen installed as part of this campaign's attack chain. These support remote access, privilege escalation, launching of payloads, encryption, and persistence. Malware such as BEACON and URSNIF was also deployed to provide backdoor and credential-stealing capabilities.

Attack chain of the BATLOADER campaign

An Alternate Infection Chain

Alternatively, the threat actor may deploy ATERA directly as the initial compromise. Similarly, through SEO poisoning, victims were lured to download an ATERA Agent installation package. The installer masquerades as "free legitimate software" to lure the victim into installing it onto the host for the initial compromise.

ATERA is Remote Monitoring and Management software. It provides IT automation, host, and network discovery features. SplashTop is software that can be integrated into ATERA to provide remote access to a host. The infection chain is as follows:

  • A user performs a Google search and clicks a link to an actor-created page on a compromised website (Figure 1).
Figure 1: Google search results with link to the actor-created content on the compromised website
  • The benign blog post (Figure 2) abuses a Traffic Direction System (TDS) to decide whether the user should be directed to a webpage that masquerades as a message board that has posted a download link (Figure 3).
Figure 2: Benign blog post
Figure 3: Actor-created discussion board with malicious download link
  • The download link delivers the ATERA Agent installer package, named after the search term (Figure 4 and Figure 5).
Figure 4: Atera Agent installer package named after the search term
Figure 5: ATERA Agent installer package masquerading as Microsoft Community Visual Studio 2015
  • An example of the installation of an ATERA Agent masquerading as "Microsoft Community Visual Studio 2015 Free.msi" (Figure 6).
Figure 6: Installation of an Atera Agent
  • After the successful ATERA Agent installation, Splashtop is downloaded to the C:\Windows\Temp directory and installed on the victim's host to maintain persistence (Figure 7 and Figure 8).
  • After the successful ATERA Agent installation, the ATERA Remote Monitoring & Management functions push down pre-configured scripts and tools such as Splashtop Streamer to be installed and run on the victim's host in a real-time and automated fashion.
Figure 7: Auto deployment of the Splashtop software
  • The ATERA Agent removes itself after the successful Splashtop Streamer installation. The default configuration of the Splashtop Streamer is set to AutoStart, running in the background without security authentication, to connect to the victim's host and maintain persistence.
Figure 8: Splashtop Streamer default configuration
  • Scripts were also pushed down by the ATERA Agent to perform malicious tasks such as disabling Microsoft Windows Defender functionality and adding process and file exclusions for it (Figure 9 and Figure 10).
Figure 9: Malicious script that consisted of disabling Microsoft Windows Defender functionality
Figure 10: Malicious script to download further payload
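The Defender tampering in the last step (disabled functionality plus process and file exclusions) is visible in the host's own telemetry, which is where a hunt for this chain can start even when the installer itself looked legitimate. As an added example that is not part of the original post, the Python below triages Microsoft Defender Antivirus operational-log events for exclusion additions and protection-disabling configuration changes. The input lines are constructed; the flat `EventID<TAB>Message` form and the wording of the 5007/5001 messages are assumptions about a log pipeline, and `triage_defender_events` is a hypothetical function name.

```python
import re

# Constructed sample of Defender operational-log events, flattened to "EventID<TAB>Message"
# lines (an assumption about the log pipeline; this is not real host data).
SAMPLE_EVENTS = [
    "5007\tMicrosoft Defender Antivirus Configuration has changed. Old value: "
    "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Windows\\Temp = 0x0",
    "5007\tMicrosoft Defender Antivirus Configuration has changed. Old value: "
    "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\\mshta.exe = 0x0",
    "5001\tMicrosoft Defender Antivirus Real-time Protection is disabled.",
    "5007\tMicrosoft Defender Antivirus Configuration has changed. Old value: "
    "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring = 0x0 "
    "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring = 0x1",
    "1150\tEndpoint is healthy.",
]

# Event 5007 reports a registry-backed configuration change; an exclusion shows up as a new
# value under Exclusions\<Paths|Processes|Extensions>, a disabled feature as Disable* = 0x1.
EXCLUSION_RE = re.compile(
    r"Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\(.+?) = 0x0", re.I)
DISABLE_RE = re.compile(
    r"Windows Defender\\Real-Time Protection\\(Disable\w+) = 0x1", re.I)

# Exclusions that match this campaign's tooling (drop directory and proxy-execution binaries)
# are escalated; anything else is left for an analyst to review.
HIGH_RISK_TARGETS = {r"c:\windows\temp", "mshta.exe", "msiexec.exe", "powershell.exe", "cmd.exe"}


def triage_defender_events(lines):
    """Return a list of findings (type, detail, risk) for Defender-tampering events."""
    findings = []
    for line in lines:
        event_id, _, message = line.partition("\t")
        if event_id == "5001":                       # real-time protection turned off
            findings.append({"type": "realtime_protection_disabled",
                             "detail": message.strip(), "risk": "high"})
        elif event_id == "5007":                     # configuration changed
            new_value = message.split("New value:", 1)[-1]   # ignore the "Old value" half
            m = EXCLUSION_RE.search(new_value)
            if m:
                target = m.group(2).strip()
                risk = "high" if target.lower().rstrip("\\") in HIGH_RISK_TARGETS else "review"
                findings.append({"type": f"exclusion_added_{m.group(1).lower()}",
                                 "detail": target, "risk": risk})
                continue
            m = DISABLE_RE.search(new_value)
            if m:
                findings.append({"type": "protection_feature_disabled",
                                 "detail": m.group(1), "risk": "high"})
    return findings


if __name__ == "__main__":
    for finding in triage_defender_events(SAMPLE_EVENTS):
        print(finding)
```

Pairing these findings with a file write of a Splashtop Streamer installer under C:\Windows\Temp, or with a newly installed ATERA Agent service, ties the tamper events back to the chain described above; an exclusion for C:\Windows\Temp or for mshta.exe on a workstation that has no change record for it is worth a ticket on its own.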


In August 2021, a disgruntled CONTI affiliate leaked training documents, playbooks, and tools used to assist in CONTI ransomware operations. Mandiant has determined that some of the activity listed above overlaps with techniques in the playbooks disclosed in August.

Today, because of the public release of this information, other unaffiliated actors may be replicating the techniques for their own motives and objectives. The victims appear to operate in a range of industries. The threat group's motivations are currently unknown, but we suspect that the group is financially motivated, based on the seemingly industry-agnostic targeting leading to ransomware activity.

Managed Defense Threat Hunting

Experienced defenders from Managed Defense are constantly inspired by Mandiant's global cyber threat intelligence and the incident response experience gained on the frontlines of the world's most consequential cyber attacks. Fueled by up-to-the-minute threat intelligence, the Managed Defense threat hunting team designs and conducts hunt missions to reveal the stealthiest threat actors. Mandiant threat hunting combines powerful data analytics, automation and elite experts with intuition and frontline experience. You can follow our hunters as their work unfolds in the Managed Defense portal. Each mission is mapped to the MITRE ATT&CK framework and includes related intelligence so you can take decisive action throughout your environment.

Technical Indicators & Warnings

Network Indicators

team-viewer[.]site

zoomvideo[.]site

rule M_Hunting_Downloader_BATLOADER_1
{
    meta:
        author = "Mandiant"
        date_created = "2021-10-28"
        date_modified = "2021-10-28"
        version = "1.0"
        description = "Detects strings for BATLOADER sample"
        md5 = "6cd13e6429148e7f076b479664084488"
    strings:
        $s1 = "launch.bat" ascii
        $s2 = "Error writing to batch file:" ascii
        $s3 = "cmd.exe" ascii
        $s4 = "/C" ascii
        $s5 = "You entered an invalid email, please enter the email that was registered on website." ascii
    condition:
        uint16(0) == 0x5A4D and filesize > 4KB and filesize < 5MB and all of them
}

ATT&CK Tactic Category

Reconnaissance

Search Open Websites/Domains (T1593.002)

  • Search Engines (T1593.002)

Resource Development

Compromise Infrastructure (T1584)

Stage Capabilities (T1608)

  • Upload Malware (T1608.001)

Develop Capabilities (T1587)

Initial Access

Supply Chain Compromise (T1195)

Execution

User Execution (T1204)

  • Malicious File (T1204.002)

Command and Scripting Interpreter (T1059)

  • PowerShell (T1059.001)
  • Windows Command Shell (T1059.003)
  • Visual Basic (T1059.005)

Persistence

Boot or Logon Autostart Execution (T1547)

  • Registry Run Keys / Startup Folder (T1547.001)

Privilege Escalation

External Remote Services (T1133)

Defense Evasion

Masquerading (T1036)

Obfuscated Files or Information (T1027)

Indicator Removal on Host (T1070)

  • File Deletion (T1070.004)

Signed Binary Proxy Execution (T1218)

  • Mshta (T1218.005)
  • Msiexec (T1218.007)

Impair Defenses (T1562)

  • Impair Defenses: Disable or Modify Tools (T1562.001)

Credential Access

Steal or Forge Kerberos Tickets: Kerberoasting (T1558)

Discovery

System Information Discovery (T1082)

System Network Configuration Discovery (T1016)

Command and Control

Remote Access Software (T1219)


Special thanks to Alip Asri for creating the IOCs for the Hunting Missions, and to Ana Maria Martinez Gomez, Tufail Ahmed, Stephen Eckels, Dhanesh Kizhakkinan and Jacob Thompson for their help on the topic.
