An ongoing information-stealing campaign is using a new BATLoader being sent to the target via spam emails, researchers found.
The emails had legitimate-looking Microsoft OneNote attachments that spread other RATs and information-stealing malware. Cyble Research and Intelligence Labs (CRIL) detected malware such as QuasarRAT, AsyncRAT, DCRAT, Stormkitty, and RedLine stealer spread via this technique.
However, the researchers noticed the difference in the method, and how the malicious payload was being delivered using BATLoader. The malware used an Open Directory (OpenDir), which generally houses direct links to files from remote servers, however, here, it hosted the malware instead. It stored the binary file named Bill.exe, which was the BATLoader malware.
The users were targeted with spam emails that asked them to click on the attached document to view it. The attached OneNote document with the BATLoader malware was titled SHIPMENT_DOCUMENTS.one.
Attack vector to deliver QuasarRAT by the BATLoader malware
Upon executing Bill.exe it dropped Bill.bat in %temp%; it was an obfuscated BAT file. BAT or batch files are used by Microsoft to run various commands, however, they can be misused to launch malware, just like any other programming language.
In the following steps, the BAT file copied legitimate PowerShell.exe from system32 and dropped it in %temp% with the name Bill.bat.exe.
It ran the data in the PowerShell inside the BAT file, finally leading to the decryption, decompression, and loading of the data as a .NET assembly.
How the code in the file is executed by the BATLoader malware
From the Bill.bat file located at C:\Users\<Admin>\AppData\Local\Temp\IXP000.TMP\, the PowerShell script fetches a Base64 encoded content starting with ‘::’ Following this, the Base64-encoded data is decoded using [System.Convert]::FromBase64String method. The resulting AES-encrypted data is decrypted using AES.CreateDecryptor() method.
Using hardcoded strings encoded in Base64, the encryption key and initialization vector Key & IV are gathered. Thereafter a System.IO.MemoryStream object gets formed with the AES decrypted data. It is in Gzip compressed form.
After that, the data is decompressed using [IO.Compression.CompressionMode]::Decompress from an object System.IO.Compression.GZipStream.
This data, which is a portable executable, gets loaded into a .Net assembly using [System.Reflection.Assembly]::Load method. The Invoke method runs the code in the assembly.
Simplified image showing the delivery of QuasarRAT (Image: Cyble)
The code in the .NET assembly is executed after which it decrypts the data. The encrypted data is run in the .NET resource directory called payload.exe. This .exe file is QuasarRAT, delivered by the BATLoader malware.
BATLoaders are initial access malware thriving on legitimate batch and PowerShell scripts. It delivers other malware; however, it all depends on one communication such as an email that contains the BATLoader. If that email is not accessed or the link is not downloaded, the campaign will be unsuccessful.
Remote Access Trojans (RAT) are spyware that lets a cybercriminal gain access to any infected system remotely to steal data, control the system, encrypt data after launching ransomware, etc. With administrative privileges, RATs can evade detection and hide under the PowerShell script. It can gain persistence and schedule tasks on the systems as the cybercriminal requires to further launch attacks successfully.