Keypoints
- Operators switched from standard Pyarmor to Pyarmor Pro to obfuscate primary malicious Python scripts, increasing difficulty of manual unpacking.
- Infections are delivered via large MSI installers containing a custom action that runs a dropped Batch file (Python2.bat) to start the kill chain.
- Python2.bat checks for admin rights and triggers a UAC prompt via getadmin.vbs, then silently installs WinRAR (renamed r.exe) and extracts archives including frameworkb.rar.
- Extracted items include framework.py, frameworkb.py, and a customized Pyarmor runtime folder (e.g., pyarmor_runtime_005214) used to run the protected scripts.
- frameworkb.py fingerprints the environment using arp and WMIC, sends the collected data to countingstatistic[.]com, and facilitates delivery of an encrypted second-stage payload.
- framework.py uses OpenSSL to decrypt a downloaded AES-256-CBC payload (a.exe.enc) with password tor92SS2jds, saves it as control.exe, and executes it; discovery commands (whoami /groups, arp -a, wmic) are also run.
- Second-stage payloads observed historically include banking stealers and stealers/dropper families delivered after decryption and execution of control.exe.
MITRE Techniques
- [T1027] Obfuscated Files or Information – Use of Pyarmor Pro to obfuscate main malicious Python scripts ('employing Pyarmor Pro — a more sophisticated version of the regular Pyarmor protector command-line tool — to obfuscate its main malicious python scripts.')
- [T1059.006] Command and Scripting Interpreter: Python – Execution of Python payloads via command shell ('cmd /c python.exe framework.py')
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – MSI custom action invoking cmd.exe to run the batch file ('"C:\Windows\System32\cmd.exe" /c C:\Users\...\AppData\Local\ReoApp\Python\Python2.bat')
- [T1548.002] Abuse Elevation Control Mechanism: Bypass UAC – Batch triggers a UAC prompt using a VBScript to obtain admin privileges ('it will execute a User Account Control (UAC) prompt via a file named getadmin.vbs')
- [T1016] System Network Configuration Discovery – Fingerprinting the network using arp to map IPs to MACs and retrieving domain information ('execute arp.exe, mapping IP addresses to MAC addresses and retrieving the domain name via the WMI command-line (WMIC) utility.')
- [T1047] Windows Management Instrumentation – Use of WMIC to query domain information ('wmic computersystem get domain')
- [T1140] Deobfuscate/Decode Files or Information – Use of OpenSSL to decrypt a downloaded encrypted payload (a.exe.enc) with AES-256-CBC and a hardcoded password ('OpenSSL is used to decrypt the downloaded file (a.exe.enc) using AES-256 encryption in cipher-block chaining (CBC) mode with the password tor92SS2jds.')
- [T1071.001] Application Layer Protocol: Web Protocols – Exfiltration or C2 communication to a remote domain (countingstatistic[.]com) ('This information is then sent to the command-and-control (C&C) server, which is countingstatistic[.]com in this case.')
Indicators of Compromise
- [Domain] C2 server – countingstatistic[.]com (used to receive fingerprinting data and deliver second-stage payloads)
- [File names] Installer and stage artifacts – Python2.bat, frameworkb.rar (MSI custom action runs Python2.bat; frameworkb.rar contains Pyarmor-protected scripts and runtime)
- [Files/Artifacts] Encrypted payload and decrypted output – a.exe.enc (encrypted payload), control.exe (decrypted and executed), and other stage files like framework.py
- [Credentials/strings] Decryption password observed – tor92SS2jds (used with OpenSSL to decrypt a.exe.enc)
Batloader’s technical execution begins with a large MSI installer that carries a custom action to run a dropped Batch file (Python2.bat) via cmd.exe. Python2.bat verifies administrative privileges and, if absent, triggers a UAC prompt using getadmin.vbs to elevate. Once elevated, it silently installs a renamed WinRAR installer (r.exe) to extract archives such as openssl.zip and frameworkb.rar, which contain the Pyarmor-protected Python scripts and a customized Pyarmor runtime folder (e.g., pyarmor_runtime_005214).
The extracted Pyarmor-protected scripts (frameworkb.py and framework.py) are executed using the system command shell and Python interpreter (cmd /c python.exe framework.py). frameworkb.py performs local network fingerprinting by invoking arp and WMIC to map IP-to-MAC and retrieve the domain, then sends that telemetry to the operator-controlled domain countingstatistic[.]com. After the C2 delivers the next-stage payload, framework.py uses OpenSSL to decrypt the downloaded AES-256-CBC file (a.exe.enc) with the observed password tor92SS2jds, writes the result to control.exe, and executes it. Throughout the chain the malware runs local discovery commands such as whoami /groups, arp -a, and wmic computersystem get domain to profile the victim environment.
Key detection opportunities include MSI custom actions invoking cmd.exe, execution of Pyarmor-protected Python runtimes (pyarmor_runtime_*), OpenSSL-based decryption command lines (openssl enc -aes-256-cbc -d -in a.exe.enc -out control.exe -pbkdf2 -pass pass:tor92SS2jds), and outbound connections to countingstatistic[.]com following local ARP/WMIC discovery. Hunting for patterns like parentCmd:"cmd /c python.exe framework*" can help identify this chain.
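The hunting patterns above, turned into a small rule set run over process-creation events. This is an added example, not code from the Trend Micro report or from the malware; the event records, field names (parent, cmd) and sample command lines are constructed to mirror the chain described here, and the correlation in hunt() is one possible way to require both ends of the chain before raising a high-confidence alert.

```python
import re

# Constructed process-creation events (not real telemetry), shaped like a Sysmon/EDR
# ProcessCreate record with the parent and child command lines.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\msiexec.exe /i Setup.msi",
     "cmd": r'"C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Local\ReoApp\Python\Python2.bat'},
    {"parent": "cmd /c python.exe frameworkb.py", "cmd": "arp.exe -a"},
    {"parent": "cmd /c python.exe frameworkb.py", "cmd": "wmic computersystem get domain"},
    {"parent": "cmd /c python.exe framework.py",
     "cmd": "openssl enc -aes-256-cbc -d -in a.exe.enc -out control.exe -pbkdf2 -pass pass:tor92SS2jds"},
    {"parent": "explorer.exe", "cmd": "notepad.exe notes.txt"},          # benign
    {"parent": "cmd /c python.exe build.py", "cmd": "openssl version"},  # benign
]

# Rules taken from the chain above: (name, MITRE technique, regex over "parent => cmd").
RULES = [
    ("msi_custom_action_runs_batch", "T1059.003",
     r'msiexec\.exe.*=>.*cmd\.exe"?\s+/c\s+\S*\.bat\b'),
    ("python_framework_script", "T1059.006",
     r"\bcmd\s+/c\s+python\.exe\s+framework\S*\s*=>"),
    ("openssl_decrypt_inline_password", "T1140",
     r"openssl\s+enc\b(?=.*-aes-256-cbc)(?=.*\s-d\b).*-pass\s+pass:\S+"),
    ("local_discovery", "T1016/T1047",
     r"=>\s*(arp(\.exe)?\s+-a|wmic\s+computersystem\s+get\s+domain|whoami\s+/groups)\b"),
]
COMPILED = [(n, t, re.compile(p, re.IGNORECASE)) for n, t, p in RULES]

def classify(event):
    """Return the (rule_name, technique) pairs whose regex matches this event."""
    line = f"{event.get('parent', '')} => {event.get('cmd', '')}"
    return [(n, t) for n, t, rx in COMPILED if rx.search(line)]

def hunt(events):
    """Score a batch of events. 'full_chain' is set only when both ends of the
    kill chain are present: the MSI-spawned batch file and the OpenSSL decrypt."""
    hits = [(n, t, e["cmd"]) for e in events for n, t in classify(e)]
    stages = {n for n, _, _ in hits}
    full = {"msi_custom_action_runs_batch", "openssl_decrypt_inline_password"} <= stages
    return {"hits": hits, "full_chain": full}

if __name__ == "__main__":
    for name, tech, cmd in hunt(SAMPLE_EVENTS)["hits"]:
        print(f"[{tech}] {name}: {cmd}")
```

The discovery rule alone is noisy on admin workstations; the value is in the parent-process context (cmd /c python.exe framework*) and in the inline -pass pass: decrypt, which legitimate tooling rarely exposes on a command line.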
Read more: https://www.trendmicro.com/en_us/research/23/h/batloader-campaigns-use-pyarmor-pro-for-evasion.html