Batloader Malware Abuses Legitimate Tools, Uses Obfuscated JavaScript Files in Q4 2022 Attacks

This report analyzes Batloader campaigns observed in Q4 2022 linked to the Water Minyades intrusion set, highlighting its use of obfuscated JavaScript, MSI/JS payloads, and abuse of legitimate tools to evade defenses. It details how Batloader can drop multiple payloads (including Ursnif, Cobalt Strike, and Royal ransomware) and how attackers rely on malvertising, SEO techniques, and various toolsets (Advanced Installer, WiX, PyArmor) to operate. #Batloader #WaterMinyades #Qakbot #RaccoonStealer #BumbleLoader #CobaltStrike #RoyalRansomware #Atera #NSudo #PyArmor #AdvancedInstaller #WiXToolset #JavaScript

Keypoints

  • Batloader campaigns in Q4 2022 are tied to the Water Minyades intrusion set, which has also delivered other malware like Qakbot and Bumbleloader.
  • Water Minyades hinders analysis by using very large (hyperinflated) MSI payloads and abuses legitimate tools for privilege escalation and defense evasion.
  • The campaign shifted from MSI-based first-stage payloads to JavaScript-based payloads starting in late November 2022, with obfuscated JavaScript used as the initial dropper.
  • Batloader’s kill chain often involves MSI/Advanced Installer and WiX toolsets to embed custom action scripts that reach out to C2 servers for the next stage.
  • A variety of second-stage payloads (Ursnif, Vidar, ZLoader, Cobalt Strike, Bumbleloader, etc.) and legitimate remote tools (Atera, Syncro) are deployed post-infection.
  • The actors leverage malvertising, Google Ads/Keitaro TDS, and social engineering (e.g., Black Friday-themed campaigns) to lure victims.
  • Geographic distribution in Q4 2022 shows the United States leading infections, with several other countries affected.

MITRE Techniques

  • [T1189] Drive-by Compromise – Initial access through malicious advertisements and fake software sites; “Victims can be redirected to these websites via malvertising techniques.”
  • [T1059.007] JavaScript – First-stage payloads distributed as JavaScript files; “Starting November 27, 2022, we observed that Water Minyades actors switched to using JavaScript files instead of MSI files as the initial Batloader payload.”
  • [T1218.005] Signed Binary Proxy Execution: Mshta – Abuse of Mshta.exe to execute malicious code appended to PE files; “Mshta.exe – Is abused to execute malicious code appended to PE files.”
  • [T1027] Obfuscated/Compressed Files and Information – Use of obfuscated JavaScript and hyperinflated MSI sizes to evade detection; “the malicious JavaScript files as a first-stage payload” and “hyperinflating MSI file sizes … to evade sandbox analysis.”
  • [T1553.002] Subvert Trust Controls: Code Signing – Abuse of MSI digital signatures and Windows Authenticode to run malicious scripts appended to signed DLLs; “abuses MSI files’ legitimate digital signatures, exploits vulnerabilities related to Windows’ PE Authenticode signatures to execute malicious scripts that have been appended to signed DLLs.”
  • [T1105] Ingress Tool Transfer – The MSI/VHD/JS payloads connect to Batloader’s C2 to download next-stage payloads; “these scripts … connect to Batloader’s C&C server to download the next-stage payload.”
  • [T1562.001] Impair Defenses – Stopping security software by running open-source scripts; “Batloader executes open-sourced scripts that attempt to stop services related to security software, such as Windows Defender.”
  • [T1059.001] PowerShell – Abuse of PowerShell to execute malicious scripts; “PowerShell – Is abused to run malicious PowerShell scripts.”
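A defender-side check for the signed-PE abuse described under T1553.002 and T1218.005, added here as example code (not from the report or from Trend Micro): it measures what an Authenticode signature does not cover, namely slack inside the WIN_CERTIFICATE table beyond the PKCS#7 blob and any overlay appended after it, which is where appended scripts survive a signature check. build_sample_pe constructs a synthetic PE solely to exercise the check; the 8-byte threshold (the signer's alignment padding) is an assumption.

```python
import struct

def der_size(blob: bytes) -> int:
    """Header plus content length of the DER SEQUENCE at the start of blob (0 if none)."""
    if len(blob) < 2 or blob[0] != 0x30:
        return 0
    if blob[1] < 0x80:
        return 2 + blob[1]
    n = blob[1] & 0x7F
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def authenticode_slack(data: bytes) -> dict:
    """Bytes Authenticode never hashes: slack inside WIN_CERTIFICATE past the PKCS#7 blob, plus any overlay after it."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = opt + (112 if magic == 0x20B else 96)          # data directories: PE32+ / PE32
    cert_off, cert_size = struct.unpack_from("<II", data, dd + 4 * 8)  # SECURITY entry is a file offset
    image_end = 0
    for i in range(nsec):                               # end of the last section's raw data
        raw_size, raw_ptr = struct.unpack_from("<II", data, opt + opt_size + i * 40 + 16)
        image_end = max(image_end, raw_ptr + raw_size)
    end, slack = image_end, 0
    if cert_size:
        # WIN_CERTIFICATE: dwLength(4) wRevision(2) wCertificateType(2) bCertificate[]
        slack = cert_size - 8 - der_size(data[cert_off + 8:cert_off + cert_size])
        end = max(end, cert_off + cert_size)
    # signers pad the table to 8 bytes, so slack >= 8 is not mere alignment (assumed threshold)
    return {"cert_slack": slack, "overlay": len(data) - end, "suspicious": slack >= 8 or len(data) > end}

def build_sample_pe(cert_extra: bytes = b"", overlay: bytes = b"") -> bytes:
    """Constructed, non-runnable PE32+ with one section and a fake certificate table, for offline testing."""
    pe, raw_off, raw = 0x40, 0x200, b"\x90" * 0x200
    opt, opt_size = pe + 24, 240
    body = b"\x30\x04\x02\x02\x01\x02" + cert_extra     # tiny DER SEQUENCE stands in for the PKCS#7
    body += b"\0" * (-len(body) % 8)                    # 8-byte alignment, as a real signer would pad
    cert = struct.pack("<IHH", 8 + len(body), 0x200, 2) + body
    hdr = bytearray(raw_off)
    hdr[:2], hdr[pe:pe + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, pe)
    struct.pack_into("<HH", hdr, pe + 4, 0x8664, 1)     # machine AMD64, one section
    struct.pack_into("<H", hdr, pe + 20, opt_size)
    struct.pack_into("<H", hdr, opt, 0x20B)             # PE32+ magic
    struct.pack_into("<II", hdr, opt + 112 + 4 * 8, raw_off + len(raw), len(cert))
    struct.pack_into("<8sIIII", hdr, opt + opt_size, b".text", len(raw), 0x1000, len(raw), raw_off)
    return bytes(hdr) + raw + cert + overlay
```

Run authenticode_slack over a signed DLL or EXE from a suspect MSI chain; a large cert_slack or a non-zero overlay is worth a closer look even when the signature itself still validates.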

Indicators of Compromise

  • [URL] Batloader C&C/server domains – 105105105015[.]com, 24xpixeladvertising[.]com, clodtechnology[.]com, cloudupdatesss[.]com, externalchecksso[.]com, grammarlycheck2[.]com, installationsoftware1[.]com, installationupgrade6[.]com, internalcheckssso[.]com, t1pixel[.]com, updatea1[.]com, updateclientssoftware[.]com, updatecloudservice1[.]com
  • [SHA256] Batloader files – 23373654d02cb7eace… (Component of 2e65cfebde138e4dd816d3e8b8105e796c4eb38cfa27015938c0445ee5be8331), f8f3f22425ea72fafba5453c70c299367bd144c95e61b348d1e6dda0c469e219, 61e0926120f49b3d5edf3a5e0842b04640911974ecbbc93b6b33ca20c1f981bc
  • [File Name] – viewer.exe and Anydesk.msi (trojanized installer and a dropped executable in the chain)

Read more: https://www.trendmicro.com/en_us/research/23/a/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javasc.html