BatLoader Continues to Abuse Google Search Ads to Deliver Vidar…

BatLoader continues to abuse Google Search Ads to deliver Vidar Stealer and Ursnif by masquerading as legitimate software and using Windows Installer and Python-based loaders to fetch and run payloads. The campaign also impersonates popular apps (ChatGPT, Zoom, Adobe, etc.) and leverages a Python loader chain with PyArmor obfuscation to deploy malicious payloads and perform system reconnaissance and defense evasion. #BatLoader #Vidar

Keypoints

  • BatLoader leverages Google Search Ads to impersonate legitimate software like WinRAR and deliver malicious Windows Installer files.
  • The MSI contains Custom Actions that execute commands, including a hidden batch file that installs Python and launches Python scripts.
  • BatLoader uses PyArmor to protect Python loader scripts and relies on PyArmor-Unpacker to unpack them, then downloads and decrypts payloads.

MITRE Techniques

  • [T1189] Drive-by Compromise – Delivery via Google Search Ads impersonating software. Quote: ‘Google Search Ads were used to impersonate software such as WinRAR to deliver malicious Windows Installer files.’
  • [T1036] Masquerading – Windows Installer files masquerading as the above applications to launch embedded Python scripts. Quote: ‘Windows Installer files masquerading as the above applications to launch embedded Python scripts.’
  • [T1543.003] Windows Installer – The MSI file contains Custom Actions to execute commands. Quote: ‘The batch file (figure 3, insert) performs the following actions:’
  • [T1059.001] PowerShell – The loader uses PowerShell to download and execute payloads. Quote: ‘uses PowerShell to download and execute payloads (Redline Stealer, Ursnif, etc.)’
  • [T1059.003] Command-Line/Batch – The batch file installs Python, installs packages, unpacks OpenSSL, and starts Python files. Quote: ‘The batch file … performs the following actions: 1. Installs Python 3.9.9 using an included setup binary. 2. Uses pip to install pywin32 and wmi packages. 3. Unpacks the compressed OpenSSL library files using PowerShell into multiple locations. 4. Starts two Python files in sequence after a short timeout.’
  • [T1027] Obfuscated/Compressed Files and Information – Python files are protected with PyArmor and unpacked with PyArmor-Unpacker. Quote: ‘two Python files … were protected using PyArmor and require unpacking with tools such as PyArmor-Unpacker.’
  • [T1218] Signed Binary Proxy Execution – WorkFolder.exe is used with a signed execution LOLBAS technique to execute control.exe. Quote: ‘leveraging a signed execution LOLBAS technique to execute control.exe.’
  • [T1055] Process Injection – Ursnif’s binary is injected into the Explorer process. Quote: ‘the Ursnif binary which is injected into the Explorer process.’
  • [T1016] System Network Configuration Discovery – Python checks for domain-joined systems with ARP table characteristics before payload selection. Quote: ‘checks for curating payloads for domain-joined systems with more than 2 IP neighbors in the system’s ARP table.’
  • [T1562.001] Impair Defenses – Defender settings are modified to exclude paths, processes, and file extensions. Quote: ‘Decrypt control.exe.enc using the OpenSSL library … and the file is saved as control.exe.’
  • [T1547.001] Boot or Logon Autostart: Registry Run Keys – Ursnif persistence via a registry Run key. Quote: ‘Registry run key under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.’
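The MSI-to-batch-to-Python chain listed under T1059.003 and T1543.003 above is visible to a defender as a process tree rooted at msiexec.exe. The following detection sketch is an added example, not code from the eSentire post: it walks constructed process-creation events (file names such as install.bat and loader1.py are hypothetical) and flags an msiexec.exe tree once several of the described stages appear under it.

```python
import re

# Constructed process-creation events (not taken from the post) that mimic the
# described chain: msiexec Custom Action -> cmd.exe running a hidden batch file
# -> Python installer -> pip install pywin32 wmi -> PowerShell unpacking OpenSSL
# -> Python loader script. All file names and paths are hypothetical.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 4, "image": "msiexec.exe",
     "cmdline": "msiexec.exe /i AdobeSetup.msi"},
    {"pid": 101, "ppid": 100, "image": "cmd.exe",
     "cmdline": 'cmd.exe /c "C:\\ProgramData\\install.bat"'},
    {"pid": 102, "ppid": 101, "image": "python-3.9.9-amd64.exe",
     "cmdline": "python-3.9.9-amd64.exe /quiet InstallAllUsers=1"},
    {"pid": 103, "ppid": 101, "image": "python.exe",
     "cmdline": "python.exe -m pip install pywin32 wmi"},
    {"pid": 104, "ppid": 101, "image": "powershell.exe",
     "cmdline": "powershell.exe -c Expand-Archive openssl.zip -DestinationPath C:\\ProgramData\\o"},
    {"pid": 105, "ppid": 101, "image": "python.exe",
     "cmdline": "python.exe C:\\ProgramData\\loader1.py"},
    # Benign noise: a developer's pip install with no msiexec ancestor.
    {"pid": 200, "ppid": 50, "image": "python.exe",
     "cmdline": "python.exe -m pip install requests"},
]

# (stage name, image regex, command-line regex); a stage only counts when the
# process descends from msiexec.exe, which is what separates it from normal use.
INDICATORS = [
    ("batch_from_msi", r"^cmd\.exe$", r"\.bat"),
    ("python_setup", r"^python-3\.\d+\.\d+.*\.exe$", r"."),
    ("pip_pywin32_wmi", r"^python(\.exe)?$", r"pip install.*pywin32.*wmi"),
    ("powershell_unpack", r"^powershell\.exe$", r"Expand-Archive"),
    ("python_script", r"^python\.exe$", r"\.py\b"),
]


def msiexec_root(event, by_pid):
    """Walk the parent chain; return the pid of the nearest msiexec.exe, else None."""
    seen, cur = set(), event
    while cur and cur["pid"] not in seen:
        seen.add(cur["pid"])
        if cur["image"].lower() == "msiexec.exe":
            return cur["pid"]
        cur = by_pid.get(cur["ppid"])
    return None


def detect_batloader_chain(events, min_stages=3):
    """Map msiexec pid -> sorted stage names for trees showing >= min_stages stages."""
    by_pid = {e["pid"]: e for e in events}
    hits = {}
    for e in events:
        root = msiexec_root(e, by_pid)
        if root is None:
            continue  # not under an MSI install; ignore
        for name, img_re, cmd_re in INDICATORS:
            if re.search(img_re, e["image"], re.I) and re.search(cmd_re, e["cmdline"], re.I):
                hits.setdefault(root, set()).add(name)
    return {r: sorted(s) for r, s in hits.items() if len(s) >= min_stages}
```

Real telemetry (Sysmon event 1, EDR process events) supplies the same pid/ppid/image/cmdline fields; the stage list is deliberately narrow and should be tuned against your own MSI deployment baseline.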

Indicators of Compromise

  • [Domain] ChatGPT impersonation domains – chatgpt-t[.]com, zoomvideor[.]com, adobe-l[.]com, and other brand impersonation domains referenced for delivery pages.
  • [Domain] Additional brand impersonation domains used as hosting/imposter pages – e.g., spotify-uss[.]com, tableau-r[.]com, adobe-e[.]com, anydesk-o[.]com, anydesk-r[.]com, java-s[.]com, java-r[.]com, java-a[.]com, basecamp-a[.]com, adobe-a[.]com, visualstudio-t[.]com, openoffice-a[.]com, bitwarden-t[.]com, gimp-t[.]com, figma-t[.]com.
  • [MD5] 3db1edc5b5550f54abdcb5520cf91d75 – Vidar
  • [MD5] 0cb75b1192b23b8e03d955f1156ad19e – Ursnif
  • [MD5] 85fbc743bb686688ce05cf3289507bf7 – Ursnif
  • [MD5] 11ae3dabdb2d2458da43558f36114acb – AdobeSetup.msi (BatLoader)
  • [MD5] 9ebbe0a1b79e6f13bfca014f878ddeec – AdobeSetup.msi (BatLoader)
  • [URL] shvarcnegerhistory[.]com – BatLoader C2
  • [URL] Pixelarmada[.]su – BatLoader C2
  • [Domain] Ursnif C2 domains – uelcoskdi[.]ru, iujdhsndjfks[.]ru, isoridkf[.]ru, gameindikdowd[.]ru, jhgfdlkjhaoiu[.]su, reggy506[.]ru, reggy914[.]ru

Read more: https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif