Keypoints
- New BAT loader variant is used to distribute multiple RAT and stealer families via OneNote attachments in spam emails.
- The infection chain starts with a OneNote spam attachment that drops a BAT loader; when the dropped BAT file runs, it launches the PowerShell content embedded in it.
- The BAT loader copies legitimate PowerShell.exe into the temp folder and runs obfuscated PowerShell code to decrypt, decompress, and load payloads in memory.
- The decryption/decompression pipeline uses Base64, AES, and GZip to reconstruct the .NET payload, which is then executed in memory as a .NET assembly.
- QuasarRAT and AsyncRAT payloads are delivered via the loader; additional threats include DCRAT, RedLine, and Stormkitty families observed in the wild.
- The researchers provide several IOCs (hashes, filenames, and an OpenDir IP) and recommend defensive steps like phishing detection, MFA, updates, and user education.
MITRE Techniques
- [T1204] User Execution – Spam emails and OneNote attachment deliver malware to users. “Threat Actors (TAs) are using spam emails to trick individuals into downloading malware” and “OneNote Attachment… spreads via spam email.”
- [T1059] Command and Scripting Interpreter – PowerShell used to run the delivered payload. “The PowerShell script reads a Base64 encoded content… from the file located at the path ‘C:UsersAppDataLocalTempIXP000.TMP’.”
- [T1027] Obfuscated/Compressed Files and Information – The loader uses obfuscation, Base64, AES, and gzip to hide the payload before execution. “Base64 encoded content is decoded… AES encrypted content” and “decompressed using a method… GZipStream.”
- [T1055] Process Injection – The decrypted payload is loaded and executed in memory as a .NET assembly. “The decompressed data (Portable Executable) is then loaded into a .NET assembly… The entry point of the assembly is invoked…”
- [T1036] Masquerading – The BAT loader disguises its activity by dropping and using legitimate system utilities. “The executed BAT file copies legitimate PowerShell.exe from system32 and drops it in the %temp% location as ‘Bill.bat.exe’ to run the PowerShell content inside the obfuscated BAT file.”
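The T1036 behaviour above (a legitimate PowerShell.exe copied into %temp% and renamed Bill.bat.exe) leaves a telemetry signature that does not depend on hashes: the PE version resource of the copy still says PowerShell.EXE while its image path and name do not. The following is an added example, not code from Cyble or from the digest, that checks constructed process-creation records for that mismatch. It assumes the record exposes the PE original file name and the image path (Sysmon Event ID 1 records both as OriginalFileName and Image); the Key=Value record format, the user name and the directories in the sample events are constructed. It generalizes the page's single case to cmd.exe and the Windows Script Host binaries, which are abused in the same way.

```python
"""Flag renamed or relocated copies of PowerShell and other script hosts.

Added example (not from the Cyble write-up). Field names follow Sysmon
Event ID 1 (Image, OriginalFileName); the records themselves are constructed.
"""
import ntpath
import re
from typing import Dict, List, Tuple

# Original file names (PE version resource) of script hosts worth watching.
# PowerShell.EXE is the case on the page; the others generalise the check.
WATCHED_ORIGINAL_NAMES = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Directories these hosts are legitimately launched from.
EXPECTED_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\system32\windowspowershell\v1.0",
    r"c:\windows\syswow64\windowspowershell\v1.0",
}

# Per-user and system Temp folders, where the loader drops its copy.
TEMP_DIR_RE = re.compile(r"\\(appdata\\local\\temp|windows\\temp)\\", re.IGNORECASE)

# Constructed sample telemetry: one benign PowerShell launch, the loader's
# renamed copy (Bill.bat.exe is the name given on the page; the user profile
# path is made up), an unrelated process, and a cmd.exe copy in Windows\Temp.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|OriginalFileName=PowerShell.EXE",
    r"Image=C:\Users\user1\AppData\Local\Temp\Bill.bat.exe|OriginalFileName=PowerShell.EXE",
    r"Image=C:\Program Files\Mozilla Firefox\firefox.exe|OriginalFileName=firefox.exe",
    r"Image=C:\Windows\Temp\cmd.exe|OriginalFileName=Cmd.Exe",
]


def parse_event(line: str) -> Dict[str, str]:
    """Parse a constructed 'Key=Value|Key=Value' process-creation record."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def assess(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event looks like a renamed/relocated script host.

    An empty list means the event is either not a watched binary or a
    watched binary running under its own name from an expected directory.
    """
    original = event.get("OriginalFileName", "").lower()
    if original not in WATCHED_ORIGINAL_NAMES:
        return []
    image = event.get("Image", "")
    directory, basename = ntpath.split(image)
    reasons: List[str] = []
    if basename.lower() != original:
        reasons.append(f"renamed: {basename} is really {original}")
    if directory.lower() not in EXPECTED_DIRS:
        reasons.append(f"unexpected directory: {directory}")
    if TEMP_DIR_RE.search(image):
        reasons.append("running from a Temp folder")
    return reasons


def find_suspicious(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Run assess() over raw records; return (image path, reasons) per hit."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = assess(event)
        if reasons:
            hits.append((event.get("Image", ""), reasons))
    return hits


if __name__ == "__main__":
    for image, reasons in find_suspicious(SAMPLE_EVENTS):
        print(image)
        for reason in reasons:
            print("   -", reason)
```

Matching on OriginalFileName rather than the on-disk name is what makes the check robust to the loader's naming choice; a renamed copy is flagged on the name mismatch alone, and an un-renamed copy in Temp is still caught by the directory checks.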
Indicators of Compromise
- [SHA256] Bill.exe – Bill.exe associated with the BAT loader delivering QuasarRAT; 7677442c6afc8aee0f4dfaaafb69fa290d1ec8d53b84763484e25c316df267cc
- [SHA256] Bill.bat (QuasarRAT) – cb36052775ff82522c60883729071f69b66a00413edce7d554e8af4c0d15e931 and 66329a56f2ab10fdd3050c07349ad41f802e9f100b9bd2925f9b0940ec3ff0a6
- [IP] OpenDir – 103.146.23.112
- [FileName] SHIPMENT_DOUMENTS.one – referenced as the OneNote attachment in spam.
Read more: https://blog.cyble.com/2023/02/02/new-batloader-disseminates-rats-and-stealers/