Zoom For You — SEO Poisoning to Distribute BATLOADER and Atera Agent

Keypoints

  • Mandiant links August 2021 CONTI leak to SEO-poisoning campaigns delivering BATLOADER and ATERA Agent.
  • The activity appears across victims in a wide range of industries and is suspected to be financially motivated.
  • Technical indicators include a large list of MD5 hashes associated with BATLOADER/ATERA samples.
  • Network indicators feature multiple malicious domains and two IPs used for hosting or command-and-control.
  • A YARA rule (M_Hunting_Downloader_BATLOADER_1) is provided to detect BATLOADER samples, including strings like “launch.bat” and “cmd.exe”.
  • The MITRE ATT&CK mapping covers a broad set of techniques from reconnaissance to C2, including PowerShell, Mshta/Msiexec, masquerading, and Kerberoasting.

MITRE Techniques

  • [T1593.002] Search Open Websites/Domains – Used to identify target websites or domains for SEO poisoning. Quote: “Search Open Websites/Domains (T1593.002)”
  • [T1584] Compromise Infrastructure – Used to establish infrastructure for campaigns. Quote: “Compromise Infrastructure (T1584)”
  • [T1608.001] Upload Malware – Stage capabilities to deliver payload. Quote: “Upload Malware (T1608.001)”
  • [T1587.001] Malware – Develop capabilities by deploying malware. Quote: “Malware (T1587.001)”
  • [T1195] Supply Chain Compromise – Initial Access via compromised software/providers. Quote: “Supply Chain Compromise (T1195)”
  • [T1059.001] PowerShell – Execution via PowerShell. Quote: “PowerShell (T1059.001)”
  • [T1059.003] Windows Command Shell – Execution via Windows Command Shell. Quote: “Windows Command Shell (T1059.003)”
  • [T1059.005] Visual Basic – Execution via Visual Basic. Quote: “Visual Basic (T1059.005)”
  • [T1547] Boot or Logon Autostart Execution – Persistence via startup execution. Quote: “Boot or Logon Autostart Execution (T1547)”
  • [T1547.001] Registry Run Keys / Startup Folder – Persistence via registry/run keys. Quote: “Registry Run Keys / Startup Folder (T1547.001)”
  • [T1133] External Remote Services – Privilege Escalation via remote services. Quote: “External Remote Services (T1133)”
  • [T1036] Masquerading – Defense Evasion through masquerading. Quote: “Masquerading (T1036)”
  • [T1027] Obfuscated Files or Information – Defense Evasion by obfuscation. Quote: “Obfuscated Files or Information (T1027)”
  • [T1070] Indicator Removal on Host – Defense Evasion via trace removal. Quote: “Indicator Removal on Host (T1070)”
  • [T1070.004] File Deletion – Defense Evasion by deleting files. Quote: “File Deletion (T1070.004)”
  • [T1218] Signed Binary Proxy Execution – Defense Evasion via signed proxy execution. Quote: “Signed Binary Proxy Execution (T1218)”
  • [T1218.005] Mshta – Signed Binary Proxy Execution via Mshta. Quote: “Mshta (T1218.005)”
  • [T1218.007] Msiexec – Signed Binary Proxy Execution via Msiexec. Quote: “Msiexec (T1218.007)”
  • [T1562] Impair Defenses – Defense Evasion by impairing protections. Quote: “Impair Defenses (T1562)”
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Specific impairment technique. Quote: “Impair Defenses: Disable or Modify Tools (T1562.001)”
  • [T1558] Kerberoasting – Credential Access technique. Quote: “Kerberoasting (T1558)”
  • [T1082] System Information Discovery – Discovery tactic. Quote: “System Information Discovery (T1082)”
  • [T1016] System Network Configuration Discovery – Discovery via network config. Quote: “System Network Configuration Discovery (T1016)”
  • [T1219] Remote Access Software – Command and Control via remote access software. Quote: “Remote Access Software (T1219)”

Indicators of Compromise

  • [MD5] – 1440caafb45e52b0b315c7467fcde11f, 2077d8a65c8b08d64123c4ba3f03cbdd, and the other hashes listed in the report's Technical Indicators & Warnings section
  • [Domain] – cmdadminu[.]com, zoomvideo-s[.]com, cloudfiletehnology[.]com, and the other network domains observed (defanged with [.])
  • [IP] – 178.21.11[.]77, 193.124.18[.]128 (defanged with [.])
  • [YARA] – M_Hunting_Downloader_BATLOADER_1, the rule provided to detect BATLOADER samples
  • [File name] – launch.bat (present in the YARA rule's strings)

Read more: https://www.mandiant.com/resources/seo-poisoning-batloader-atera