
Catching Batloader Disguised as Legit Tools through Threat Vector Identification

Putting a mask on malware has always worked to trick users into downloading it, and the threat actors behind Batloader banked on just that. Trend Micro researchers tracked and analyzed Batloader-related developments toward the end of 2022. They identified 17 domains as indicators of compromise (IoCs) (see the list below), including three that rode on the popularity of Black Friday offers—a well-known cybercriminal tactic to lure users into downloading malware.

Batloader IoCs
• zoomofferblackfriday[.]com
• updatecloudservice1[.]com
• updateclientssoftware[.]com
• updatea1[.]com
• t1pixel[.]com
• slackcloudservices[.]com
• logmeinofferblackfriday[.]com
• internalcheckssso[.]com
• installationupgrade6[.]com
• installationsoftware1[.]com
• grammarlycheck2[.]com
• externalchecksso[.]com
• cloudupdatesss[.]com
• clodtechnology[.]com
• anydeskofferblackfriday[.]com
• 24xpixeladvertising[.]com
• 105105105015[.]com

WhoisXML API researchers worked on adding the following artifacts to the existing list:

• Two unredacted registrant email addresses that led to the discovery of an additional malicious domain
• Five IoC IP resolutions, two of which turned out to be malicious
• 318 domains that shared the IoCs’ IP hosts, 35 of which have been confirmed to be malware hosts
• 2,283 domains that contained strings found among the IoCs, 69 of which have been dubbed malicious
• 2,875 domains that contained the names of the companies Batloader targeted
• 1,158 of the 2,875 domains with the target brand names had unredacted ownership details, 51 of which were confirmed malware hosts

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Identifying Potential Threat Vectors through WHOIS Connections

A bulk WHOIS lookup for the IoCs led to the discovery of two unredacted email addresses used to register two of the domains.

Reverse WHOIS searches for these artifacts allowed us to identify a yet-unpublicized domain—t1pixelsite[.]com—that turned out to be malicious, too. More interestingly, besides sharing a registrant with the IoC t1pixel[.]com, this domain also contains the string t1pixel and uses the same TLD. A comparison of the two domains’ WHOIS records showed further similarities in their registrar (PDR Ltd.) and creation date (9 November 2022).

These findings could indicate that t1pixelsite[.]com is part of the Batloader infrastructure and should be blocked as well.

Uncovering More Artifacts through DNS Relations

Next, we sought to find more digital breadcrumbs through the DNS lens.

DNS lookups for the IoCs showed they resolved to five IP addresses that don’t appear in the Batloader report. Two of these were confirmed to be malware hosts and may warrant blocking on users’ part—194[.]67[.]110[.]215 and 194[.]67[.]119[.]190.

To find more potential threat entry points, we subjected the IP addresses to reverse IP/DNS lookups that enabled us to collate 318 domains. A bulk malware check for these artifacts showed that 35 were malicious. Blocking access may be critical as they, like the IoCs, could be serving Batloader.
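The two pivots described above (registrant email via reverse WHOIS, and IP host via reverse IP/DNS) can be expressed as a small expansion routine. The following is an added example, not WhoisXML API's own code or tooling: the WHOIS and DNS snapshots are constructed for illustration, with only the PDR Ltd. registrar, the 9 November 2022 creation date and the two 194[.]67 addresses taken from the article; the registrant email and all other domains and IPs are placeholders. It also shows why the article corroborated the shared registrant with registrar and creation date: a shared email alone also pulls in an unrelated domain.

```python
"""Pivot from seed IoCs through shared registrant e-mails and IP hosts.

Added example, not WhoisXML API's code or tooling. All records below are
constructed: the registrar (PDR Ltd.), the 9 November 2022 creation date
and the two 194.67.x.x addresses come from the article; the registrant
e-mail and every other domain/IP are placeholders.
"""
from collections import defaultdict
from datetime import date

REDACTED = "REDACTED FOR PRIVACY"   # how privacy-protected registrants appear

# Constructed WHOIS snapshot: domain -> registrant e-mail, registrar, creation date.
WHOIS = {
    "t1pixel.com":            {"email": "registrant@example.invalid", "registrar": "PDR Ltd.",    "created": date(2022, 11, 9)},
    "t1pixelsite.com":        {"email": "registrant@example.invalid", "registrar": "PDR Ltd.",    "created": date(2022, 11, 9)},
    "updatea1.com":           {"email": REDACTED,                     "registrar": "Registrar-X", "created": date(2022, 11, 3)},
    "unrelated-shop.example": {"email": "registrant@example.invalid", "registrar": "Registrar-Y", "created": date(2019, 5, 1)},
    "neighbour-1.example":    {"email": REDACTED,                     "registrar": "Registrar-X", "created": date(2022, 10, 20)},
}

# Constructed A-record snapshot: domain -> IPv4 addresses it resolves to.
DNS = {
    "t1pixel.com":            {"194.67.110.215"},
    "updatea1.com":           {"194.67.119.190"},
    "neighbour-1.example":    {"194.67.110.215"},
    "neighbour-2.example":    {"194.67.119.190", "203.0.113.5"},
    "unrelated-shop.example": {"203.0.113.5"},
}

SEEDS = ["t1pixel.com", "updatea1.com"]   # two of the published IoCs


def unredacted_emails(seeds, whois=WHOIS):
    """Registrant e-mails on the seed records that are not privacy-masked."""
    return sorted({whois[d]["email"] for d in seeds if d in whois and whois[d]["email"] != REDACTED})


def reverse_whois(emails, whois=WHOIS, exclude=()):
    """Other domains registered with any of the given e-mails."""
    wanted, skip = set(emails), set(exclude)
    return sorted(d for d, r in whois.items() if r["email"] in wanted and d not in skip)


def whois_overlap(a, b, whois=WHOIS):
    """WHOIS fields two domains share; more shared fields means a stronger link."""
    ra, rb = whois[a], whois[b]
    return sorted(k for k in ("email", "registrar", "created") if ra[k] == rb[k] and ra[k] != REDACTED)


def resolve_ips(seeds, dns=DNS):
    """Union of the IPs the seed domains resolve to."""
    ips = set()
    for d in seeds:
        ips |= dns.get(d, set())
    return sorted(ips)


def reverse_ip(ips, dns=DNS, exclude=()):
    """Other domains sharing any of the given IP hosts."""
    wanted, skip = set(ips), set(exclude)
    return sorted(d for d, addrs in dns.items() if addrs & wanted and d not in skip)


def expand(seeds, whois=WHOIS, dns=DNS):
    """Seeds -> registrant e-mails and IPs -> candidate domains, with the reason each surfaced."""
    reasons = defaultdict(set)
    for d in reverse_whois(unredacted_emails(seeds, whois), whois, exclude=seeds):
        reasons[d].add("registrant-email")
    for d in reverse_ip(resolve_ips(seeds, dns), dns, exclude=seeds):
        reasons[d].add("shared-ip")
    return {d: sorted(r) for d, r in sorted(reasons.items())}


if __name__ == "__main__":
    for domain, why in expand(SEEDS).items():
        print(f"{domain:24} via {', '.join(why)}")
    # A shared registrant alone is a weak link; check how much else the records agree on.
    for cand in ("t1pixelsite.com", "unrelated-shop.example"):
        print(f"t1pixel.com vs {cand}: shares {whois_overlap('t1pixel.com', cand)}")
```

Every candidate returned by expand() carries the reason it surfaced, so an analyst can prioritize: a domain that matches on registrant email, registrar and creation date (three shared fields) is a far stronger infrastructure link than one that merely shares an IP on a busy host, which is why the 318 shared-IP domains still needed a separate malware check.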

Since the IoCs contained identifiable unique strings (see the table below for the list), we then sought to find more domains that shared them.

Domains & Subdomains Discovery Search Strings Used
• zoomofferblackfriday.
• updatecloudservice*.
• updateclientssoftware.
• updatea*.
• t1pixel.
• slackcloudservices.
• logmeinofferblackfriday.
• internalcheckssso.
• installationupgrade*.
• installationsoftware*.
• grammarlycheck*.
• externalchecksso.
• cloudupdatesss.
• clodtechnology.
• anydeskofferblackfriday.
• 24xpixeladvertising.
• 105105105015.

Our Domains & Subdomains Discovery searches found 2,283 more artifacts, 69 of which have been dubbed malware hosts. All of them contained the string update.
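To make the search-string step reproducible, the strings above can be compiled into matchers and run over any candidate domain feed. This is an added example, not WhoisXML API's Domains & Subdomains Discovery tool: the search strings are the article's, but the wildcard semantics are an assumption (a `*` stands for any run of label characters, and the trailing `.` means the string must end a label), and the candidate domains are constructed.

```python
"""Turn the article's search strings into matchers and run them over candidate domains.

Added example, not WhoisXML API's Domains & Subdomains Discovery tool. The
search strings are the article's; the assumed wildcard semantics are that
'*' stands for any run of label characters and the trailing '.' means the
string must end a label. The candidate domains are constructed.
"""
import re

SEARCH_STRINGS = [
    "zoomofferblackfriday.", "updatecloudservice*.", "updateclientssoftware.",
    "updatea*.", "t1pixel.", "slackcloudservices.", "logmeinofferblackfriday.",
    "internalcheckssso.", "installationupgrade*.", "installationsoftware*.",
    "grammarlycheck*.", "externalchecksso.", "cloudupdatesss.", "clodtechnology.",
    "anydeskofferblackfriday.", "24xpixeladvertising.", "105105105015.",
]

# Constructed candidates, as a reverse-lookup or zone feed might return them.
CANDIDATES = [
    "updatecloudservice1.com",
    "cdn.updatecloudservice22.net",
    "updateclientssoftware.info",
    "updatea1.com",
    "grammarlycheck.example",
    "t1pixelsite.com",      # found via WHOIS in the article; note it does NOT match "t1pixel."
    "example.org",
]


def compile_search_string(s):
    """'updatea*.' -> regex for 'updatea', any label characters, then a dot."""
    if not s.endswith("."):
        raise ValueError(f"search string must end with '.': {s!r}")
    body = re.escape(s[:-1]).replace(r"\*", "[a-z0-9-]*")
    return re.compile(body + r"\.", re.IGNORECASE)


PATTERNS = [(s, compile_search_string(s)) for s in SEARCH_STRINGS]


def match_domains(candidates, patterns=PATTERNS):
    """Map each candidate domain to the search strings it satisfies (unmatched domains are omitted)."""
    hits = {}
    for domain in candidates:
        matched = [s for s, rx in patterns if rx.search(domain)]
        if matched:
            hits[domain] = matched
    return hits


def share_of_hits_containing(hits, needle="update"):
    """Fraction of matched domains containing a substring, e.g. the 'update' theme the article notes."""
    if not hits:
        return 0.0
    return sum(needle in d for d in hits) / len(hits)


if __name__ == "__main__":
    hits = match_domains(CANDIDATES)
    for domain, matched in hits.items():
        print(f"{domain:32} <- {', '.join(matched)}")
    print(f"{share_of_hits_containing(hits):.0%} of hits contain 'update'")
```

Note that t1pixelsite[.]com is not a hit: the string t1pixel. requires the label to end right after t1pixel, so that domain only surfaces through the WHOIS pivot. Running more than one expansion technique is what catches such cases.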

Unveiling Typosquatting Properties through Domain Discovery

Trend Micro’s Batloader analysis listed 25 legitimate tools the malware posed as. We used these brands to seek out other potential attack vectors, specifically domains created just last month.

Out of these 25 organizations, only 13 had unredacted WHOIS records—Adobe, CCleaner, FileZilla, Fortinet, GetNotes, Java, LogMeIn, Putty, Schwab, Slack, TradingView, Zoho, and Zoom. Based on this list, we performed record comparisons for the 2,875 domains possibly mimicking these companies. Of these, only six were actually owned by the companies the threat actors mimicked.

The table below shows the branded domain ownership breakdown.

Branded Domain Ownership Shares

Target Company   Owned   Not Owned
Adobe                1         231
CCleaner             0          32
FileZilla            0          10
Fortinet             0          13
GetNotes             0           2
Java                 0         930
LogmeIn              0           2
Putty                0          16
Schwab               0         102
Slack                0         157
TradingView          0         130
Zoho                 5          86
Zoom                 0       1,158

A bulk malware check for the domains containing the brands mentioned in the Batloader report showed that 51 of them were malicious.
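The ownership comparison behind the table above can be automated: collect domains that contain a target brand, compare the registrant organization on each WHOIS record with the brand owner's, and keep privacy-redacted records in their own bucket rather than counting them as either owned or not owned (the article could only compare the 1,158 unredacted records). This is an added example, not WhoisXML API's code; the brand owner organizations and the candidate domain/registrant pairs are constructed placeholders, not values pulled from live WHOIS.

```python
"""Triage brand-containing domains by comparing registrant organizations.

Added example, not WhoisXML API's code. Brand owner organizations and the
candidate domain/registrant pairs are constructed placeholders, not values
pulled from live WHOIS.
"""
import re
from collections import Counter

# Assumed legitimate registrant organizations per brand (placeholders).
BRAND_OWNERS = {
    "zoom": "Zoom Video Communications, Inc.",
    "slack": "Slack Technologies, LLC",
    "adobe": "Adobe Inc.",
}

# Constructed (domain, registrant organization) pairs; redacted records mimic privacy-protected WHOIS.
CANDIDATES = [
    ("zoom.example",                  "Zoom Video Communications, Inc."),
    ("zoomofferblackfriday.com",      "REDACTED FOR PRIVACY"),
    ("zoom-update-client.example",    "Example Hosting Reseller"),
    ("slack-cloud-services.example",  "REDACTED FOR PRIVACY"),
    ("slackapp.example",              "slack technologies llc"),   # same owner, different formatting
    ("adobe-reader-free.example",     "Unknown Individual"),
    ("mushroom-farm.example",         "Forest Goods Ltd"),         # contains no target brand
]

CORPORATE_SUFFIXES = {"inc", "llc", "ltd", "corp", "corporation", "co"}


def normalize_org(org):
    """Lowercase, strip punctuation and corporate suffixes so spelling variants compare equal."""
    words = re.sub(r"[^a-z0-9 ]", " ", org.lower()).split()
    return " ".join(w for w in words if w not in CORPORATE_SUFFIXES)


def brands_in(domain, owners=BRAND_OWNERS):
    """Target brands that appear as substrings of the domain name."""
    name = domain.lower()
    return [b for b in owners if b in name]


def classify(domain, org, owners=BRAND_OWNERS):
    """(brand, verdict) per brand found: owned, not_owned, or redacted (cannot tell)."""
    verdicts = []
    for brand in brands_in(domain, owners):
        if "redacted" in org.lower():
            verdicts.append((brand, "redacted"))
        elif normalize_org(org) == normalize_org(owners[brand]):
            verdicts.append((brand, "owned"))
        else:
            verdicts.append((brand, "not_owned"))
    return verdicts


def ownership_table(candidates, owners=BRAND_OWNERS):
    """Per-brand counts in the shape of the Branded Domain Ownership Shares table, plus a redacted column."""
    table = {b: Counter() for b in owners}
    for domain, org in candidates:
        for brand, verdict in classify(domain, org, owners):
            table[brand][verdict] += 1
    return {b: dict(c) for b, c in table.items()}


if __name__ == "__main__":
    print(f"{'Brand':8} {'Owned':>6} {'Not owned':>10} {'Redacted':>9}")
    for brand, counts in ownership_table(CANDIDATES).items():
        print(f"{brand:8} {counts.get('owned', 0):6} {counts.get('not_owned', 0):10} {counts.get('redacted', 0):9}")
```

The "not owned" bucket is the input to the next step, a bulk malware check; the "redacted" bucket is where a brand owner's complaint to the registrar, rather than a WHOIS comparison, is needed to establish ownership.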


Our IoC list expansion uncovered 5,484 web properties that could be part of the Batloader infrastructure. Of these artifacts, 158 turned out to be malicious and warrant blocklist addition. In addition, the organizations Trend Micro dubbed as Batloader imitation targets may wish to report 1,100+ domains that contained their brands as domain strings for typosquatting as part of their brand protection efforts.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
