Putting on a mask on malware has always worked to trick users into downloading them, and the threat actors behind Batloader banked on just that. Trend Micro researchers tracked and analyzed Batloader-related developments toward the end of 2022. They identified 17 domains as indicators of compromise (IoCs) (see the table below), including three that rode on the popularity of Black Friday offers—a well-known cybercriminal tactic to lure users to download malware.

WhoisXML API researchers worked on adding the following artifacts to the existing list:

• Two unredacted registrant email addresses that led to the discovery of an additional malicious domain
• Five IoC IP resolutions, two of which turned out to be malicious
• 318 domains that shared the IoCs’ IP hosts, 35 of which have been confirmed to be malware hosts
• 2,283 domains that contained strings found among the IoCs, 69 of which have been dubbed malicious
• 2,875 domains that contained the names of the companies Batloader targeted
• 1,158 of the 2,875 domains with the target brand names had unredacted ownership details, 51 of which were confirmed malware hosts

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Identifying Potential Threat Vectors through WHOIS Connections

A bulk WHOIS lookup for the IoCs led to the discovery of two unredacted email addresses used to register two of the domains.

Reverse WHOIS searches for these artifacts allowed us to identify a yet-unpublicized domain—t1pixelsite[.]com—that turned out to be malicious, too. What’s more interesting, though, is that this artifact contained the string t1pixel akin to the IoC t1pixel[.]com, including the same TLD extension, apart from having the same registrant. A comparison of the two domains’ WHOIS records showed similarities in their registrar (PDR Ltd.) and creation date (9 November 2022).

These findings could indicate that t1pixelsite[.]com is part of the Batloader infrastructure and should be blocked as well.

Uncovering More Artifacts through DNS Relations

Next, we sought to find more digital breadcrumbs through the DNS lens.

DNS lookups for the IoCs showed they resolved to five IP addresses that don’t appear in the Batloader report. Two of these were confirmed to be malware hosts and may warrant blocking on users’ part—194[.]67[.]110[.]215 and 194[.]67[.]119[.]190.

To find more potential threat entry points, we subjected the IP addresses to reverse IP/DNS lookups that enabled us to collate 318 domains. A bulk malware check for these artifacts showed that 35 were malicious. Blocking access may be critical as they, like the IoCs, could be serving Batloader.

Since the IoCs contained identifiable unique strings (see the table below for the list), we then sought to find more domains that shared them.

Our Domains & Subdomains Discovery searches found 2,283 more artifacts, 69 of which have been dubbed malware hosts. All of them contained the string update.

Unveiling Typosquatting Properties through Domain Discovery

Trend Micro’s Batloader analysis listed 25 legitimate tools the malware posed as. We used these brands to seek out other potential attack vectors, specifically domains, created just last month.

Out of these 25 organizations, only 13 had unredacted WHOIS records—Adobe, CCleaner, FileZilla, Fortinet, GetNotes, Java, LogMeIn, Putty, Schwab, Slack, TradingView, Zoho, and Zoom. Based on this list, we performed record comparisons for the 2,875 domains possibly mimicking these companies. Of these, only six were actually owned by the companies the threat actors mimicked.

The table below shows the branded domain ownership breakdown.

A bulk malware check for the domains containing the brands mentioned in the Batloader report showed that 51 of them were malicious.

Our IoC list expansion uncovered 5,484 web properties that could be part of the Batloader infrastructure. Of these artifacts, 158 turned out to be malicious and warrant blocklist addition. In addition, the organizations Trend Micro dubbed as Batloader imitation targets may wish to report 1,100+ domains that contained their brands as domain strings for typosquatting as part of their brand protection efforts.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.