Back in February, Mandiant reported on the discovery of a new piece of malware they called “BATLOADER”. The malware is delivered via malicious websites disguised as download sites for legitimate consumer software. To extend the reach of those sites, the attackers bought search advertising that placed them in front of users looking to download particular kinds of software. A recent blog post by researchers at VMware Carbon Black indicates that the tool continues to be widely distributed.
The loader can deliver several different payloads and is structured so that the early stages of an attack are difficult to detect by traditional, signature-based means. Once it executes on a system, it uses built-in operating system tools (a “living off the land” approach) to establish itself, so it leaves little that a signature can match. In other words, it is extremely important to stop this malware, and the websites that distribute it, before it runs on a targeted machine, because it is unlikely to be detected during the initial stages of infection.
Unlike malware that exploits zero-day vulnerabilities to compromise a system without user interaction, BATLOADER requires the user to download and run the malicious file themselves. The attackers rely on social engineering and misleading websites to convince users that they are downloading legitimate software.
In one case documented in the Mandiant report, the attackers posted a question in a forum asking where to find a copy of Microsoft Visual Studio 2015. The actor then used a second forum account to reply with a link to one of their malware delivery pages, presenting it as the “only” place the software could be found. The page linked from the forum post was made to look like a typical download site and the file had a legitimate-sounding name, but the installer loaded the malware onto the user’s system instead.
This attack abuses user trust at several levels. First, because the malware is presented as legitimate software in paid advertising and in forum conversations, users are inclined to view the source as legitimate. Next, once they click on links that appear in seemingly trustworthy places such as Google search results, the files they download carry the names of legitimate software, making it more likely that users will run them.
Fortunately, ConcealBrowse protects against this attack by deciding what to load, and how to load it, based on facts and data rather than on trust. Regardless of where a user comes across the links used by the attackers behind BATLOADER – whether a forum they trust or Google search results – ConcealBrowse scans every URL and opens risky sites in a protected cloud environment rather than on the user’s device. This prevents sites from automatically downloading files to the user’s machine and ensures that any files downloaded in the protected environment are scanned and, if necessary, blocked before they ever enter your network.
Because the file never makes it onto the user’s machine, the attack is stopped before it can start. This means that the malware never enters your organization’s network, and your cyber security teams never have to track down and remove the malware, repair damaged systems, or deal with lost data.