The malware downloader known as BATLOADER has been observed abusing Google Ads to deliver secondary payloads such as Vidar Stealer and Ursnif.
According to the cybersecurity company eSentire, the malicious ads are used to spoof a wide range of legitimate apps and services such as Adobe, OpenAI's ChatGPT, Spotify, Tableau, and Zoom.
BATLOADER, as the name suggests, is a loader responsible for distributing the next stage of malware, such as information stealers, banking malware, Cobalt Strike, and even ransomware.
One of the main characteristics of BATLOADER operations is the use of software impersonation tactics for delivering malware.
This is achieved by setting up lookalike websites that host Windows installer files posing as legitimate apps; the infection sequence is triggered when a user searching for the software clicks on a malicious ad on a Google search results page.
These MSI installer files, when launched, execute Python scripts containing the BATLOADER payload to capture the next stage of the malware from a remote server.
This modus operandi marks a slight shift from the attack chains observed in December 2022, when MSI installer packages were used to run PowerShell scripts to download the stealer malware.
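The two chains described above share one observable relationship on the endpoint: an MSI installer process launching a script interpreter, Python in the current samples and PowerShell in the December 2022 ones. The following is an added example, not code from the article, from eSentire, or from BATLOADER, of a small detection that flags that parent/child pairing in process-creation telemetry. The event fields are an assumption modelled loosely on Sysmon Event ID 1, and the sample events, hosts and paths are constructed for the example.

```python
# Added example (not from the article or eSentire): flag process-creation events
# in which an MSI installer (msiexec.exe) spawns a Python interpreter (the chain
# described in the article) or a PowerShell host (the December 2022 chain).
# Event shape is an assumption modelled loosely on Sysmon Event ID 1 fields.
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_image: str   # full path of the parent process
    image: str          # full path of the newly created process
    command_line: str


# Installer hosts that sit on the parent side of the relationship.
INSTALLER_IMAGES = {"msiexec.exe"}

# Script interpreters on the child side, tagged with the chain they indicate.
INTERPRETERS = {
    "python.exe": "python-loader",
    "pythonw.exe": "python-loader",
    "python3.exe": "python-loader",
    "powershell.exe": "powershell-loader",
    "pwsh.exe": "powershell-loader",
}

# Constructed sample telemetry (hypothetical hosts, users and paths).
SAMPLE_EVENTS = [
    ProcessEvent("ws-01", r"C:\Windows\System32\msiexec.exe",
                 r"C:\Users\alice\AppData\Local\Temp\python\python.exe",
                 r'python.exe "C:\Users\alice\AppData\Local\Temp\setup.py"'),
    ProcessEvent("ws-02", r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Python311\python.exe",
                 r'python.exe "C:\dev\tool.py"'),
    ProcessEvent("ws-03", r"C:\Windows\System32\msiexec.exe",
                 r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c echo done"),
    # Mixed-case path: the detector must normalise names before comparing.
    ProcessEvent("ws-04", r"C:\WINDOWS\SYSTEM32\MSIEXEC.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -ExecutionPolicy Bypass -File install.ps1"),
]


def _basename(path: str) -> str:
    """Case-insensitive file name of a Windows path (works on any OS)."""
    return PureWindowsPath(path).name.lower()


def classify(event: ProcessEvent) -> Optional[str]:
    """Return the chain label when an installer spawned a script interpreter,
    otherwise None."""
    if _basename(event.parent_image) not in INSTALLER_IMAGES:
        return None
    return INTERPRETERS.get(_basename(event.image))


def find_installer_interpreter_launches(
        events: List[ProcessEvent]) -> List[Tuple[str, str, str]]:
    """Return (host, label, command_line) for every matching event."""
    hits = []
    for ev in events:
        label = classify(ev)
        if label is not None:
            hits.append((ev.host, label, ev.command_line))
    return hits


if __name__ == "__main__":
    for host, label, cmd in find_installer_interpreter_launches(SAMPLE_EVENTS):
        print(f"{host}: {label}: {cmd}")
```

The match keys on the parent/child relationship rather than on the download itself, because the fetch of the next stage happens inside the interpreter and its destination changes from campaign to campaign. Some legitimate products do bundle Python or run PowerShell from MSI custom actions, so hits are a triage queue to be checked against the installer's signer and source, not an automatic block.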
Other BATLOADER samples analyzed by eSentire also revealed additional capabilities that allow the malware to establish entrenched access to enterprise networks.
“BATLOADER has continued to see changes and improvements since it first appeared in 2022,” eSentire said.
“BATLOADER targets a variety of popular applications for impersonation. This is no accident, as these applications are commonly found in business networks and thus, they yield a more valuable foothold for monetization through fraud or hands-on-keyboard interference.”