BatLoader distributes malware via Google Ads

SISA Weekly Threat Watch - 20 March 2023

Cybercriminals are building malware families that grow more dangerous by adopting more structured development cycles and programming practices. Threat actors keep experimenting with evasion techniques to slip past security solutions. This past week researchers observed threat actors embedding malicious Office file types inside OneNote documents, spoofing legitimate apps and services, and relying on other executable file tactics such as Java, Python, SCR, MSI, and others.

SISA Weekly Threat Watch, our weekly feature, brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories also provide information and recommendations that help security teams take appropriate action to defend against the latest critical threats.

1. Qakbot evolves to OneNote malware distribution

There has been a rise in the number of Qakbot campaigns since the end of January 2023 that distribute malware via OneNote documents, a novel delivery technique. Qakbot was initially distributed through phishing emails and exploit kits, and it primarily targeted financial institutions in the United States and Canada. Over the years, Qakbot has evolved and become more sophisticated, incorporating new techniques such as using encrypted command and control communications, obfuscating code to avoid detection by security software, and incorporating anti-analysis techniques to make it harder for researchers to study the malware.

The campaigns alternate between two attack vectors: an email attachment containing a malicious file, and a URL from which the malware is downloaded. The OneNote documents contain a call-to-action button that, when clicked, launches the embedded payload. To prevent such attacks, it is recommended to block emails with attachments that have unusual extensions, avoid malicious websites, and block rarely used top-level domains.
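The OneNote lure works because the .one file carries the payload as an embedded file object. The scanner below is an added example (not from the advisory or from any vendor tool) that triages such files before a user can click the button: it locates every FileDataStoreObject by its fixed MS-ONESTORE header GUID, pulls out the embedded bytes, and labels them by magic bytes or a script heuristic. The GUID values are the published MS-ONESTORE constants; the sample .one blob, the type labels and the script markers are constructed for this demo.

```python
"""Find embedded file objects inside a OneNote (.one) file and flag risky types.

Added example, not from the advisory. OneNote stores attachments as
FileDataStoreObject structures (MS-ONESTORE): a fixed header GUID, an 8-byte
length, 12 bytes of unused/reserved fields, the raw file bytes, then a footer
GUID. Searching for the header GUID finds every attachment without parsing the
whole revision store.
"""
import struct
from dataclasses import dataclass
from typing import List

# GUIDs from MS-ONESTORE FileDataStoreObject, in on-disk (little-endian) byte order.
FILE_DATA_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")  # {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
FILE_DATA_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")  # {71FBA722-0F79-4A0B-BB13-899256426B24}
DATA_OFFSET = 36  # guidHeader(16) + cbLength(8) + unused(4) + reserved(8)

# Magic bytes for container types worth escalating; script detection is a heuristic (constructed list).
MAGIC_TYPES = (
    (b"MZ", "pe-executable"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole-compound-document"),
    (b"PK\x03\x04", "zip-or-ooxml"),
    (b"%PDF", "pdf"),
)
SCRIPT_MARKERS = (b"<script", b"<hta:", b"wscript", b"cscript", b"powershell", b"@echo", b"cmd /c", b"mshta")
RISKY_KINDS = {"pe-executable", "ole-compound-document", "script-text"}


@dataclass
class EmbeddedFile:
    offset: int   # byte offset of the FileDataStoreObject header inside the .one file
    size: int     # cbLength: number of payload bytes
    kind: str
    data: bytes


def classify(blob: bytes) -> str:
    """Label an embedded payload by magic bytes, falling back to a script heuristic."""
    for magic, kind in MAGIC_TYPES:
        if blob.startswith(magic):
            return kind
    head = blob[:512].lower()
    if any(marker in head for marker in SCRIPT_MARKERS):
        return "script-text"
    return "other"


def extract_embedded_files(one_bytes: bytes) -> List[EmbeddedFile]:
    """Walk every FileDataStoreObject; skip objects whose declared length runs past the file."""
    found: List[EmbeddedFile] = []
    pos = one_bytes.find(FILE_DATA_HEADER)
    while pos != -1:
        if pos + DATA_OFFSET > len(one_bytes):
            break  # truncated header: nothing more to read
        (size,) = struct.unpack_from("<Q", one_bytes, pos + 16)
        start, end = pos + DATA_OFFSET, pos + DATA_OFFSET + size
        if size == 0 or end > len(one_bytes):
            pos = one_bytes.find(FILE_DATA_HEADER, pos + 16)  # malformed object: resume after its header
            continue
        payload = one_bytes[start:end]
        found.append(EmbeddedFile(pos, size, classify(payload), payload))
        pos = one_bytes.find(FILE_DATA_HEADER, end)
    return found


def risky_embedded_files(one_bytes: bytes) -> List[EmbeddedFile]:
    """The subset a mail gateway or EDR would quarantine."""
    return [f for f in extract_embedded_files(one_bytes) if f.kind in RISKY_KINDS]


def build_file_data_object(payload: bytes) -> bytes:
    """Build one FileDataStoreObject; used only to construct the sample below."""
    return FILE_DATA_HEADER + struct.pack("<Q", len(payload)) + b"\x00" * 12 + payload + FILE_DATA_FOOTER


# Constructed sample: the .one file-type GUID, filler, a fake PE stub and a harmless batch script.
ONE_FILE_TYPE_GUID = bytes.fromhex("e4525c7b8cd8a74daeb15378d02996d3")  # {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}
SAMPLE_ONE = (
    ONE_FILE_TYPE_GUID + b"\x00" * 32
    + build_file_data_object(b"MZ\x90\x00" + b"\x00" * 60)
    + b"\x00" * 8
    + build_file_data_object(b"@echo off\r\necho constructed sample\r\n")
    + b"\x00" * 16
)

if __name__ == "__main__":
    for f in risky_embedded_files(SAMPLE_ONE):
        print(f"offset={f.offset} size={f.size} kind={f.kind}")
```

Run against a real .one file by passing `open(path, "rb").read()` to `risky_embedded_files`. The length check matters: a crafted length field must not let the scanner read past the file or mis-align the next object, so malformed objects are skipped rather than trusted.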

2. Fortinet warns of new critical unauthenticated RCE vulnerability

Fortinet has released a security advisory to address CVE-2023-25610, a heap-based buffer underflow vulnerability in FortiOS and FortiProxy with a CVSSv3 score of 9.3. According to the Fortinet advisory, a buffer underwrite vulnerability in the FortiOS and FortiProxy administrative interface might allow a remote, unauthenticated attacker to run arbitrary code on the device or perform a denial-of-service attack against the GUI.

An underflow bug (or buffer underrun) occurs when the incoming data is smaller than the available space. It can cause unpredictable behavior or disclose sensitive data from memory. In addition to reviewing Fortinet’s Security Advisory and applying the relevant updates, the recommended workarounds are to disable the HTTP/HTTPS administration interface or to restrict the IP addresses that can access it.

3. GlobeImposter ransomware is being distributed with MedusaLocker

Researchers recently observed that the threat actors behind MedusaLocker are also actively spreading the GlobeImposter ransomware. The actor typically creates a “skynet work” subdirectory inside the “Music” directory and drops the malware there. After compromising a system, the MedusaLocker actors also install shared-folder scanners, Mimikatz, a network password recovery tool, and port scanners.

According to a recent report, the ransomware is being distributed using RDP (Remote Desktop Protocol) as the attack vector. It is worth noting that the email and onion addresses used by the MedusaLocker group also appear in the ransom note of the GlobeImposter ransomware. To reduce the number of attack attempts, users are advised to keep RDP turned off while not in use. To defend against dictionary and brute-force attacks, it is also advised to use a complex RDP account password that is changed regularly.

4. BatLoader abuses Google Search Ads to spread Vidar Stealer and Ursnif

The malware downloader known as BatLoader has been observed abusing Google Ads to deliver secondary payloads such as Vidar Stealer and Ursnif. The malicious ads spoof a wide range of legitimate apps and services, including Adobe, OpenAI’s ChatGPT, Spotify, Tableau, and Zoom. One of the key traits of the BatLoader operations is the use of software impersonation for malware delivery.

This is achieved by setting up lookalike websites that host Windows installer files masquerading as legitimate apps to trigger the infection sequence when a user searching for the software clicks a rogue ad on the Google search results page. These MSI installer files, when launched, execute Python scripts that contain the BatLoader payload to retrieve the next-stage malware from a remote server. It is recommended to deploy a Next-Generation Antivirus (NGAV) or Endpoint Detection and Response (EDR) solution to identify and manage potential security threats.

5. New Golang-based malware breaches web servers via brute-force attacks

A new Golang-based malware named GoBruteforcer has been seen targeting web servers to add them to its botnet. It appears to specifically target web servers running phpMyAdmin, MySQL, FTP, and Postgres services within a network. GoBruteforcer is compatible with an array of processor architectures, including x86, x64, and ARM. It attempts to gain access to Unix-like hosts by brute-forcing weak passwords.

The malware’s developers have added a multiscan module to its source code to scan for a broader set of potential target machines. GoBruteforcer uses a Classless Inter-Domain Routing (CIDR) block to search the network at the time of the attack. After a successful intrusion, GoBruteforcer launches an IRC bot containing the attacker’s URL. It then begins communicating with the C2 server and waits for further commands from the attackers. Changing default passwords and enforcing a strong password policy with 2FA are the best ways to prevent threats from brute forcers.
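Both the RDP vector in item 3 and the phpMyAdmin/MySQL/FTP/Postgres brute-forcing in item 5 leave the same footprint: a burst of failed logins from one source against one service. The detector below is an added example (not from the advisory or from any of the named products) that normalises a few failed-login line formats into events and alerts once per (source IP, service) when a threshold of failures falls inside a sliding window. The log line formats, the Windows event JSON export shape, the sample log and the threshold are constructed for this demo; the EventID 4625 and LogonType 10 values are the standard Windows meanings (failed logon, RemoteInteractive).

```python
"""Windowed failed-login detector covering the RDP brute-force vector (item 3) and
the phpMyAdmin/MySQL/FTP/Postgres brute-forcing of item 5.

Added example, not from the advisory. The log formats are constructed for this
demo to resemble the respective services' logs; adapt TEXT_PATTERNS to the exact
format of your own logs before relying on it.
"""
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

TS_FMT = "%Y-%m-%dT%H:%M:%S"
Event = Tuple[datetime, str, str]  # (timestamp, service, source_ip) of one FAILED login

# One pattern per text-logging service. Assumption: every line starts with an ISO timestamp.
TEXT_PATTERNS = {
    "mysql": re.compile(r"^(?P<ts>\S+) mysqld: Access denied for user '[^']*'@'(?P<ip>[\d.]+)'"),
    "postgres": re.compile(r"^(?P<ts>\S+) postgres\[\d+\]: (?P<ip>[\d.]+) FATAL:\s+password authentication failed"),
    "ftp": re.compile(r"^(?P<ts>\S+) vsftpd: FAIL LOGIN: Client \"(?P<ip>[\d.]+)\""),
    "phpmyadmin": re.compile(r"^(?P<ts>\S+) phpMyAdmin: user denied: \S+ \(\S+\) from (?P<ip>[\d.]+)"),
}


def parse_line(line: str) -> Optional[Event]:
    """Return a failed-login event for a recognised line, None for anything else."""
    line = line.strip()
    if line.startswith("{"):
        # Windows Security event exported as JSON; 4625 = failed logon, LogonType 10 = RDP.
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            return None
        if ev.get("EventID") != 4625 or not ev.get("IpAddress") or not ev.get("TimeCreated"):
            return None
        service = "rdp" if ev.get("LogonType") == 10 else "windows-logon"
        return (datetime.strptime(ev["TimeCreated"], TS_FMT), service, ev["IpAddress"])
    for service, pattern in TEXT_PATTERNS.items():
        m = pattern.match(line)
        if m:
            return (datetime.strptime(m.group("ts"), TS_FMT), service, m.group("ip"))
    return None


def parse_log(text: str) -> List[Event]:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev is not None]


def detect_bruteforce(events: List[Event], threshold: int = 5,
                      window: timedelta = timedelta(minutes=2)) -> List[dict]:
    """Alert once per (source_ip, service) when `threshold` failures land inside `window`."""
    recent: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    alerted = set()
    alerts: List[dict] = []
    for ts, service, ip in sorted(events):
        key = (ip, service)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"source_ip": ip, "service": service, "failures": len(q),
                           "first_seen": q[0].strftime(TS_FMT), "alert_at": ts.strftime(TS_FMT)})
    return alerts


# Constructed sample log: a MySQL password-guessing burst, scattered single failures, and an RDP burst.
SAMPLE_LOG = """\
2023-03-20T09:00:01 mysqld: Access denied for user 'root'@'198.51.100.9' (using password: YES)
2023-03-20T09:00:02 mysqld: Access denied for user 'admin'@'198.51.100.9' (using password: YES)
2023-03-20T09:00:02 postgres[4123]: 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2023-03-20T09:00:03 mysqld: Access denied for user 'root'@'198.51.100.9' (using password: YES)
2023-03-20T09:00:04 vsftpd: FAIL LOGIN: Client "198.51.100.9"
2023-03-20T09:00:05 mysqld: Access denied for user 'test'@'198.51.100.9' (using password: YES)
2023-03-20T09:00:06 mysqld: Access denied for user 'root'@'198.51.100.9' (using password: YES)
2023-03-20T09:00:07 phpMyAdmin: user denied: root (mysql-denied) from 203.0.113.7
{"EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "Administrator", "TimeCreated": "2023-03-20T09:00:10"}
{"EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "admin", "TimeCreated": "2023-03-20T09:00:12"}
{"EventID": 4624, "LogonType": 10, "IpAddress": "192.0.2.44", "TargetUserName": "alice", "TimeCreated": "2023-03-20T09:00:13"}
{"EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "user", "TimeCreated": "2023-03-20T09:00:15"}
{"EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "backup", "TimeCreated": "2023-03-20T09:00:18"}
2023-03-20T09:00:20 mysqld: Access denied for user 'root'@'198.51.100.9' (using password: YES)
this line is not an auth event
{"EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "scan", "TimeCreated": "2023-03-20T09:00:21"}
"""

if __name__ == "__main__":
    for alert in detect_bruteforce(parse_log(SAMPLE_LOG)):
        print(alert)
```

Keying on (source IP, service) rather than on the target account is what catches the password-spraying shape in the sample, where every guess uses a different user name; a per-account lockout policy alone would not fire. The single Postgres and phpMyAdmin failures from the same address stay below the threshold and generate no alert, which is the trade-off to tune against the attacker's rate.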

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
