Research Saturday 1.13.24
Ep 312 | 1.13.24

Dual Russian cyber gangs hit 23 companies.
Dave Bittner: Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. [ Music ]

Ryan Westman: So this research was precipitated due to BatLoader and FakeBat targeting our customers at a relatively high rate.

Dave Bittner: That's Ryan Westman, Senior Management of Threat Intelligence with eSentire's Threat Response Unit. The research we're discussing today is titled "Two Russian-speaking cyber gangs attack employees from 23 different companies." [ Music ]

Ryan Westman: This past year we detected and shut down cyberattacks launched at 23 of our customers by the two competing hacker groups. They're using malicious Google and Bing ads promoting popular business software such as Zoom, Slack, and Adobe, and the customers targeted are companies in the manufacturing, software, legal, retail, and healthcare industries, and the attacking threat actors belong to, like you said, the Russian-speaking Malware-as-a-Service groups called "BatLoader" and "FakeBat."

Dave Bittner: Well, let's dig in here. First of all, how did your customers find themselves in the crosshairs here of these groups? Is there any common thread that made them attractive?

Ryan Westman: The operators are creating Google and Bing ads and websites that mimic legitimate software websites to lure employees to download what they believe is the business software they are seeking. In reality, they're downloading a very stealthy and capable malware loader. The BatLoader and FakeBat operators specialize in infecting corporate employees with whatever malware their customer chooses. BatLoader attacks have led to companies being infected with the Royal ransomware, Gozi banking Trojan, and they will harvest credentials and also use remote access Trojans. Both of the operations are competing to capture more of the Malware-as-a-Service market, and they've actually developed a business formula working closely with their customers to create somewhat of a seamless end-to-end malware delivery.

Dave Bittner: Well, let's address each of them individually here. I mean, what can you tell us about BatLoader and FakeBat? What do they have in common, and where do they diverge?

Ryan Westman: Sure. So some of the BatLoader versions use Pyarmor to obfuscate their scripts, making it challenging for analysts to de-obfuscate. BatLoader also claims to provide their own proxies, domains, and servers as well as cryptors for payloads, and then both FakeBat and BatLoader offer their loaders in the form of MSIX. In the most recent updates of FakeBat and BatLoader as of December, when a user visits a malicious landing page and clicks on a link to download fake software, they'll immediately receive an app installer prompt to install the fake software, and as a result, the MSIX file is never downloaded and written to disk, effectively bypassing SmartScreen. BatLoader is the originator of this particular strain of malware. They share highly similar functionalities, but FakeBat entered the market approximately seven months after BatLoader. So the way we believe that the FakeBat operator was able to get a sample was they were a customer of the BatLoader group prior to launching their own version described as "FakeBat."

Dave Bittner: So just to be clear here, these names, "BatLoader" and "FakeBat," are these names that you all have assigned to them? Is this how they refer to themselves?

Ryan Westman: So BatLoader we believe -- I believe was first identified by Mandiant in a 2020 report. "FakeBat" is a name that has been going around on InfoSec Twitter, and so we've decided to use that as the distinguishing piece as well.

Dave Bittner: I see. Can you give us some details on exactly how they set the lure here? I mean, folks -- is this a matter of folks hunting around for business software online, doing something like a Google search?

Ryan Westman: Exactly, yeah, and, I mean, one of the challenges here is that oftentimes the individuals running those types of searches just aren't really savvy to these kinds of risks. One of the things that we've been recommending for folks is that you update your user awareness training to include risks associated with drive-by downloads and teach them to be wary of fake Google and Bing ads promoting popular software and really learn how to recognize potentially dangerous websites, and that can be as simple as encouraging them to be cautious when clicking on links or downloading files from unknown sources.

Dave Bittner: How do these actors seem to be evading antivirus software and those sorts of things?

Ryan Westman: Yeah. So once they're inside of an environment, they have -- their loaders are actually signed with a valid EV certificate, and so that's providing them with a level of cover that allows them to gain that initial access. So that valid EV certificate actually allows them to bypass SmartScreen, and in addition to using Pyarmor, they obfuscate their Python scripts, which also includes payloads in Defender folders, which allow them to attempt to evade detection. [ Music ]

Dave Bittner: So once someone finds themselves infected with this, what's going on in their system? What's the spectrum of things that are happening behind the scenes?

Ryan Westman: Yeah. So like I mentioned, they have been associated with Royal ransomware, so being used to deliver Royal ransomware, as well as Gozi banking Trojan. They'll also harvest credentials and then install other remote access Trojans.

Dave Bittner: What is your estimation here in terms of who's behind this? And do we -- is it the usual suspects in terms of the parts of the world that they're coming from?

Ryan Westman: Yeah, that's what we believe. As I mentioned at the beginning, they are Russian-speaking Malware-as-a-Service groups, so I'll leave the listener to make a decision as to where that might lead them to believe they're located.

Dave Bittner: Yeah. You mentioned that more than a handful of your customers had been hit by these groups. What is your sense for, you know, beyond your reach, how widespread these campaigns may be?

Ryan Westman: Well, I think they're particularly effective, which is why we've seen it targeting our customer base at such a high frequency, as well as other open-source reporting that would indicate to me that they are fairly effective at what they do.

Dave Bittner: What are your recommendations, then? I mean, for folks to best protect themselves against this, what are your tips?

Ryan Westman: Yeah, for sure. So I mean, as I mentioned, the user awareness training, so updating user awareness training with respect to drive-by downloads, teach them to be wary of fake Google and Bing ads promoting popular software, and learn how to recognize potentially dangerous websites, as well as encouraging folks to be cautious when clicking on links or downloading files from unknown sources. From a more enterprise perspective, I'd really encourage those listening to confirm that your devices inside of your corporate environment are protected with endpoint detection and response solutions, and also encourage your employees to utilize password managers instead of relying on password storage features offered by web browsers. As a general recommendation, you should absolutely not be storing your passwords inside of a web browser.

Dave Bittner: Yeah. What is your estimation of the sophistication of these operators? I mean, the folks who are actually supplying BatLoader and FakeBat, are you impressed by the capabilities they've baked in here?

Ryan Westman: Well, I mean, I think I would look at what it would cost as an individual to purchase these tools as an indicator of their success but also effectiveness. So in July of 2023, BatLoader actually introduced a $5,000 monthly package which consisted of a bot which would include a hidden VNC as well as support for web injects, a stealer from all popular browsers, which included Chrome, Firefox, and Edge, a form-grabber, and an embedded loader. In September of 2023, the BatLoader operators actually also began offering an additional payment model that required the prospective client to transfer $3,000 one time through the guarantor of the forum in which the operators and the clients are doing business, and so that one-time payment of $3,000 U.S. was to demonstrate that the client was serious about doing business, and then once the money was deposited, a profit-sharing agreement was negotiated privately between the BatLoader operators and the client. So that's with respect to BatLoader. The operators behind FakeBat are offering the loader for a month for the following. Basically, an unsigned MSI loader rents for $25,000 per month, or a signed MSIX loader runs for $4,000 a month. So that kind of gives you an idea of the sophistication. If the client is also looking for additional services with respect to FakeBat, such as making sure the payloads match the malvertising theme they're running, that they're using to lure the victims, that will actually cost extra. So FakeBat states that the additional services, including payload delivery, are negotiable for a minimum of $3,000 on top of the cost of the loader.

Dave Bittner: So I suppose the notion here is that if you're a customer who's playing the game at this level with things that cost what they do here, this isn't just a casual thing that you're doing in your spare time.

Ryan Westman: Exactly, yeah.

Dave Bittner: Yeah. I'm curious, from an incident response point of view, you know, you mentioned that you've dealt with this with several of the companies you help protect. I mean, without getting into any of the specifics of those organizations, when you're dealing with something like this, what sort of things go into an incident response process?

Ryan Westman: Yeah, yeah, for sure. So I mean, one of the things that we're looking for is atomic indicators that are associated with previous incidents where we've observed BatLoader, so we're using those to conduct threat hunts across the environment. And then in addition to that, you know, some of the things that I've mentioned with respect to how they actually get into the organization or how they actually get into the environment, we're looking for the -- looking for those indicators. So talking about, you know, Pyarmor to obfuscate Python scripts and looking for payloads in Defender folders that are attempting to evade our detection. So those are some of the places that we would start. [ Music ]

Dave Bittner: Our thanks to Ryan Westman from eSentire's Threat Response Unit for joining us. The research is titled "Two Russian-speaking cyber gangs attack employees from 23 different companies." We'll have a link in the show notes. [ Music ] The CyberWire Research Saturday podcast is a production of N2K Networks. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at This episode was produced by Liz Stokes. Our mixer is Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. [ Music ]