did I just hear BatLoader 😍
2
161
Ads today are far too dangerous; wandering around the web without a blocker is simply risky behaviour. They abuse tracking templates to clear legitimate ad review while redirecting to phishing and BatLoader, so this is no longer a matter of "be careful with fake sites"; the safe play is to not render them at all.
12
62
6,245
#batloader spreading through #fake #anydesk #malvertisment hxxps://youranydesk.com/?gad_source=1&gclid=EAIaIQobChMIis2ej-eRhwMVbXFHAR0mmQBtEAMYAiAAEgImvPD_BwE Installation-V9.4.msix: virustotal.com/gui/file/22a4… Uses Pyarmor Pro for evasion. Reference: trendmicro.com/en_us/researc…
1
5
22
2,783
Our #RSAC presentation with @thenecset on #BatLoader and #FakeBat is live! 💙 I know, some nice folks here have asked for the recording 👇rsaconference.com/library/pr…
4
10
42
4,095
24 Mar 2024
Replying to @RussianPanda9xx
Ref[1]:bleepingcomputer.com/news/se… Ref[2]: intel471.com/blog/malvertisi… ^ BatLoader and EugenLoader/FakeBat

3
127
23 Feb 2024
Y'all please be careful searching for AI tools and software. This is from Iris Green, writer: "Caution while searching for AI tools: rogue websites distributing RedLine malware."

Malicious Google Search advertisements are being utilized in a BATLOADER campaign to direct users to dubious websites offering generative AI services such as OpenAI ChatGPT and Midjourney. These advertisements, flagged by eSentire, exploit the popularity of these AI services, which lack first-party standalone applications. The threat actors drive AI app-seekers to imposter web pages that promote fake apps.

BATLOADER, a loader malware, spreads through drive-by downloads. Users searching for specific keywords on search engines encounter fraudulent ads. Clicking on these ads redirects them to rogue landing pages hosting malware. The installer file contains an executable file and a PowerShell script that downloads and loads RedLine Stealer from a remote server. After installation, the binary uses Microsoft Edge WebView2 to load the legitimate ChatGPT and Midjourney URLs in a pop-up window, avoiding suspicion.

This isn't the first time BATLOADER's operators have exploited the AI trend to distribute malware. In March 2023, eSentire reported similar attacks using ChatGPT lures to deploy Vidar Stealer and Ursnif. The use of Google Search ads for this purpose has decreased since early 2023, indicating that measures have been taken to minimize their exploitation.

These developments are part of a broader wave of phishing and scam campaigns capitalizing on the increasing use of AI tools. Threat actors distribute malware and fake apps through these campaigns. In related research, Sophos identified ChatGPT-related fleeceware apps in the Google Play and Apple App Store, which manipulate users into signing up for unwanted subscriptions. In recent weeks, both Meta and Palo Alto Networks Unit 42 have warned of rising fraudulent activity that mimics the ChatGPT service.

These scams aim to harvest users' credit card details, perpetrate credit card fraud, and create chatbot browser extensions that steal victims' Facebook account information. Unit 42 observed a 910% surge in monthly registrations for domains related to ChatGPT between November 2022 and early April 2023. These findings follow Securonix's discovery of the OCX#HARVESTER phishing campaign targeting the cryptocurrency sector from December 2022 to March 2023, which used More_eggs, a JavaScript downloader that loads additional payloads. In January, eSentire traced one of the key operators of the malware-as-a-service (MaaS) to an individual in Montreal, Canada. The second threat actor associated with the group has been identified as a Romanian national known as Jack.
2
3
6
295
12 Jan 2024
Cluster 2: MSIX (created with Advanced Installer) > compiled Python - Install.exe > Zloader/BatLoader > OpenSSL/GetAdmin.vbs. Shares overlaps with @MsftSecIntel's Storm-0569. 2/x
1
1
113
29 Dec 2023
BatLoader leading to BlackBasta is somewhat new info too, BatLoader was traditionally a Royal ransomware precursor. Yet another link between the Conti spin offs. Shows that the cybercrime syndicate remains loyal to each other.
1
7
1,543
🚨 New @MsftSecIntel report "Threat Actors misusing App Installer" 👇 💼 Storm-0569, Storm-1113, Storm-1674 and Sangria Tempest using App Installer to spread malware since Nov 2023. ☠️ Malicious MSIX packages pushed via fake ads & phishing on Microsoft Teams. 🛡️ ms-appinstaller bypasses security like Defender SmartScreen. 🕸️ Storm-0569 spreads BATLOADER via SEO poisoning, mimicking real software downloads. 📩 Storm-1674 sends fake Microsoft Teams messages with spoofed landing pages. Report: microsoft.com/en-us/security… #infosec #malware #threatintelligence #cybersecurity
4
36
84
13,236
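As an added example (not code from Microsoft's report or from the posts above), here is a static triage script for an MSIX package of the kind the Storm-0569 chain delivers, where the package's entry point is a full-trust Install.exe as in the "Cluster 2" post further up. It unzips the package in memory, reads AppxManifest.xml and reports the identity, publisher, the executables each application launches, whether the app is full-trust, and whether a signature blob is present. The sample package, its manifest and every name inside it are constructed here; the package shape (a zip containing AppxManifest.xml and AppxSignature.p7x, the foundation/windows10 manifest namespace, the Windows.FullTrustApplication entry point and the runFullTrust capability) is the standard MSIX layout.

```python
"""Added example: static triage of an MSIX package (a zip with AppxManifest.xml).

Not Microsoft tooling and not code from the posts on this page. The sample
package built below is constructed for the example; its names are made up.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/appx/manifest/foundation/windows10}"
RESCAP = "{http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities}"

# Constructed manifest in the shape a full-trust (Desktop Bridge) package uses.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10"
         xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities">
  <Identity Name="ExampleCorp.Installation" Publisher="CN=Example Corp, O=Example Corp, C=US" Version="9.4.0.0"/>
  <Properties>
    <DisplayName>Installation</DisplayName>
    <PublisherDisplayName>Example Corp</PublisherDisplayName>
  </Properties>
  <Capabilities>
    <rescap:Capability Name="runFullTrust"/>
  </Capabilities>
  <Applications>
    <Application Id="App" Executable="Install.exe" EntryPoint="Windows.FullTrustApplication"/>
  </Applications>
</Package>
"""


def build_sample_package(signed: bool) -> bytes:
    """Build a minimal MSIX-shaped zip in memory (placeholder payload and signature)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AppxManifest.xml", SAMPLE_MANIFEST)
        zf.writestr("Install.exe", b"MZ" + b"\x00" * 62)  # placeholder, not a real PE
        if signed:
            zf.writestr("AppxSignature.p7x", b"PKCX" + b"\x00" * 16)  # placeholder blob
    return buf.getvalue()


def triage_msix(data: bytes) -> dict:
    """Parse AppxManifest.xml out of an MSIX/APPX blob and summarise what it launches."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "AppxManifest.xml" not in names:
            raise ValueError("not an MSIX/APPX package: AppxManifest.xml missing")
        root = ET.fromstring(zf.read("AppxManifest.xml"))
    ident = root.find(NS + "Identity")
    apps = root.findall(f"{NS}Applications/{NS}Application")
    caps = root.findall(f"{NS}Capabilities/{RESCAP}Capability")
    return {
        "name": ident.get("Name") if ident is not None else None,
        "publisher": ident.get("Publisher") if ident is not None else None,
        "version": ident.get("Version") if ident is not None else None,
        "executables": [a.get("Executable") for a in apps if a.get("Executable")],
        # Either the entry point or the restricted capability marks unrestricted Win32 code.
        "full_trust": any(a.get("EntryPoint") == "Windows.FullTrustApplication" for a in apps)
                      or any(c.get("Name") == "runFullTrust" for c in caps),
        "signed": "AppxSignature.p7x" in names,
        "files": sorted(names),
    }


def findings(report: dict) -> list:
    """Turn the summary into the points an analyst checks next."""
    out = []
    if report["full_trust"]:
        out.append("full-trust package: " + ", ".join(report["executables"])
                   + " runs as ordinary Win32 code with the user's rights")
    if report["signed"]:
        out.append("AppxSignature.p7x present: verify the chain and check that the "
                   "certificate subject matches Identity Publisher " + repr(report["publisher"]))
    else:
        out.append("unsigned: will not install through App Installer under default settings")
    return out


if __name__ == "__main__":
    report = triage_msix(build_sample_package(signed=True))
    print(report)
    for line in findings(report):
        print("-", line)
```

Presence of AppxSignature.p7x only says the package was signed; the installer requires the certificate subject to equal Identity Publisher, so the next step is to pull the certificate out of the PKCS#7 blob and see who issued it and whether it has been revoked. The Trend Micro summary further down lists misuse of digital signatures as one of BatLoader's evasion techniques, which is why the publisher string alone is not evidence of legitimacy.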
🚩 This is worrying and continues to increase: multiple threat actors, including ransomware operators and initial access brokers, are abusing the @GoogleAds service, but at a higher level. Attackers manage to show the original domain (URL) in the malicious ads, which is eventually displayed to thousands of potential victims on Google's main results page. Three recent examples, thanks to Intel from Colin Cowie (Sophos) and Jérôme Segura (Malwarebytes) 👏
1.- #Pikabot (I think this is new 👀) ▪ infosec.exchange/@th3_protoC… ▪ infosec.exchange/@th3_protoC…
2.- #BatLoader ▪ infosec.exchange/@th3_protoC…
3.- #FakeBat Hunting Panel: ▪ malwarebytes.com/blog/threat…
🚨 DON'T TRUST Ads, be cautious, investigate, confirm.
17
276
645
322,969
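As an added example (not code from the posts above or from the researchers they credit), here is a small proxy-log hunt for the delivery pattern the AnyDesk post and this one describe: a Google Ads click (gclid / gad_source in the landing URL) onto a lookalike domain, followed by an MSIX download or an ms-appinstaller: launch. The log format, the log lines (the first two are built from the defanged URL in the AnyDesk post), the brand allowlist and the hypothetical webex-download.example host are all constructed for the example.

```python
"""Added example: hunt proxy logs for ad-click -> lookalike domain -> MSIX delivery.

Not code from the posts on this page. Log format, sample lines and the brand
allowlist are constructed for the example.
"""
from urllib.parse import urlsplit, parse_qs

# Google Ads click identifiers present in the landing URL from the AnyDesk post.
AD_CLICK_PARAMS = {"gclid", "gad_source"}

# Constructed allowlist: brand keyword -> registrable domains allowed to carry it.
BRAND_DOMAINS = {
    "anydesk": {"anydesk.com"},
    "webex": {"webex.com"},
}

PACKAGE_SUFFIXES = (".msix", ".msixbundle", ".appinstaller")

# Constructed sample log: "<timestamp> <client> <url>" per line.
SAMPLE_LOG = [
    "2024-07-01T10:02:11Z 10.1.2.3 hxxps://youranydesk.com/?gad_source=1&gclid=EAIaIQobChMIis2ej-eRhwMVbXFHAR0mmQBtEAMYAiAAEgImvPD_BwE",
    "2024-07-01T10:02:19Z 10.1.2.3 https://youranydesk.com/Installation-V9.4.msix",
    "2024-07-01T10:05:40Z 10.1.2.7 https://anydesk.com/en/downloads",
    "2024-07-01T10:06:02Z 10.1.2.9 ms-appinstaller:?source=https://webex-download.example/Webex.msix",
    "2024-07-01T10:07:15Z 10.1.2.4 https://www.example.org/blog?gclid=abc123",
]


def refang(url: str) -> str:
    """Turn a defanged hxxp(s):// scheme back into something urlsplit understands."""
    return url.replace("hxxps://", "https://").replace("hxxp://", "http://")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Fine for .com/.org; a public-suffix list is
    needed for ccTLDs such as .co.uk (assumption: not needed for this sample)."""
    return ".".join(host.lower().split(".")[-2:])


def analyze_url(url: str) -> list:
    """Return the reasons a URL looks like a step in a malvertising delivery chain."""
    reasons = []
    parts = urlsplit(refang(url))
    if parts.scheme == "ms-appinstaller":
        # The protocol handler fetches and installs the package named in ?source=
        reasons.append("ms-appinstaller protocol launch")
        source = parse_qs(parts.query).get("source", [""])[0]
        parts = urlsplit(source)  # keep analysing the package URL itself
    host = parts.hostname or ""
    if set(parse_qs(parts.query)) & AD_CLICK_PARAMS:
        reasons.append("google ads click id")
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in host and registrable_domain(host) not in allowed:
            reasons.append(f"lookalike of {brand}: {host}")
    if parts.path.lower().endswith(PACKAGE_SUFFIXES):
        reasons.append("msix/appinstaller package download")
    return reasons


def hunt(log_lines) -> list:
    """Return hits for lines that go beyond a bare ad click (lookalike, package or protocol launch)."""
    hits = []
    for line in log_lines:
        fields = line.split(maxsplit=2)
        if len(fields) != 3:
            continue  # malformed line; a real parser would log it
        ts, client, url = fields
        reasons = analyze_url(url)
        if any(not r.startswith("google ads") for r in reasons):
            hits.append({"time": ts, "client": client, "url": url, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["url"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

A gclid on its own is ordinary traffic, so the hunt only reports it alongside a lookalike host, a package download or an ms-appinstaller: launch; the click id then tells you which sessions arrived via a paid ad rather than an organic result, which is the pivot for finding the ad and the other clients that clicked it.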
Our Threat Response Unit (TRU) uncovered the handles of operators behind the BatLoader & FakeBat malware-as-a-service crime groups! TRU also tracked the threat actors’ online activities, going back to 2017 for FakeBat and 2020 for BatLoader. bit.ly/3TowJS6
1
1
3
259
15 Dec 2023
Unraveling BatLoader and FakeBat: esentire.com/resources/libra…

1
4
194
Great work by @AnFam17 🦇 #BatLoader & #FakeBat
My colleague Spence and I conducted research on #Batloader and #FakeBat. We hope our findings assist the community in distinguishing between these two malware families. It's also our hope to prevent the emergence of numerous names for the same malware family. We avoided naming them Pteropus giganteus and Myotis lucifugus for a reason 🦇 You can access the report here: esentire.com/resources/libra… @esthreat
2
179
13 Dec 2023
Our Threat Response Unit (TRU) uncovered the handles of operators behind the BatLoader & FakeBat malware-as-a-service crime groups! 🦇 TRU also tracked the threat actors’ online activities, going back to 2017 for FakeBat and 2020 for BatLoader. Read now: bit.ly/3TowJS6
1
3
184
▼ Details here #TrendMicroSecurityBlog The latest evasion technique of the initial-access malware "Batloader": use of the obfuscation tool "Pyarmor Pro" trendmicro.com/ja_jp/researc…

1
3
1,098
Malware "Batloader" uses diverse techniques to evade detection ✅ Batloader is initial-access malware used by the attack group "Water Minyades" ✅ It uses detection-evasion techniques such as misuse of digital signatures, file-size inflation and obfuscation ✅ Once infected, a machine may have other malware, such as ransomware, installed
1
2
5
1,743
#ThreatProtection Malvertising campaign for Webex serving BatLoader, read more: broadcom.com/support/securit…
2
2
1,651