CyberWire Daily - Dual Russian cyber gangs hit 23 companies. [Research Saturday]
Episode Date: January 13, 2024
Ryan Westman, Senior Manager, Threat Intelligence, eSentire's Threat Response Unit (TRU), is discussing their research "Two Russian-speaking cyber gangs attack employees from 23 different companies." ...They are using malicious Google ads, promoting popular business software such as Zoom, Slack, and Adobe. The customers targeted are companies in the manufacturing, software, legal, retail and healthcare industries. The attacking threat actors belong to the Russian-speaking Malware-as-a-Service (MaaS) groups called BatLoader and FakeBat. The research can be found here: Two Competing, Russian-Speaking Cybercrime Groups Attack Employees from 23 Companies in the Manufacturing, Software, Legal, Retail, and Healthcare Sectors Using Malicious Google Ads
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down the threats and vulnerabilities, solving some of the hard problems,
and protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
So, this research was precipitated due to Batloader and FakeBat targeting our customers at a relatively high rate.
That's Ryan Westman, Senior Manager of Threat Intelligence
with eSentire's Threat Response Unit.
The research we're discussing today is titled
Two Russian-Speaking Cyber Gangs Attack Employees
from 23 Different Companies.
This past year, we detected and shut down cyber attacks
launched at 23 of our customers by the two competing hacker groups.
They're using malicious Google and Bing ads,
promoting popular business software such as Zoom, Slack, and Adobe.
And the customers targeted are companies in the manufacturing,
software, legal, retail, and healthcare industries.
And the attacking threat actors belong to, like you said, the Russian-speaking malware-as-a-service groups called Batloader and FakeBat.
Well, let's dig in here. First of all, how did your customers find themselves in the crosshairs here of these groups? Is there any common thread that made them attractive?
The operators are creating Google and Bing ads and websites that mimic legitimate software websites to lure employees to download what they believe is the business software they are seeking.
In reality, they're downloading a very stealthy and capable malware loader. The Batloader and FakeBat operators specialize in infecting corporate employees with whatever malware their customer chooses. Batloader attacks have led to companies being infected with the Royal ransomware, Gozi banking Trojan, and they will harvest credentials and also use remote access Trojans. Both of the operations are competing to capture more of the malware-as-a-service market.
And they've actually developed a business formula working closely with their customers to create somewhat of a seamless end-to-end malware delivery.
Well, let's address each of them individually here.
I mean, what can you tell us about Batloader and FakeBat?
What do they have in common and where do they diverge?
Sure. So some of the Batloader versions use PyArmor to obfuscate their scripts, making it challenging for analysts to de-obfuscate.
Batloader also claims to provide their own proxies, domains, and servers as well as cryptos for payloads. And then both FakeBat and Batloader offer their loaders in the form of MSIX.
In the most recent updates of FakeBat and Batloader as of December,
when a user visits a malicious landing page and clicks on a link to download fake software,
they'll immediately receive an app installer prompt to install the fake software.
And as a result, the MSIX file is never downloaded and written to disk,
effectively bypassing SmartScreen.
Batloader is the originator of this particular strain of malware.
They share highly similar functionalities,
but FakeBat entered the market
approximately seven months after Batloader.
So the way we believe that the FakeBat operator
was able to get a sample
was they were a customer of the Batloader
group prior to launching their own version described as
FakeBat. So just to be clear here, these names
Batloader and FakeBat, are these names that you all have assigned
to them? Is this how they refer to themselves?
So Batloader, I believe, was first identified by Mandiant in a 2020 report.
FakeBat is a name that has been going around in the InfoSec Twitter, and so we've decided to use that as the distinguishing piece as well.
I see. Can you give us some details on exactly how they set the lure here? I mean,
is this a matter of folks hunting around for business software online,
doing something like a Google search?
Exactly. Yeah. And I mean, one of the challenges here is that oftentimes the individuals running those types of searches just aren't really savvy to these kinds of risks.
One of the things that we've been recommending for folks is that you update your user awareness training to include risks associated with drive-by downloads and teach them to be wary of fake Google and Bing ads promoting popular software,
and really learn how to recognize potentially dangerous websites.
And that can be as simple as encouraging them to be cautious when clicking on links
or downloading files from unknown sources.
How do these actors seem to be evading antivirus software
and those sorts of things?
Yeah, so once they're inside of an environment,
their loaders are actually signed with a valid EV certificate.
And so that's providing them with a level of cover
that allows them to gain that
initial access. So that valid EV certificate actually allows them to bypass SmartScreen.
And in addition to using PyArmor, they obfuscate their Python scripts, which also includes
payloads in Defender folders, which allow them to attempt to evade detection.
So once someone finds themselves infected with this, what's going on in their system?
What's the spectrum of things that are happening behind the scenes? Yeah, so like I mentioned, they have been
associated with Royal ransomware, so being used to deliver Royal ransomware, as well as Gozi
banking Trojan. They'll also harvest credentials and then install other remote access Trojans.
What is your estimation here in terms of who's behind this? And is it the
usual suspects in terms of the parts of the world that they're coming from?
Yeah, that's what we believe. As I mentioned at the beginning, they are Russian-speaking
malware-as-a-service groups. So I'll leave the listener to make a decision as to where that might lead them to believe they're located.
Yeah. You mentioned that more than a handful of your customers had been hit by these groups.
What is your sense for, beyond your reach, how widespread these campaigns may be?
Well, I think they're particularly effective, which is why we've seen it targeting our customer base at such a high frequency, as well as other open source reporting that would indicate to me that they are fairly effective at what they do.
What are your recommendations then? I mean, for folks to best protect themselves against this, what are your tips? Yeah, for sure. So, I mean, as I mentioned, the user awareness training, so updating user awareness training with respect to drive-by downloads.
Teach them to be wary of fake Google and Bing ads promoting popular software.
And learn how to recognize potentially dangerous websites, as well as encouraging folks to be cautious when clicking on links or downloading files from unknown sources.
From a more enterprise perspective, I would really encourage those listening to confirm that your devices inside of your corporate environment are protected with endpoint detection and response
solutions, and also encourage your employees to utilize password managers instead of relying on
password storage features offered
by web browsers. As a general recommendation, you should absolutely not be storing your passwords
inside of a web browser. Yeah. What is your estimation of the sophistication of these
operators? I mean, the folks who are actually supplying Batloader and FakeBat, are you
impressed by the capabilities they've baked in here?
Well, I mean, I think I would look at what it would cost as an individual to purchase these
tools as an indicator of their success but also their effectiveness. So in July of 2023,
Batloader actually introduced a $5,000 monthly package, which consisted of a bot which would include a hidden VNC, as well as support
for web injects, a stealer from all popular browsers, which included Chrome, Firefox, and Edge,
a form grabber, and an embedded loader. In September of 2023, the Batloader operators
actually also
began offering an additional payment model that required the prospective client to transfer
$3,000 one time through the guarantor of the firm in which the operators and the clients are doing
business. And so that one-time payment of $3,000 was to demonstrate that the client was serious
about doing business. And then once the money was deposited,
a profit-sharing agreement was negotiated privately
between the Batloader operators and the client.
So that's with respect to Batloader.
The operators behind FakeBat are offering the loader for a month for the following.
Basically, an unsigned MSI loader rents for $25,000 per month,
or a signed MSIX loader runs for $4,000 a month.
So that kind of gives you an idea of the sophistication.
If the client is also looking for additional services with respect to FakeBat,
such as making sure the payloads match the malvertising theme that they're using to lure the victims,
that will actually cost extra.
So FakeBat states that the additional services,
including payload delivery, are negotiable for a minimum of $3,000
on top of the cost of the loader.
So I suppose the notion here is that
if you're a customer who's playing the game at this level
with things that cost what they do here, this isn't just a casual thing that you're doing in your spare time.
Exactly. Yeah.
I'm curious, from an incident response point of view, you mentioned that you've dealt with this with several of the companies you help protect.
I mean, without getting into any of the specifics of those organizations,
when you're dealing with something like this,
what sort of things go into an incident response process?
Yeah, yeah, for sure. So, I mean, one of the things that we're looking for is atomic indicators
that are associated with previous incidents where we've observed Batloader. So we're using those to conduct threat hunts across the environment.
And then in addition to that, some of the things that I've mentioned
with respect to how they actually get into the organization
or how they actually get into the environment,
we're looking for those indicators.
So talking about PyArmor to obfuscate Python scripts
and looking for payloads in Defender folders
that are attempting to evade our detection.
So those are some of the places that we would start.
Our thanks to Ryan Westman from eSentire's Threat Response Unit for joining us. The research is titled, Two Russian-Speaking Cyber Gangs Attack Employees from 23 Different Companies.
We'll have a link in the show notes.
The Cyber Wire Research Saturday podcast is a production of N2K Networks.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is
Peter Kilpe, and I'm Dave Bittner. Thanks for listening.