Mandiant researchers reported that, “The threat actor exploited SEO terms such as ‘free productivity apps installation’ or ‘free software development tools installation’ to entice consumers to a compromised website and download a malicious installer.”

A persistent search engine optimization (SEO) poisoning campaign has been observed that exploits users’ trust in legitimate software applications to trick them into installing the BATLOADER malware on compromised workstations.

Along with the legitimate software, the installer also carries the BATLOADER payload, which is executed during the installation process. By downloading next-stage executables that advance the multi-stage infection chain, the malware acts as a stepping stone for gaining a deeper foothold in the targeted organisation.

One of those executables is a DLL: a modified version of an internal Microsoft Windows component with a malicious VBScript appended to it. The DLL is then executed through the legitimate, Microsoft-signed “Mshta.exe” programme, a technique known as signed binary proxy execution.

The researchers further concluded that, “Furthermore, an alternate edition of the same campaign supplied the Atera remote monitoring management software directly as a result of the original compromise for further follow-on post-exploitation actions, indicating that the operators experimented with other ploys.”

Mandiant also pointed out similarities between the attacks and the tactics used by the Conti ransomware gang, which were leaked publicly in August 2021. “At this moment, other unaffiliated actors may be copying the approaches for their own motives and aims due to the public availability of this material.”

Indicators of Compromise

MD5

1440caafb45e52b0b315c7467fcde11f

2077d8a65c8b08d64123c4ba3f03cbdd

2141919f65ab3ff4eab25e5032e25598

229152f0b00d55796780b00c233bf641

29bc15a6f0ff99084e986c3e6ab1208c

2b16a731a2e4dedfa3db0bf3068614bc

32885d012fa3b50199d7cde9735bcb8a

32cd02c4cd8938645a744b915056d133

3393bd9d04be1ff4e537464e1b79d078

3abbec0420aaf7a9960d9eabc08006d5

3e06c87faede153d4dab5ef1066fe0d7

3ed96f460438e7fddaa48e96c65cb44c

428166c513ed98c72e35fe127a9b5be6

48942b45679b3646000ac2fb6a99e0ed

5376112bebb371cdbe6b2a996fb6dae6

5cae01aea8ed390ce9bec17b6c1237e4

60db9dff2e50e00e937661d2a6950562

67a4f35cae2896e3922f6f4ab5966e2b

6ad4e37221adf3861bfa99a1c1d5faaa

6cd13e6429148e7f076b479664084488

7127cbc56e42fc59a09fd9006dd09daa

7575ecc5ac5ac568054eb36a5c8656c4

849b46e14df68dd687e71c7df8223082

8eb5f0bbd73b5ca32e60deb34e435320

9ed2084c6c01935dc5bb2508357be5a6

9f03ad59cb06b40e6187ef6d22d3b76b

a046e40693a33a1db2aec6d171d352ce

a0b793ff07493951ed392cdc641d3d62

a45c0a83ce2ea52d8edf915b1e169b8f

b4a8b58857649fad1cf8f247a0496c95

b850920c95b694f63aa47fc991396457

b9c9da113335874d0341f0ac1f5e225d

bd20223cb57c55559db81f17ef616070

c02916697ed71e5868d8ea456a4a1871

c08de039a30c3d3e1b1d18a9d353f44c

c12452167e810cde373d7a59d3302370

c9be3451e713382ecf0f7da656cef657

cb1fcc1c0c35cd4e0515b8bf02ba3303

d14b4a96edf70c74afe3d99101daaff8

e33847174fbd2b09abc418c1338fceec

e5decd05056634eace35396a22148bf1

e66ba648666c823433c473e6cfc2e4fc

e6c2dd8956074363e7d6708fb8063001

f535505f337708fbb41cdd0830c6a2d4
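A practical use of the list above is a hash sweep of download folders and installer caches on workstations. The script below is an added example for this page, not tooling from the article or from Mandiant; it embeds a handful of the MD5 values from the list (the `load_iocs` helper accepts the whole list pasted as text, duplicates and blank lines included), and the sample file it hashes in `self_check` is constructed content with no relation to the malware:

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Iterable, List, Set, Tuple

# A subset of the MD5 hashes from the IoC list above; feed the full list through
# load_iocs() when deploying.
BATLOADER_MD5: Set[str] = {
    "1440caafb45e52b0b315c7467fcde11f",
    "2077d8a65c8b08d64123c4ba3f03cbdd",
    "2141919f65ab3ff4eab25e5032e25598",
    "f535505f337708fbb41cdd0830c6a2d4",
}


def load_iocs(lines: Iterable[str]) -> Set[str]:
    """Parse an IoC list as pasted from the article: one MD5 per line.

    Blank lines, headings such as "MD5", surrounding whitespace, mixed case and
    duplicate entries are all tolerated; the result is a set of lowercase hashes.
    """
    out: Set[str] = set()
    for line in lines:
        s = line.strip().lower()
        if len(s) == 32 and all(c in "0123456789abcdef" for c in s):
            out.add(s)
    return out


def md5_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large installers never have to fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: Path, iocs: Set[str]) -> List[Tuple[Path, str]]:
    """Walk `root` and return (path, md5) for every regular file whose MD5 is in `iocs`.

    Unreadable files (permission errors, files removed mid-scan) are skipped rather
    than aborting the whole sweep.
    """
    hits: List[Tuple[Path, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                if not p.is_file():  # skip sockets, dangling symlinks, etc.
                    continue
                digest = md5_of_file(p)
            except OSError:
                continue
            if digest in iocs:
                hits.append((p, digest))
    return hits


def self_check() -> bool:
    """Write one constructed sample file and a benign neighbour to a throwaway
    directory, add the sample's hash to a copy of the IoC set, and confirm the
    sweep reports exactly that file. Returns True when it does."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "sample.bin"
        sample.write_bytes(b"constructed sample content for the self-check\n")
        (Path(tmp) / "other.bin").write_bytes(b"unrelated benign content\n")
        expected = hashlib.md5(sample.read_bytes()).hexdigest()
        hits = sweep(Path(tmp), BATLOADER_MD5 | {expected})
        return [(p.name, d) for p, d in hits] == [("sample.bin", expected)]


if __name__ == "__main__":
    import sys
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.cwd()
    assert self_check(), "self-check failed"
    for path, digest in sweep(root, BATLOADER_MD5):
        print(f"[MATCH] {digest}  {path}")
```

Run it as `python sweep.py C:\Users` (or the user profile root on the host in question); a match is a reason to pull the file and the surrounding process and network history, not a verdict on its own, since MD5 hashes only identify the exact samples Mandiant saw and will miss any rebuilt installer.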
