Mandiant researchers reported that, “The threat actor exploited SEO terms such as free productivity apps installation or free software development tools installation to entice consumers to a compromised website and download a malicious installer.”
A persistent search engine optimization (SEO) poisoning campaign has been observed that exploits users’ trust in legitimate software applications to trick them into installing the BATLOADER malware on compromised machines.
The installer bundles legitimate software alongside the BATLOADER payload, which is executed during the installation process. By downloading next-stage executables that continue the multi-stage infection chain, the malware serves as a stepping stone for gaining a deeper foothold in the targeted organisation.
One of the executables is a tampered copy of an internal Microsoft Windows DLL with a malicious VBScript appended to it. The file is then run through the legitimate, Microsoft-signed “Mshta.exe” utility, a technique known as signed binary proxy execution (MITRE ATT&CK T1218.005). Because mshta.exe is a trusted, signed system binary, the script runs without a separate script host being dropped on disk.
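The tampered-DLL step above suggests a simple file-triage check: a PE file’s sections end at a known file offset, so any bytes after that point (the overlay) can be inspected for script content. The following Python script is an added example written for this page, not code from Mandiant or from the BATLOADER operators. It builds a constructed, minimal PE image in memory so that it runs offline, parses the section table to locate the overlay, and looks for HTA/VBScript markers in it. The marker list, the sample script text, and the helper names are assumptions for illustration.

```python
"""Added example: flag PE files (e.g. a tampered Windows DLL) that carry script text
appended after the last section, the kind of artifact that mshta.exe can execute.
Constructed sample data only; not code from the original report."""
from __future__ import annotations

import struct

# Case-insensitive substrings that commonly appear in HTA/VBScript payloads.
# Assumption for illustration; tune against real samples before using in triage.
SCRIPT_MARKERS = (b"<script", b"vbscript", b"createobject", b"wscript.shell", b"execute(")


def overlay_of(data: bytes) -> bytes:
    """Return the bytes after the end of the last PE section (the 'overlay')."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                        # COFF file header follows the signature
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sect_table = coff + 20 + opt_size          # section headers follow the optional header
    end_of_sections = sect_table + 40 * num_sections
    for i in range(num_sections):
        hdr = sect_table + 40 * i
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)
        end_of_sections = max(end_of_sections, ptr_raw + size_raw)
    return data[end_of_sections:]


def script_markers_in_overlay(data: bytes) -> list[str]:
    """Markers found in the overlay, in SCRIPT_MARKERS order; empty list means none."""
    overlay = overlay_of(data).lower()
    return [m.decode() for m in SCRIPT_MARKERS if m in overlay]


def has_appended_script(data: bytes) -> bool:
    # An overlay by itself is not suspicious (Authenticode signatures and
    # self-extracting installers live there too); script content is.
    return bool(script_markers_in_overlay(data))


def build_minimal_pe(overlay: bytes) -> bytes:
    """Constructed PE32 image: one .text section at file offset 0x200, then `overlay`."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)      # e_lfanew: PE header right after DOS header
    opt_size = 0xE0                            # PE32 optional header; contents unused here
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x2102)
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                          0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + section).ljust(0x200, b"\0")
    return headers + bytes(0x200) + overlay


# Constructed samples: a clean image and one with an HTA-style VBScript appended.
CONSTRUCTED_SCRIPT = (b'<script language="VBScript">'
                      b'Set sh = CreateObject("WScript.Shell"): sh.Run "calc.exe"'
                      b'</script>')
CLEAN_SAMPLE = build_minimal_pe(b"")
TAMPERED_SAMPLE = build_minimal_pe(CONSTRUCTED_SCRIPT)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_SAMPLE), ("tampered", TAMPERED_SAMPLE)):
        print(name, has_appended_script(blob), script_markers_in_overlay(blob))
```

The check deliberately keys on script content rather than on the mere presence of an overlay, since signed binaries and installers legitimately carry trailing data. The runtime counterpart in process-creation telemetry is to alert when mshta.exe is started with an argument that is not an .hta file, for example a path ending in .dll.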
Finally, the researchers concluded that, “Furthermore, an alternate edition of the same campaign supplied the Atera remote monitoring management software directly as a result of the original compromise for further follow-on post-exploitation actions, indicating that the operators experimented with other ploys.”
Mandiant also pointed out similarities between these attacks and the tactics of the Conti ransomware gang, which were made public in August 2021. “At this moment, other unaffiliated actors may be copying the approaches for their own motives and aims due to the public availability of this material.”
Indicators of Compromise