What Is the BatLoader Malware and How Does It Work?

MakeUseOf

By David Rutland

Published Nov 18, 2022

This scary malware is spreading through fake adverts for real products. Here's everything you need to know about BatLoader.

When it comes to choosing victims for cybercrime, criminals know that any potential payoff is bigger from an organization or a company than an individual. BatLoader targets businesses for further exploitation with Living off the Land attacks.

So, what is BatLoader malware? How does it infect your device? And how can you protect yourself?

How Does BatLoader Infect Your System?

The simplest solutions are often the best—even in the world of cybersecurity. Rather than probing firewalls and open ports, or even splashing out on a targeted phishing campaign, BatLoader is incorporated into Windows MSI installers for common business software such as Zoom, TeamViewer, LogMeIn, and AnyDesk.

Criminals then buy adverts which show up at the top of search results for that software, and which directs users to imitation websites such as logmein-cloud(dot)com. This particular domain name was registered and hosted in Russia, and has been taken down. The victim then downloads and executes the binary, allowing attackers access to victims' computers.

Once installed, BatLoader works out whether it is on a home computer or a corporate network. While criminals may be able to steal moderate amounts from individuals, the potential for large-scale theft and mayhem on a business PC or network is much greater.

Is BatLoader Dangerous for Businesses?

Open MacBook on desk in dark room with hands in black fingerless gloves typing.

BatLoader is extremely dangerous for businesses, as unlike most malware, it is only partially automated. Once installed, BatLoader uses Living off the Land commands to fetch more malware.

If it is deployed on a single computer, BatLoader will download and install banking malware and information stealers. If BatLoader detects it is on a wider network, it will install remote monitoring and management malware. This gives an attacker control of your machine—allowing them to explore the network and carry out more actions. This method is guided by a person or group of people rather than by additional code.

Once attackers are in full control of your PC or network, there's no need to install any more malware, and they are able to use pre-existing software such as Windows PowerShell, scripting tools, and direct commands to administer the system. This is known as a Living off the Land (LotL) attack.

How to Prevent a BatLoader Infection

BatLoader is distributed by installer programs for Windows PCs which show up in adverts above search results.

Adverts can be bought, but it is very difficult to push a site for a counterfeit product to the front page of search results—especially when it's in competition with the genuine product. You should only download software from the official site, not the one in an advert.

You should also keep an eye on system processes and monitor your network to make sure your machines aren't talking to anyone they shouldn't.

Security Is Everyone's Responsibility

It's easy to think that security is solely the responsibility of a dedicated department or a few specialized individuals on your team. But security should be a top priority of everybody in your organization, regardless of the role. If you think that perhaps your own skills aren't up to scratch, consider taking an online cybersecurity course to help protect your company or land a job with a new one.