Bateleur

The email contains a macro-laden Word document.

wexe Perform a “load_exe” request to C&C to retrieve an EXE, save it as debug.log and then execute the EXE via WMI ... wpowershell Same as powershell command but instead executes a PowerShell command via WMI

the macro executes the following commands... schtasks /create /f /tn ""GoogleUpdateTaskMachineCorefh5evfbce5bhfd37"" /tr ""wscript.exe //b /e:jscript %TMP%\debug.txt "" ... When Bateleur first executes it creates a scheduled task “ GoogleUpdateTaskMachineSystem” for persistence

The malicious JScript has robust capabilities that include... execution of custom commands and PowerShell scripts... powershell Perform a “load_powershell” request to the C&C to retrieve a command to execute... apowershell Same as powershell command but instead executes a PowerShell command directly with powershell.exe

cmd Perform a “load_cmd” request to the C&C to retrieve a command to execute... execute debug.cmd with cmd.exe

The email contains a macro-laden Word document. The macro accesses the malicious payload via a caption: UserForm1.Label1.Caption.

the macro creates a scheduled task whose purpose is to execute debug.txt as a JScript... /tr "wscript.exe //b /e:jscript %TMP%\debug.txt "

the macro executes the following commands... schtasks /create /f /tn ""GoogleUpdateTaskMachineCorefh5evfbce5bhfd37"" /tr ""wscript.exe //b /e:jscript %TMP%\debug.txt "" ... When Bateleur first executes it creates a scheduled task “ GoogleUpdateTaskMachineSystem” for persistence

the macro executes the following commands... schtasks /create /f /tn ""GoogleUpdateTaskMachineCorefh5evfbce5bhfd37"" /tr ""wscript.exe //b /e:jscript %TMP%\debug.txt "" ... When Bateleur first executes it creates a scheduled task “ GoogleUpdateTaskMachineSystem” for persistence

The new macros and Bateleur backdoor use sophisticated anti-analysis and sandbox evasion techniques... the first FIN7 change we observed was in the obfuscation technique found in their usual document attachments... The caption contains a “|*|”-delimited obfuscated JScript payload.

dll Perform a “load_dll” request to the C&C to retrieve a DLL... write a regsvr32 command to a file named debug.cmd and then execute debug.cmd with cmd.exe

Bateleur has anti-sandbox features... This includes detection of Virtualbox, VMware, or Parallels via SMBIOSBIOSVersion and any of the following strings in DeviceID

The backdoor also contains a process name blacklist including: autoit3.exe dumpcap.exe tshark.exe prl_cc.exe Bateleur also checks its own script name and compares it to a blacklist which could indicate that the script is being analyzed by an analyst or a sandbox

get_passwords Perform a “load_pass” request to the C&C to retrieve a PowerShell command containing a payload capable of retrieving user account credentials

get_process_list Return running process list (name + id)

get_information Return various information about the infected machine, such as computer and domain name, OS, screen size, and net view

Bateleur has anti-sandbox features... This includes detection of Virtualbox, VMware, or Parallels via SMBIOSBIOSVersion and any of the following strings in DeviceID

The backdoor also contains a process name blacklist including: autoit3.exe dumpcap.exe tshark.exe prl_cc.exe Bateleur also checks its own script name and compares it to a blacklist which could indicate that the script is being analyzed by an analyst or a sandbox

get_screen Take a screenshot and save it as screenshot.png in the install_path

The Bateleur C&C protocol occurs over HTTPS... Bateleur uses HTTP POST requests with a URI of “/?page=wait” while the backdoor is waiting for instructions.

exe Perform a “load_exe” request to the C&C to retrieve an EXE... dll Perform a “load_dll” request to the C&C to retrieve a DLL... get_passwords Perform a “load_pass” request to the C&C to retrieve a PowerShell command containing a payload

kill_process Kill process using taskkill