Catching Batloader Disguised as Legit Tools through Threat Vector Identification | WhoisXML API


Disguising malware as legitimate tools has always worked to trick users into downloading it, and the threat actors behind Batloader banked on just that. Trend Micro researchers tracked and analyzed Batloader-related developments toward the end of 2022 [1] and identified 17 domains as indicators of compromise (IoCs). [2]

WhoisXML API researchers managed to add 5,000+ artifacts to that list, including:

  • Two unredacted registrant email addresses that led to the discovery of an additional malicious domain
  • Five IoC IP resolutions, two of which turned out to be malicious
  • 318 domains that shared the IoCs’ IP hosts, 35 of which have been confirmed to be malware hosts
  • 2,283 domains that contained strings found among the IoCs, 69 of which have been flagged as malicious
  • 2,875 domains that contained the names of the companies Batloader targeted
  • 1,158 of the 2,875 domains with the target brand names had unredacted ownership details, 51 of which were confirmed malware hosts
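The pivots enumerated above (registrant email, IP resolution, shared IP host, IoC substrings and target brand names), as an added example that is not WhoisXML API's code, run over a constructed WHOIS/passive-DNS dataset so it executes offline. Every domain, IP address, email address and brand name in it is made up; the real IoCs are in the cited reports.

```python
# Added example, not WhoisXML API's code: the IoC-expansion pivots the report lists,
# run over a small constructed dataset so it executes offline.
from collections import defaultdict

# Constructed seed IoCs standing in for the 17 Batloader domains (not the real ones).
SEED_IOCS = ["installer-update.example", "setup-pack.example"]
# Constructed brand names standing in for the companies Batloader impersonated.
TARGET_BRANDS = ["exampleco", "widgetcorp"]

# Constructed records: domain -> (resolved IP, registrant email or None if redacted).
RECORDS = {
    "installer-update.example": ("203.0.113.10", "reg1@mail.example"),
    "setup-pack.example":       ("203.0.113.20", "reg2@mail.example"),
    "free-tools.example":       ("203.0.113.10", "owner@mail.example"),  # shares IP host
    "exampleco-update.example": ("198.51.100.5", "reg1@mail.example"),   # registrant + string + brand
    "widgetcorp-login.example": ("198.51.100.7", None),                  # brand only, WHOIS redacted
    "news.example":             ("198.51.100.9", "editor@mail.example"), # no overlap at all
}

def seed_tokens(seeds, min_len=4):
    """Strings to hunt for: labels of the seed domains split on '-', TLD dropped."""
    return {t for d in seeds for t in d.rsplit(".", 1)[0].split("-") if len(t) >= min_len}

def pivot(seeds, records, brands):
    """Return pivot name -> set of candidate domains connected to the seeds."""
    seed_ips = {records[d][0] for d in seeds if d in records}
    seed_emails = {records[d][1] for d in seeds if d in records and records[d][1]}
    tokens = seed_tokens(seeds)
    hits = defaultdict(set)
    for dom, (ip, email) in records.items():
        if dom in seeds:
            continue
        if ip in seed_ips:
            hits["shared_ip"].add(dom)
        if email and email in seed_emails:
            hits["shared_registrant"].add(dom)
        if any(t in dom for t in tokens):
            hits["ioc_string"].add(dom)
        if any(b in dom for b in brands):
            hits["brand_name"].add(dom)
    return dict(hits)

def prioritize(hits):
    """Rank candidates by how many independent pivots reach them (more = review first)."""
    score = defaultdict(int)
    for doms in hits.values():
        for d in doms:
            score[d] += 1
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))
```

Candidates reached by several pivots are the ones worth verifying first; a single string or brand match on its own is a weak signal and needs malware-host confirmation before it is treated as an IoC.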

Download a sample of the threat research materials now or contact us to access the complete set of research materials.

  • [1] https://www.trendmicro.com/en_us/research/23/a/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javasc.html
  • [2] https://otx.alienvault.com/pulse/63c9447eb94ba08faec4307d