This trojan is a detection of the Python file components of the malware family BatLoader. BatLoader is a Microsoft Windows Installer file (MSI) that uses batch and PowerShell scripts to gain a foothold on a target device to deliver other malware. The threat actors use search engine optimization (SEO) poisoning to lure users into downloading the malware from compromised websites.
For information about BatLoader and other human-operated malware campaigns, read this blog post:
Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts.
When launched, the BatLoader MSI file runs the embedded Python script. The Python script then downloads additional files, including an encrypted executable that is subsequently launched.
These files attempt to run with administrative rights before downloading and launching further payloads, including Cobalt Strike and remote management tools.
Prevention
Guidance for individual users
Keep your operating system and antivirus products up to date.
To learn more about preventing trojans or other malware from affecting individual devices, read about preventing malware infection.
Guidance for enterprise administrators
Apply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
Initial access
Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites. Turn on network protection to block connections to malicious domains and IP addresses.
Security controls
Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
Turn on tamper protection features to prevent attackers from stopping security services.
Use the Microsoft Defender Firewall and your network firewall to prevent RPC and SMB communication among endpoints whenever possible. This limits lateral movement as well as other attack activities. Check your perimeter firewall and proxy to restrict servers from making arbitrary connections to the internet to browse or download files.
Credential hygiene
Practice the principle of least privilege and maintain credential hygiene. Avoid the use of domain-wide, admin-level service accounts. Restricting local administrative privileges can help limit the installation of RATs and other unwanted applications.
Presence of a suspicious MSI file that contains a cabinet file (CAB) with a malicious Python script:
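The indicator above (an MSI carrying a cabinet whose members include a Python script) can be turned into a simple triage check. The following is an added example, not Microsoft's detection logic: it scans a file's bytes for the cabinet signature `MSCF`, parses the CFFILE directory of each cabinet found, and reports member names that end in `.py` or `.pyw`. The sample input is constructed inline; the `build_sample_cab` helper and the suffix list are assumptions made for this example, and the byte-scan heuristic assumes the cabinet header and file directory are stored contiguously inside the MSI (fragmented OLE streams need a real OLE parser).

```python
import struct
from pathlib import Path

CAB_SIGNATURE = b"MSCF"
# CFHEADER: signature, reserved1, cbCabinet, reserved2, coffFiles, reserved3,
# versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet (36 bytes)
CFHEADER_FMT = "<4sIIIIIBBHHHHH"
# CFFILE fixed part: cbFile, uoffFolderStart, iFolder, date, time, attribs (16 bytes)
CFFILE_FMT = "<IIHHHH"
PYTHON_SUFFIXES = (".py", ".pyw")  # assumption: extensions treated as Python scripts

def cab_file_names(buf: bytes, start: int) -> list[str]:
    """Return member names of the cabinet whose CFHEADER begins at `start`, or [] if implausible."""
    hdr_size = struct.calcsize(CFHEADER_FMT)
    if buf[start:start + 4] != CAB_SIGNATURE or len(buf) < start + hdr_size:
        return []
    fields = struct.unpack_from(CFHEADER_FMT, buf, start)
    cb_cabinet, coff_files, c_files = fields[2], fields[4], fields[9]
    if not hdr_size <= coff_files < cb_cabinet:  # directory must lie inside the cabinet
        return []
    names, pos, entry_size = [], start + coff_files, struct.calcsize(CFFILE_FMT)
    for _ in range(c_files):
        if pos + entry_size > len(buf):
            break
        pos += entry_size                      # skip fixed fields; szName follows, NUL-terminated
        end = buf.find(b"\x00", pos)
        if end < 0:
            break
        names.append(buf[pos:end].decode("utf-8", errors="replace"))
        pos = end + 1
    return names

def embedded_cab_members(buf: bytes) -> list[str]:
    """Collect member names from every cabinet located by scanning for the MSCF signature."""
    members, off = [], buf.find(CAB_SIGNATURE)
    while off != -1:
        members.extend(cab_file_names(buf, off))
        off = buf.find(CAB_SIGNATURE, off + 4)
    return members

def suspicious_python_members(buf: bytes) -> list[str]:
    """Cabinet members that look like Python scripts; a triage signal, not a malware verdict."""
    return [n for n in embedded_cab_members(buf) if n.lower().endswith(PYTHON_SUFFIXES)]

def scan_path(path: Path) -> list[str]:
    return suspicious_python_members(path.read_bytes())

def build_sample_cab(names: list[str]) -> bytes:
    """Constructed test input: minimal cabinet directory (header, one empty folder, no data)."""
    coff_files = struct.calcsize(CFHEADER_FMT) + 8       # one 8-byte CFFOLDER after the header
    files = b"".join(struct.pack(CFFILE_FMT, 0, 0, 0, 0, 0, 0x20) + n.encode() + b"\x00" for n in names)
    folder = struct.pack("<IHH", coff_files + len(files), 0, 0)
    header = struct.pack(CFHEADER_FMT, CAB_SIGNATURE, 0, coff_files + len(files), 0,
                         coff_files, 0, 3, 1, 1, len(names), 0, 0, 0)
    return header + folder + files

# Constructed stand-in for an MSI: OLE magic, padding, then the embedded cabinet.
SAMPLE_BLOB = b"\xd0\xcf\x11\xe0" + b"\x00" * 60 + build_sample_cab(["python311.dll", "installer.py"])
```

A clean installer that ships a Python runtime will also match, so treat hits as candidates for further review (hash lookup, script content, download behaviour) rather than as confirmed BatLoader.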