Javascript Backdoor – Bateleur
A new Javascript backdoor has been observed in recent attacks by Carbanak – an (APT) Advanced Persistent Threat group.
The backdoor is considered adaptable and versatile. Bateleur contains many features including anti-sandbox functionality, anti-analysis, retrieval of infected system information, the listing of running processes, execution of custom commands and Powershell scripts, loading of .exe and .dll (Dynamic Link Library) files, taking screenshots, uninstalling and updating itself.
Furthermore, it is possible Bateleur has the ability to steal passwords, although the latter requires an additional module from its C2 (command and control) server.
Affected Platforms:
Microsoft Windows – all versions
Recommended Action:
Ensure anti-virus is kept up to date.
As the backdoor has only just been detailed, detection may be low and will have been non-existent in the past, hence retrospective hunting on indicators in historic logs is recommended.
A full-spectrum IPS/IDS system would also mitigate the risk through active detection capabilities, as well as having a mature Security Operations Centre.
Network segregation is advisable, as it would prohibit lateral movement across corporate networks – hindering an attacker’s ability to access sensitive information from multiple parts of the business.
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.