Bateleur JavaScript Backdoor
First observed in 2017, Bateleur is a JavaScript-based backdoor created by the FIN7 advanced persistent threat group. It has been used in targeted campaigns against government, financial, healthcare and engineering organisations worldwide.
Bateleur is typically distributed via e-mail as a malicious Word document in spam campaigns directed at target organisations but has also been observed being delivered directly to previously compromised devices.
Once opened, macros in the document extract an obfuscated JavaScript payload and save it as debug.txt. Bateleur also has anti-VM capabilities, although these are only enabled in certain variants.
Once installed, Bateleur will connect to a command and control server over HTTPS and await instructions. It can collect system and user information, execute commands and PowerShell scripts, install secondary malware and upgrade its functionality with additional modules.
Proofpoint researchers have determined with a high degree of certainty that this backdoor is being used by the same group that is referred to as FIN7 by FireEye and as Carbanak by TrustWave and others.
There is also a small Meterpreter downloader script, called Tinymet by the actor(s), that has repeatedly been observed being used by this group as a Stage 2 payload at least as far back as 2016. In at least one instance, Proofpoint observed Bateleur downloading the same Tinymet Meterpreter downloader.
Further technical details on this can be found here.
Indicators of Compromise (IOCs)
Bateleur Document Droppers
cf86c7a92451dca1ebb76ebd3e469f3fa0d9b376487ee6d07ae57ab1b65a86f8
c91642c0a5a8781fff9fd400bff85b6715c96d8e17e2d2390c1771c683c7ead9
FIN7 Password Stealer Module
8c00afd815355a00c55036e5d18482f730d5e71a9f83fe23c7a1c0d9007ced5a
Bateleur C&C
195.133.48[.]65:443
195.133.49[.]73:443
185.154.53[.]65:443
188.120.241[.]27:443
176.53.25[.]12:443
5.200.53[.]61:443
Tinymet C&C
185.25.48[.]186:53
46.166.168[.]213:443
188.165.44[.]190:53
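The indicators above are published in defanged form ("[.]" in place of "." and the C2 port appended), so they cannot be pasted straight into a log search. The following script is an added example, not part of the original post or of Proofpoint's tooling: it refangs the C2 list, indexes it by (address, port) so a hit on the address alone at a different port is reported separately, and checks the three SHA-256 hashes against a file inventory. The log format, the source addresses, the file paths and the "clean" hash are constructed for illustration; the IOC values themselves are the ones listed above.

```python
"""Match the Bateleur and Tinymet IOCs listed above against sample logs.

Added example, not from the original post. The IP:port and SHA-256 values are
the ones published above; the log lines, source hosts and file inventory are
constructed for illustration.
"""
import re

# Indicators exactly as published (defanged with "[.]").
BATELEUR_C2 = [
    "195.133.48[.]65:443", "195.133.49[.]73:443", "185.154.53[.]65:443",
    "188.120.241[.]27:443", "176.53.25[.]12:443", "5.200.53[.]61:443",
]
TINYMET_C2 = ["185.25.48[.]186:53", "46.166.168[.]213:443", "188.165.44[.]190:53"]
DROPPER_SHA256 = {
    "cf86c7a92451dca1ebb76ebd3e469f3fa0d9b376487ee6d07ae57ab1b65a86f8",
    "c91642c0a5a8781fff9fd400bff85b6715c96d8e17e2d2390c1771c683c7ead9",
}
STEALER_SHA256 = {"8c00afd815355a00c55036e5d18482f730d5e71a9f83fe23c7a1c0d9007ced5a"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 1.2.3[.]4:443 back into 1.2.3.4:443."""
    return indicator.replace("[.]", ".")


def build_c2_index(*families):
    """Map (ip, port) -> family label; port is part of the key on purpose."""
    index = {}
    for label, items in families:
        for item in items:
            ip, port = refang(item).rsplit(":", 1)
            index[(ip, int(port))] = label
    return index


C2_INDEX = build_c2_index(("Bateleur", BATELEUR_C2), ("Tinymet", TINYMET_C2))

# Constructed proxy/firewall log format: "<ts> <src_ip> -> <dst_ip>:<port> <action>"
LOG_RE = re.compile(r"^(\S+) (\S+) -> (\d+\.\d+\.\d+\.\d+):(\d+) (\S+)$")


def scan_connection_log(lines):
    """Return (timestamp, src, dst, port, family) for every connection to a listed C2."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected format
        ts, src, dst, port, _action = m.groups()
        family = C2_INDEX.get((dst, int(port)))
        if family:
            hits.append((ts, src, dst, int(port), family))
    return hits


def scan_hashes(inventory):
    """inventory: {path: sha256 hex}. Return {path: label} for known-bad hashes."""
    found = {}
    for path, digest in inventory.items():
        d = digest.lower()  # tolerate upper-case hex from other tools
        if d in DROPPER_SHA256:
            found[path] = "Bateleur document dropper"
        elif d in STEALER_SHA256:
            found[path] = "FIN7 password stealer module"
    return found


# Constructed sample data (not real telemetry).
SAMPLE_LOG = [
    "2017-07-31T10:02:11Z 10.0.0.15 -> 195.133.48.65:443 ALLOW",
    "2017-07-31T10:02:12Z 10.0.0.15 -> 93.184.216.34:443 ALLOW",
    "2017-07-31T10:05:40Z 10.0.0.22 -> 185.25.48.186:53 ALLOW",
    "2017-07-31T10:05:41Z 10.0.0.22 -> 185.25.48.186:443 ALLOW",  # listed IP, unlisted port
]
SAMPLE_INVENTORY = {
    r"C:\Users\user\Downloads\attachment.doc":
        "CF86C7A92451DCA1EBB76EBD3E469F3FA0D9B376487EE6D07AE57AB1B65A86F8",
    r"C:\Windows\notepad.exe": "0" * 64,  # placeholder hash, not a real file hash
}

if __name__ == "__main__":
    for hit in scan_connection_log(SAMPLE_LOG):
        print("C2 hit:", hit)
    for path, label in scan_hashes(SAMPLE_INVENTORY).items():
        print("hash hit:", path, label)
```

The fourth log line shows the caveat of keying on (address, port): the published Tinymet indicator for 185.25.48[.]186 is port 53, so a connection to that address on 443 is not reported. Whether to widen the match to the address alone is an analyst's decision; doing so trades precision against the published indicator for broader coverage of the same infrastructure.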

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security and a wide range of other skills in radio, electronics and telecommunications.