Bateleur JavaScript Backdoor

Bateleur, first observed in 2017, is a JavaScript-based backdoor created by the FIN7 advanced persistent threat group. It has been used in targeted campaigns against government, financial, health and engineering organisations worldwide.

Bateleur is typically distributed by e-mail as a malicious Word document in spam campaigns directed at target organisations, but it has also been observed being delivered directly to previously compromised devices.

Once the document is opened, its macros extract an obfuscated JavaScript payload and save it as debug.txt. Bateleur also has anti-VM capabilities, although these are enabled only in certain variants.

Once installed, Bateleur will connect to a command and control server over HTTPS and await instructions. It can collect system and user information, execute commands and PowerShell scripts, install secondary malware and upgrade its functionality with additional modules.
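As an added defender-side example (not from the original article or from Proofpoint's research), the following Python flags process-creation events that fit the dropper chain described above: an Office application launching a script host, and a script host executing a .txt file such as debug.txt. The log lines are constructed, and the Office and script-host process names are assumptions, since the page only states that the payload is JavaScript saved as debug.txt.

```python
import re
from typing import Dict, List, Tuple

# Assumed process names; the page only says the payload is JavaScript written to debug.txt.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed sample process-creation events, "parent|image|command line" (not real telemetry).
SAMPLE_EVENTS = [
    'explorer.exe|winword.exe|"C:\\Program Files\\Microsoft Office\\WINWORD.EXE" invoice.docm',
    'winword.exe|wscript.exe|wscript.exe //E:jscript C:\\Users\\bob\\AppData\\Local\\Temp\\debug.txt',
    'explorer.exe|wscript.exe|wscript.exe C:\\Scripts\\logon.js',
    'winword.exe|cscript.exe|cscript.exe /nologo build.vbs',
    'cmd.exe|notepad.exe|notepad.exe C:\\Temp\\debug.txt',
]


def parse(line: str) -> Dict[str, str]:
    """Split one constructed event line into parent, image and command line."""
    parent, image, cmdline = line.split("|", 2)
    return {"parent": parent.lower(), "image": image.lower(), "cmdline": cmdline}


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules an event matches (possibly none)."""
    hits = []
    # Rule 1: an Office application has no normal reason to spawn a script host.
    if event["parent"] in OFFICE_PARENTS and event["image"] in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    # Rule 2: a script host run against a .txt file (Bateleur's debug.txt is one
    # instance) hides script code behind a non-script extension.
    if event["image"] in SCRIPT_HOSTS and re.search(r"\.txt\b", event["cmdline"], re.I):
        hits.append("script_host_runs_txt_payload")
    return hits


def detect(lines: List[str]) -> List[Tuple[int, str]]:
    """Run every rule over every line; return (line index, rule name) pairs."""
    alerts = []
    for idx, line in enumerate(lines):
        for rule in classify(parse(line)):
            alerts.append((idx, rule))
    return alerts


if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"line {idx}: {rule}: {SAMPLE_EVENTS[idx]}")
```

Only the two Word-spawned script hosts fire; notepad.exe opening a debug.txt does not, because the filename alone is not the signal.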

Proofpoint researchers have determined with a high degree of certainty that this backdoor is being used by the same group that is referred to as FIN7 by FireEye and as Carbanak by TrustWave and others.

There is also a small Meterpreter downloader script, called Tinymet by the actor(s), that has repeatedly been observed in use by this group as a stage 2 payload at least as far back as 2016. In at least one instance, Proofpoint observed Bateleur downloading this same Tinymet Meterpreter downloader.

Further technical details on this can be found here.

Indicators of Compromise (IOCs)


Duncan

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
