New Trojan malware attack targets restaurant chains

Dubbed Bateleur, this malware uses with macro-laden phishing emails that allow attackers to take screenshots, steal passwords, and more.
Written by Danny Palmer, Senior Writer
Baeleur Eagle

The backdoor Trojan is named after the Bateleur Eagle.

Image: iStock

A notorious hacking group is back with a new method of distributing Trojan malware, with the aim of creating backdoors into the networks of restaurant chains across the US.

Dubbed Bateleur -- after a breed of eagle -- by the researchers at Proofpoint who uncovered it, it's thought to be the work of Carbanak, a group that focuses its attacks on corporate targets.

The group has stolen over $1bn from banks worldwide and is thought to be behind a string of other attacks.

Carbanak has previously targeted hospitality organisations including retailers, merchant services, and suppliers. This time, however, it is attempting to infiltrate chain restaurants through a backdoor into their Windows systems, enabling the group to take screenshots, steal passwords, execute commands, and more.

In order to increase the chances of infection without being detected, the Javascript backdoor is accompanied by new macros, anti-analysis tools, and sandbox evasion techniques that help cloak its activity.

As with many cyberattacks, a phishing email is used to lure in the target. The message is sent from an Outlook address or a Gmail and claims to contain information about a previously discussed cheque in an attached Word document.


A phishing email used to distribute the malware to targets.

Image: Proofpoint

The attachment claims the document is encrypted and protected by 'Outlook Protect Service' or 'Google Documents Protect Service' depending on the email address sending the message. In both cases, names of authentic antivirus companies appear on the JScript document dropper in order to lure the victim into a false sense of security.

If the user is tricked into enabling editing of the document, the document accesses the malicious payload with a series of scheduled tasks, in an attempt to avoid detection.

Researchers describe the Jscript as having "robust capabilities" including anti-sandbox functionality and anti-analysis obfuscation. It's also capable of retrieving infected system information, listing running processes, execution of custom commands and PowerShell Scripts, uninstalling and updating itself, and taking screenshots.

In theory, Bateleur can also exfiltrate passwords, although this particular instruction requires an additional module from the command-and-control server in order to work. Currently, the malware lacks some of the features required to do this, and does not have backup servers, but researchers expect these to be added in the near future -- especially given the persistent nature of the attackers.

Proofpoint have identified Carbanak as the perpetrators of this campaign with "a high degree of certainty" due to some telltale signs.

Firstly, similar messages have been sent to the same targets, attempting to deliver messages containing GGLDR, a malicious script associated with Carbanak's VBScript malware.

Secondly, a Meterpreter in-memory DLL injection downloader script called TinyMet has been spotted being downloaded by Bateleur, and subsequently been used repeatedly by the group.

Researchers also note that the Powershell password grabber utilised by Bateleur contains a Dynamic-link library identical to the one found embedded in GGLDR samples.

"The Bateleur JScript backdoor and new macro-laden documents appear to be the latest in the group's expanding toolset, providing new means of infection, additional ways of hiding their activity, and growing capabilities for stealing information and executing commands directly on victim machines," Proofpoint researchers Matthew Mesa and Darien Huss said in a blog post.


Editorial standards