New BATLoader Disseminates RATs and Stealers

Threat Actors Ramp Up OneNote Attachment Usage in their Attacks

Threat Actors (TAs) are using spam emails to trick individuals into downloading malware, such as Remote Access Trojans (RATs) and Stealers, to infect their devices and steal sensitive information. Cyble Research & Intelligence Labs (CRIL) closely monitors different malware families and routinely publishes informative blogs to educate our readers. Recently, we observed a new type of BAT loader used to distribute a range of RAT and Stealer malware families.

This loader utilizes a distinctive method to deliver the malicious payload to the user system. We have seen multiple malware families delivered using this new BAT loader.

The image below illustrates the infection chain of the new BAT loader.

Figure 1 – BAT Loader infection chain

Our research indicates that this new BAT loader variant is being delivered through OneNote attachments spread via spam email. This analysis covers the infection technique of the BAT loader and its payload delivery in detail.

Technical Analysis

Delivery of QuasarRAT

Recently, CRIL came across an Open Directory (OpenDir) that hosted several malware binaries. An OpenDir is an unprotected web directory that lists direct links to the files stored on the remote server. From it, we downloaded a binary named “Bill.exe”, which is a sample of the new BAT loader.

The image below shows the OpenDir containing download links for the malware files.

Figure 2 – OpenDir distributes BAT loader

Upon execution, “Bill.exe” drops an obfuscated BAT file named “Bill.bat” in the %temp% folder and executes it.

The figure below shows the dropped BAT file and its obfuscated content.

Figure 3 – Dropped BAT file & its obfuscated content

The executed BAT file copies the legitimate PowerShell.exe from System32 into %temp% under the name “Bill.bat.exe” and uses that renamed copy to run the PowerShell content embedded in the obfuscated BAT file, as shown in the figure below.

Figure 4 – Obfuscated PowerShell command-line
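The renamed PowerShell copy is a useful hunting point: renaming the binary does not change its hash or its version resource, so a file called “Bill.bat.exe” that hashes identically to the system’s powershell.exe, or whose OriginalFilename field still reads PowerShell.EXE, stands out. The script below is an added example written for this post (it is not the loader’s code and not Cyble’s own tooling); the %temp% location, the “*.bat.exe” naming and the IXP000.TMP folder come from the analysis above, while the check logic and object layout are this example’s own assumptions.

```powershell
# Added example (not from the original post or from Cyble): hunt for renamed
# copies of PowerShell dropped under %temp%, as the BAT loader does.
# Signals used:
#  - the file's SHA256 equals the system powershell.exe, and/or
#  - its version resource still says OriginalFilename = PowerShell.EXE while the
#    file name is something else (for example "Bill.bat.exe").

$sysPs     = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\powershell.exe'
$sysPsHash = (Get-FileHash -LiteralPath $sysPs -Algorithm SHA256).Hash

function Test-RenamedPowerShell {
    param([Parameter(Mandatory)][string] $Path)
    try {
        $vi   = (Get-Item -LiteralPath $Path -ErrorAction Stop).VersionInfo
        $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    } catch { return $null }   # unreadable/locked file: nothing to report

    $byHash = ($hash -eq $sysPsHash)
    $byName = ($vi.OriginalFilename -ieq 'PowerShell.EXE') -and
              ([IO.Path]::GetFileName($Path) -ine 'powershell.exe')

    if ($byHash -or $byName) {
        [pscustomobject]@{
            Path             = $Path
            OriginalFilename = $vi.OriginalFilename
            MatchesSystemPs  = $byHash
            SHA256           = $hash
        }
    }
}

# 1. On-disk hunt: every .exe under the user's temp tree (this also covers the
#    IXP000.TMP sub-folder mentioned in the analysis).
$onDisk = Get-ChildItem -LiteralPath $env:TEMP -Recurse -Filter '*.exe' -File -ErrorAction SilentlyContinue |
          ForEach-Object { Test-RenamedPowerShell -Path $_.FullName }

# 2. Live hunt: running processes whose image is outside System32/SysWOW64 but
#    is really PowerShell (the "Bill.bat.exe" child of the BAT file).
$running = Get-Process -ErrorAction SilentlyContinue |
           Where-Object { $_.Path -and ($_.Path -notlike "$env:SystemRoot\Sys*") } |
           ForEach-Object { Test-RenamedPowerShell -Path $_.Path }

$hits = @($onDisk) + @($running) | Where-Object { $_ } | Sort-Object Path -Unique
if ($hits) { $hits | Format-Table -AutoSize } else { 'No renamed PowerShell copies found.' }
```

Run it in the context of the user whose %temp% is of interest; the hash comparison is the stronger of the two signals, the OriginalFilename check additionally catches a copy taken from a different PowerShell build (e.g. the SysWOW64 one).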

The image below shows the de-obfuscated PowerShell script launched by the “Bill.bat” file.

Figure 5 – De-obfuscated PowerShell script

The PowerShell script decrypts, decompresses, and loads the embedded data as a .NET assembly, then executes the malicious code inside it, using the following steps:

  • Initially, the PowerShell script reads the Base64-encoded content carried on lines that start with “:: ” in the “Bill.bat” file located at “C:\Users\<Admin>\AppData\Local\Temp\IXP000.TMP\”.
  • The Base64 content is then decoded with [System.Convert]::FromBase64String; the result is AES-encrypted data.
  • Next, the encrypted data is decrypted with the AES.CreateDecryptor() method. The key and initialization vector (Key & IV) come from hardcoded Base64-encoded strings in the script.
  • A System.IO.MemoryStream object is then created and filled with the AES-decrypted content, which is Gzip-compressed data.
  • The data is decompressed with a System.IO.Compression.GZipStream object opened in [IO.Compression.CompressionMode]::Decompress mode.
  • The decompressed data, a Portable Executable, is loaded as a .NET assembly with the [System.Reflection.Assembly]::Load method.
  • The entry point of the assembly is invoked via its Invoke method, which runs the code within the assembly.
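For triage it is convenient to replay the first four steps offline and stop before the Assembly.Load step, so the embedded executable can be hashed and examined statically without ever being executed. The script below is an added example written for this post, not the loader’s script and not Cyble code. It assumes the Base64 blob sits on “:: ” lines of the BAT file as described above, that the AES key and IV have already been recovered from the de-obfuscated script and are passed in Base64 form (the way the loader stores them), and that the decryption uses the .NET defaults of CBC mode with PKCS7 padding; the parameter names are this example’s own.

```powershell
# Added example (not the loader's code, not Cyble tooling): offline extractor for
# the payload embedded in the BAT file. It writes the decrypted, decompressed
# bytes to disk for static analysis and never loads or runs them.
param(
    [Parameter(Mandatory)] [string] $BatPath,
    [Parameter(Mandatory)] [string] $KeyBase64,   # assumed: recovered from the script
    [Parameter(Mandatory)] [string] $IvBase64,    # assumed: recovered from the script
    [string] $OutPath = "$BatPath.payload.bin"
)

# 1. Collect the Base64 text carried on ":: " lines (cmd.exe treats "::" as a comment,
#    so these lines are inert when the BAT file runs).
$b64 = (Get-Content -LiteralPath $BatPath |
        Where-Object { $_.StartsWith(':: ') } |
        ForEach-Object { $_.Substring(3).Trim() }) -join ''
if (-not $b64) { throw "No ':: ' Base64 lines found in $BatPath" }

# 2. Base64 -> AES ciphertext.
$cipherBytes = [System.Convert]::FromBase64String($b64)

# 3. AES decrypt with the recovered key/IV (CBC + PKCS7 are the .NET defaults; assumed here).
$aes = [System.Security.Cryptography.Aes]::Create()
$aes.Key = [System.Convert]::FromBase64String($KeyBase64)
$aes.IV  = [System.Convert]::FromBase64String($IvBase64)
$decryptor  = $aes.CreateDecryptor()
$plainBytes = $decryptor.TransformFinalBlock($cipherBytes, 0, $cipherBytes.Length)
$decryptor.Dispose(); $aes.Dispose()

# 4. Gzip-decompress the plaintext into a byte array.
$inStream  = New-Object System.IO.MemoryStream(,$plainBytes)
$gzip      = New-Object System.IO.Compression.GZipStream($inStream, [System.IO.Compression.CompressionMode]::Decompress)
$outStream = New-Object System.IO.MemoryStream
$gzip.CopyTo($outStream)
$gzip.Dispose(); $inStream.Dispose()
$payload = $outStream.ToArray()

# 5. Sanity check: a PE file starts with "MZ". Then write it out for static analysis.
if ($payload.Length -lt 2 -or $payload[0] -ne 0x4D -or $payload[1] -ne 0x5A) {
    Write-Warning 'Decoded data does not start with an MZ header; the key/IV may be wrong.'
}
[System.IO.File]::WriteAllBytes($OutPath, $payload)
$sha = Get-FileHash -LiteralPath $OutPath -Algorithm SHA256
'{0} bytes written to {1} (SHA256 {2})' -f $payload.Length, $OutPath, $sha.Hash
```

Usage: `.\Extract-BatPayload.ps1 -BatPath .\Bill.bat -KeyBase64 '<key>' -IvBase64 '<iv>'` on an isolated analysis host; the resulting file is the intermediate .NET assembly, whose own resource (“payload.exe”) still has to be extracted with a .NET decompiler, as the next section describes.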

The diagram below illustrates the BAT loader delivering QuasarRAT to the victim’s system.

Figure 6 – Process of BAT loader delivering QuasarRAT

The figure below shows the static details of an extracted binary file, a 32-bit .NET compiled executable.

Figure 7 – Static details of an extracted binary

Upon execution, the .NET file decrypts and runs encrypted data embedded in its .NET resource directory under the name “payload.exe”.

This “payload.exe” file is an actual malware payload “QuasarRAT”, as shown in the below figure.

Figure 8 – Loaded .NET assembly file contains QuasarRAT payload in the resource directory

Delivery of AsyncRAT

We have also observed a few samples in the wild that use a similar technique to distribute a Remote Access Trojan named “AsyncRAT”.

The figure below shows the spam email, which contains a OneNote attachment named “”. When opened, it displays the message “CLICK TO VIEW DOCUMENT”.

Figure 9 – Spam email with OneNote attachment

When a user clicks the button present in the OneNote file to view the document, it drops the “update.bat” file in the %temp% folder and executes it. The executed BAT file exhibits the same behavior mentioned above in the technical analysis section.

The image below shows the BAT loader’s process tree delivered via spam email.

Figure 10 – Process tree of BAT loader infection from spam email

As mentioned previously, the PowerShell script retrieves and loads the payload malware “AsyncRAT” in memory, as shown below.

Figure 11 – .NET assembly file contains AsyncRAT payload in the resource directory

CRIL also noticed a few more samples in the wild that exhibit similar behavior to spread malware families, such as DCRAT, Stormkitty, and RedLine stealer.

Conclusion

BAT loader is a highly adaptable and challenging threat that relies on malspam and social engineering to spread RATs, Stealers, and other malware. It gains a foothold on the target system through batch and PowerShell scripts, which makes it difficult to detect. This ability to evolve and adapt makes BAT loader a persistent and dangerous malware.

Cyble Research and Intelligence Labs will continue monitoring the new malware strains in the wild and update blogs with actionable intelligence to protect users from such notorious attacks.

Our Recommendations

  • The initial infection may happen via spam emails or phishing websites, so enterprises should use security products to detect phishing emails and websites.
  • Avoid downloading pirated software from Warez/Torrent websites. “Hack tools” advertised on sites such as YouTube and torrent sites often contain such malware.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices.
  • Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without first verifying their authenticity.
  • Educate employees on protecting themselves from threats like phishing/untrusted URLs.
  • Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
  • Monitor beaconing at the network level to block data exfiltration by malware or TAs.

MITRE ATT&CK® Techniques

Tactic                 Technique ID   Technique Name
Execution                             User Execution
Execution                             Command and Scripting Interpreter
Execution                             Scripting
Execution                             Windows Management Instrumentation
Execution                             PowerShell
Persistence            T1053          Scheduled Task/Job
Privilege Escalation   T1055          Process Injection
Defense Evasion        T1222          File and Directory Permissions Modification
Defense Evasion                       Hidden Files and Directories
Defense Evasion                       File Deletion
Defense Evasion                       Virtualization/Sandbox Evasion
Discovery                             System Information Discovery
Discovery                             Security Software Discovery
Discovery                             File and Directory Discovery
Command and Control    T1071          Application Layer Protocol
Command and Control                   Non-Application Layer Protocol

Indicators of Compromise (IOCs)

Indicator                                                          Type     Description
9cd24f62ecb15856de992b14f2b44f09a8ba74f1220d9ae544e6919ada0335ad   SHA256   Spam email
764250ddf94b90441193fe1c29754f231e0868d1878fdf3150e5744dd8d8c378   SHA256   Update.bat (AsyncRAT)
d71cdb791f3f58bd064fb840488f7e708d707b1d39e70fbe5c597f7fbcc0699e   SHA256   Batch file
d5d8deb0a6da4352ded02c6a51c10efae2b030518247713ecb28274123b76fb8   SHA256   Batch file
fa78bb7d250a3893f188e5e7651070a20dd690fc6647020d5d399874e71c8e88   SHA256   Batch file (Stormkitty)
