Batman, Batman Arkham City, Meterpreter

Key Takeaways

  • Cyble Research and Intelligence Labs (CRIL) encountered a modified “Batman: Arkham City” game installer file that could propagate through phishing or third-party websites.
  • Upon analysis, we determined that this installer is a modified version of the BatmanAC game, containing a malware executable alongside the genuine Batman game installer.
  • The malware executable is employed to initiate the deployment of Meterpreter using a VBS dropper file.
  • Meterpreter is then utilized to perform other malicious activities, including downloading additional malware from a remote server to the victim’s system.

Overview

On November 10th, CRIL came across a Batman game installer file on VirusTotal. After examining the installer file, we determined that it is a modified version of the popular cross-platform game “Batman: Arkham City (BatmanAC).”

Batman Arkham City is a popular action-adventure video game developed by Rocksteady Studios and released in 2011. The game is based on the DC Comics superhero Batman and his fight against crime in Gotham City. The game features a large open world, stealth mechanics, detective skills, gadgets, and combat.

The infection method is initiated with the download of a BatmanAC game installer file from phishing

websites or third-party sites that provide software and game applications. Upon installation, the installer drops a genuine Batman game installer file alongside a malicious executable file. The execution of this malware executable leads to the deployment of a VB script, subsequently dropping a Meterpreter that was encoded and embedded within the VBS file.

Meterpreter is a post-exploitation tool that belongs to the Metasploit framework, which is an open-source penetration testing tool. Meterpreter is specifically designed to provide a powerful, extensible platform for performing various post-exploitation activities on a compromised system. It allows a user to interact with the compromised system, execute commands, and perform a wide range of malicious actions.

The image below shows the infection chain of the compromised “Batman: Arkham City” game installer deploying Meterpreter.

Meterpreter
Figure 1 – Overall Infection Chain

Initial Infection

The origin of the modified game installer remains unidentified. It is presumed that the initial dissemination of the infection may begin from individuals downloading game applications from phishing websites or third-party sites that offer software and game applications.

Technical Details

For this technical analysis, we analyzed a sample named “BatmanArkhamCityUpdate1.01.exe,” which is a 64-bit Microsoft Cabinet self-extracting archive (SFX) file. The figure below shows the icon of the modified version of the Batman: Arkham City game installer application.

Batman, Meterpreter
Figure 2 – Modified BatmanAC game installer file icon

Within this SFX file, there are two distinct executables: “BATMAN~1.EXE,” a legitimate and safe Batman game application installer, and a malicious executable named “morho.exe,” as shown below.

Batman, Meterpreter
Figure 3 –  Files inside the modified BatmanAC game installer

Elevation permissions are necessary to complete the installation of the “BatmanArkhamCityUpdate1.01.exe” file. Upon execution of the Microsoft cabinet file with administrator privileges, it extracts and drops the BATMAN installer executable and malicious UPX-packed executable file in the below location of the %temp% folder.

  • C:\Users\<Admin>\AppData\Local\Temp\IXP000.TMP\BATMAN~1.EXE
  • C:\Users\<Admin>\AppData\Local\Temp\IXP000.TMP\morho.exe

The image below illustrates the extraction process of the Batman Arkham City game.

Meterpreter, Batman, Installation
Figure 4 – BatmanAC game installation process

The figure below shows the dropped binary files of the Batman: Arkham City game into the victim’s system.

Batman, Meterpreter
Figure 5 – Genuine BatmanAC game application files

After dropping all the executable files, the installer first initiates the execution of “morho.exe” in the background.

Upon execution, it drops a VB script file named “integral.vbs” in the “C:\Windows” directory and subsequently runs it utilizing “WScript.exe.” The below figure shows the obfuscated content of the dropped VBS file.

VBS, Malware, meterpreter
Figure 6 – Obfuscated VBS file dropped by malware executable

The VBS dropper includes an embedded binary executable file encoded using a series of concatenated Chr() functions, as shown below.

VBS, Meterpreter
Figure 7 – Decoded content of the embedded binary present in the VB Script

The VB script performs the tasks of decoding the embedded binary, saving it as a file named “svchost.exe” in the %temp% folder, executing it, and subsequently removing the file to hide its traces. This executable file is identified as a tool known as “Meterpreter.”

Meterpreter

The Meterpreter payload is a post-exploitation tool associated with the open-source Metasploit project, recognized as a penetration testing platform. Cybersecurity professionals and ethical hackers widely use Metasploit to simulate and test security vulnerabilities in computer systems, networks, and applications. Despite its intended use by ethical hackers, some TAs utilize this framework for nefarious purposes in the creation and deployment of malware.

Meterpreter is a powerful, extensible tool to perform various post-exploitation activities on the victim’s system. It enables the TAs to engage with the compromised system, execute commands, and carry out a diverse set of tasks, such as File System Manipulation (download, upload, and delete files), Privilege Escalation (attempt to gain higher levels of access), Network Reconnaissance (scan and gather information about the network), Keylogging (capture keystrokes), System Information Gathering (Collect information about the target system).

Upon execution, Meterpreter (“svchost.exe”) establishes a connection with the Command-and-Control (C&C) server to carry out various types of tasks in the compromised system.

Malware Config

FamilyMetasploit
Versionwindows/download_exec
C&Chxxp[:]//kraken[.]zapto[.]org:80/INITM

The figure provided below illustrates the Shellcode featuring checksum values of API functions, which is utilized for establishing a connection to the C&C server.

Checksum, API, Meterpreter
Figure 8 – Checksum of API functions used to connect the C&C server

Upon establishing a successful connection with the C&C, Meterpreter can perform post-exploitation activity, including downloading and executing additional malware to the target system.

Following the execution of Meterpreter, the “BatmanArkhamCityUpdate1.01.exe” starts the installation of the BatmanAC game application, misleading the victim into believing that they have successfully installed the game, as shown in the below process tree figure.

Figure 9 – Process Tree

Conclusion

Threat Actors frequently focus on widely played games such as “Batman: Arkham City” because of the substantial user base and the inherent trust users have in well-established software. Exploiting this trust, attackers conceal malware as genuine game content, ensuring a wider impact for their malicious activities. This tactic allows them to engage in various malicious actions, taking advantage of the popularity and credibility of the targeted games.

In this case, the TAs developed an installer file that contains a genuine BatmanAC game installer alongside a malicious executable file. When the malware executable is executed successfully, it triggers the deployment of Meterpreter. This tool is then utilized to distribute further malware onto the target system, enabling a range of malicious activities.

Our Recommendations

  • The initial infiltration might take place via phishing or third-party websites. It is crucial to only download and install software/Game applications from well-known and trusted sources.
  • Employ network intrusion detection and prevention systems to monitor network traffic for known Metasploit signatures and suspicious activities.
  • Deploy strong antivirus and anti-malware solutions to detect and remove malicious executables and scripts.
See Cyble Vision in Action

MITRE ATT&CK® Techniques

Tactic TechniqueProcedure
Execution  (TA0002)Command and Scripting
Interpreter: Windows
Command Shell
(T1059.003)		Adversaries may abuse command and script
interpreters to execute commands, scripts, or
binaries.
Execution  (TA0002)Scripting (T1064)Executes visual basic scripts
Defense Evasion (TA0005)Obfuscated Files or
Information
(T1027)		Sample is packed with UPX.
Defense Evasion (TA0005)Software Packing
(T1027.002)		Packed with generic packer like UPX.
Defense Evasion (TA0005)Masquerading
(T1036)		Creates files inside the system directory and
creates malware file with genuine system
filename (svchost.exe).
C&C
(TA0011)		Web Protocols
(T1071.001)		Adversaries may communicate using HTTP for
C&C communications
C&C
(TA0011)		Non-Application Layer
Protocol (T1071)		Performs DNS lookups

Indicators of Compromise (IOCs)

IndicatorsIndicator TypeDescription
9d604af60870ff64834c2aad1f660a5c 0043ebc3ba7c98d8058d432c8899ecf23cde0614 5fedc28dc4e14dd4d5066b3642a4fe46848afd27ae1259de7935c2f6e41694b4MD5 SHA1 SHA256Modified BatmanAC game installer
f9496cf4193234dac7557d9da1478a10 733dc420f6cdd65054a7fec38eb8beaa0848d00e 5db79d096541340be8b940564e15aa82b2f465aca0dd52f39025dd6772c0c204MD5 SHA1 SHA256morho.exe
4e8e46ca0c736e88ac7e9a93ea164cfd 0e49cbcef909449d04b3033650e5fb1a58b8965c e2027d338d2177209109ca3867d5a84f8fda6dfe40c1a4a0afb63f894bea4f44MD5 SHA1 SHA256integral.vbs
22b03f41e08b42d72978f71d9687ff18 087d76ed3d2ad95c9dd679137755ea8204f8d98d 61d740761cfd9834dcf7865fcef67233cd97d327520b0170678db3ded722e8b6MD5 SHA1 SHA256svchost.exe (Meterpreter)
hxxp[:]//kraken[.]zapto[.]org/INITMURLC&C server

Related Posts

Scroll to Top