Javascript Backdoor - Bateleur

A new Javascript backdoor has been observed in recent attacks by Carbanak - an (APT) Advanced Persistent Threat group.

Threat ID:: CC-1564
Category:
Threat Severity:: Medium
Threat Vector:: Backdoor
Published:: 9 August 2017 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

A new Javascript backdoor has been observed in recent attacks by Carbanak - an (APT) Advanced Persistent Threat group.

Affected platforms

The following platforms are known to be affected:

Microsoft Windows

Microsoft Windows - all versions

Threat details

The backdoor is considered adaptable and versatile. Bateleur contains many features including anti-sandbox functionality, anti-analysis, retrieval of infected system information, the listing of running processes, execution of custom commands and Powershell scripts, loading of EXEs and DLLs (Dynamic Link Library), taking screenshots, uninstalling and updating itself.

Furthermore, it is possible Bateleur has the ability to exfiltrate passwords, although the latter requires an additional module from its C2 (command and control) server.

Remediation steps

Type	Step
	As the backdoor has only just been detailed, detection may be low and will have been non-existent in the past for signature based systems, hence retrospective hunting on indicators in historic logs is recommended. A full-spectrum IPS/IDS system would also mitigate the risk through active detection capabilities, as well as having a mature Security Operations Centre. Network segregation is advisable, as it would prohibit lateral movement across corporate networks - hindering an attacker's ability to access sensitive information from multiple parts of the business.

Type

Step

As the backdoor has only just been detailed, detection may be low and will have been non-existent in the past for signature based systems, hence retrospective hunting on indicators in historic logs is recommended.
A full-spectrum IPS/IDS system would also mitigate the risk through active detection capabilities, as well as having a mature Security Operations Centre.
Network segregation is advisable, as it would prohibit lateral movement across corporate networks - hindering an attacker's ability to access sensitive information from multiple parts of the business.

Last edited: 17 February 2020 11:33 am