Carbanak Hackers Using Bateleur Backdoor

The financially-motivated Carbanak hacker group has added a new JScript backdoor to its cyber-weapons arsenal, along with updated macros, Proofpoint security researchers warn.

Also referred to as FIN7, the multinational gang of cybercriminals has been active for at least two years and has been associated with a variety of incidents this year. In 2015, Kaspersky Lab first outed the group, saying that it had hit more than 100 banks across 30 countries and made off with up to one billion dollars over a period of roughly two years.

In early May, the group was said to have started using shims for process injection and persistence, only one week after adopting new phishing techniques, including the use of hidden shortcut files (LNK files) for target compromise.

Recently, the group started using new macros and a commodity backdoor called Bateleur in attacks against United States-based chain restaurants, Proofpoint reveals. Previously, the group had been targeting hospitality organizations, retailers, merchant services, suppliers and others.

The security researchers also note that both the new macros and the backdoor use sophisticated anti-analysis and sandbox evasion techniques. The group started using macro documents to drop the previously undocumented JScript backdoor in June, marking a switch from their customary GGLDR payload. Both the macro and the malware have seen multiple updates since June.

Depending on the type of account the spam email is sent from (e.g., Outlook or Gmail), the attached document carries a matching lure, claiming that the document was encrypted by the mail service's Protect Service. The macro-enabled document pulls the malicious payload out of a caption, writes the content to debug.txt, then creates a scheduled task to execute debug.txt as JScript. The macro sleeps for 10 seconds and then deletes the scheduled task.
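The chain just described (Office document, payload written to a .txt file, scheduled task that runs it as JScript, task deleted ten seconds later) leaves a distinctive trace in process-creation telemetry. The following detection sketch is an added example written for this article; it is not code from Proofpoint or from the malware, and it makes several assumptions: the event layout is a simplified stand-in for real endpoint telemetry, the schtasks.exe command-line syntax (/create, /tn, /tr, /delete) is assumed, and the `wscript.exe //E:JScript debug.txt` form of running a .txt file as JScript is one plausible way to do what the article describes, not the exact command the macro uses. All log events are constructed.

```python
"""Detection sketch: Office-spawned scheduled task that runs a non-script file
through a Windows script host and is deleted again within seconds.

All events below are constructed; the field layout is an assumed simplification
of process-creation telemetry, not any vendor's real log format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass
class ProcEvent:
    ts: datetime
    parent: str   # parent image file name, e.g. winword.exe
    image: str    # image file name, e.g. schtasks.exe
    cmdline: str  # full command line


OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf"}

ARG_RE = r'\s+(?:"([^"]*)"|(\S+))'  # a quoted or bare argument value


def _arg(flag, cmdline):
    """Value following `flag` on the command line (quotes stripped), or ''."""
    m = re.search(flag + ARG_RE, cmdline, re.I)
    if not m:
        return ""
    return m.group(1) if m.group(1) is not None else m.group(2)


def parse_schtasks(cmdline):
    """Return (verb, task_name, action) for a schtasks /create or /delete line, else None.
    Assumed syntax: schtasks /create /tn NAME /tr "ACTION" ...  or  schtasks /delete /tn NAME /f
    """
    low = cmdline.lower()
    if "schtasks" not in low:
        return None
    verb = "create" if "/create" in low else "delete" if "/delete" in low else None
    if verb is None:
        return None
    return verb, _arg("/tn", cmdline), _arg("/tr", cmdline)


def runs_nonscript_via_host(action):
    """True when the task action launches wscript/cscript on a file whose extension is
    not a normal script extension (the .txt-run-as-JScript pattern). Engine switches
    such as //E:JScript are skipped; a target without a recognised script extension is
    flagged. Paths containing spaces are not handled in this sketch."""
    tokens = action.replace('"', " ").split()
    if not tokens:
        return False
    host = tokens[0].lower().rsplit("\\", 1)[-1]
    if host not in SCRIPT_HOSTS:
        return False
    for tok in tokens[1:]:
        if tok.startswith("/"):
            continue
        ext = ("." + tok.rsplit(".", 1)[-1].lower()) if "." in tok else ""
        return ext not in SCRIPT_EXTS
    return False


def detect(events, window=timedelta(seconds=30)):
    """Correlate task creation with deletion. A task created from an Office parent that
    runs a non-script file via a script host is reported; `paired` is True when the
    same task is deleted within `window`, which is the strong signal for this macro."""
    pending, findings = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        parsed = parse_schtasks(ev.cmdline)
        if not parsed:
            continue
        verb, task, action = parsed
        key = task.lower()
        if verb == "create":
            if ev.parent.lower() in OFFICE_PARENTS and runs_nonscript_via_host(action):
                pending[key] = (ev, action)
        elif key in pending:
            created, action = pending.pop(key)
            age = ev.ts - created.ts
            findings.append({"task": task, "action": action, "parent": created.parent,
                             "paired": age <= window, "lifetime_s": age.total_seconds()})
    for created, action in pending.values():  # created but never deleted
        findings.append({"task": _arg("/tn", created.cmdline), "action": action,
                         "parent": created.parent, "paired": False, "lifetime_s": None})
    return findings


# Constructed sample telemetry: one malicious sequence, one benign admin task.
T = datetime(2017, 7, 31, 9, 0, 0)
SAMPLE_EVENTS = [
    ProcEvent(T, "explorer.exe", "winword.exe", r'"C:\Program Files\Office\WINWORD.EXE" invoice.doc'),
    ProcEvent(T + timedelta(seconds=5), "winword.exe", "schtasks.exe",
              r'schtasks /create /tn "Update" /tr "wscript.exe //E:JScript C:\Users\user\AppData\Local\Temp\debug.txt" /sc once /st 00:00 /f'),
    ProcEvent(T + timedelta(seconds=6), "taskeng.exe", "wscript.exe",
              r'wscript.exe //E:JScript C:\Users\user\AppData\Local\Temp\debug.txt'),
    ProcEvent(T + timedelta(seconds=15), "winword.exe", "schtasks.exe", r'schtasks /delete /tn "Update" /f'),
    ProcEvent(T + timedelta(minutes=5), "cmd.exe", "schtasks.exe",
              r'schtasks /create /tn "Backup" /tr "cscript.exe C:\scripts\backup.vbs" /sc daily /st 02:00'),
    ProcEvent(T + timedelta(hours=2), "cmd.exe", "schtasks.exe", r'schtasks /delete /tn "Backup" /f'),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

The benign administrator task is excluded twice over: its parent is cmd.exe rather than an Office process, and its action points at a .vbs file. The malicious sequence is reported with a ten-second lifetime, matching the sleep the article describes; in a real deployment the window would be tuned to local baselines, and the Office-parent check would be extended to whatever document handlers the environment uses.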

The malicious JScript, which is the Bateleur backdoor itself, includes anti-sandbox and anti-analysis (obfuscation) functionality.

The malware can also retrieve a PowerShell command containing a payload capable of harvesting user account credentials, meaning that, with the help of an additional module, it could also target users' passwords, Proofpoint says.

Proofpoint has observed the malware jump from version 1.0 to over the course of a single month and reveals that several commands were added with the update, including the ability to execute a fetched EXE or PowerShell commands via WMI.

“Although Bateleur has a much smaller footprint than GGLDR/HALFBAKED, lacks basic features such as encoding in the C&C protocol, and does not have backup C&C servers, we expect the Bateleur developer(s) may add those features in the near future,” the security researchers say.

Proofpoint says it has determined with a high degree of certainty that Bateleur is being used by the FIN7/Carbanak group, and also provides some evidence to support the claim.

In June, similar messages separately dropped GGLDR and Bateleur to the same target, and the timing and similarity suggest the same actor was behind all of them, especially with some messages “sharing very similar or identical attachment names, subject lines, and/or sender addresses.”

Bateleur was also observed downloading the Tinymet Meterpreter downloader, a tool employed by Carbanak hackers since at least as far back as 2016. A new tinymet command, recently added to the FIN7-linked GGLDR/HALFBAKED backdoor, was also observed downloading a JScript version of the Tinymet Meterpreter downloader.

“We continue to see regular changes to the tactics and tools used by FIN7 in their attempt to infect more targets and evade detection. The Bateleur JScript backdoor and new macro-laden documents appear to be the latest in the group’s expanding toolset, providing new means of infection, additional ways of hiding their activity, and growing capabilities for stealing information and executing commands directly on victim machines,” the security researchers conclude.

Related: Carbanak Hackers Use Shims for Process Injection, Persistence

Related: FIN7 Hackers Change Phishing Techniques

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
