In recent months BatLoader changed its delivery methods and leveraged JavaScript files during initial infection. Trend Micro discussed the evolution of BatLoader in their recent article: Batloader Malware Abuses Legitimate Tools, Uses Obfuscated JavaScript Files in Q4 2022 Attacks.
Today's YARA rule aims to detect BatLoader JavaScript files. To achieve this goal I'm using the YARA filesize condition and the (new to me) string count operator (#).
The three samples mentioned by Trend Micro that I reviewed and used to write this rule are:
InstallerV61.js
InstallerV201.js
InstallerV30.3.js
Here's the YARA rule that I created for detecting BatLoader JavaScript malware:
rule sus_js_batloader {
    meta:
        author = "Colin Cowie"
        description = "Detects javascript files similar to batloader"
        reference = "https://www.trendmicro.com/en_us/research/23/a/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javasc.html"
    strings:
        $wscript = "ActiveXObject(\"WScript.Shell\")" nocase
        $cmd = "cmd /c " nocase
        $bat = ".bat" nocase
        $sleep = "WScript.Sleep(" nocase
    condition:
        all of them
        and #cmd > 3
        and #bat > 2
        and #sleep > 2
        and filesize < 5KB
}
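To make the count and filesize logic concrete, here is an added Python script (my own example, not the author's rule or tooling) that re-implements the rule's conditions over a few constructed JavaScript snippets. It approximates YARA semantics: `nocase` becomes a case-insensitive search, `#string` becomes a count of non-overlapping occurrences, and `filesize` is the length of the scanned bytes. The sample snippets, the `PATTERNS` dictionary and the function names are all assumptions made for this example; run the real rule with the `yara` CLI or `yara-python` for production scanning.

```python
import re

# The rule's strings (constructed from the YARA rule above; "nocase" -> IGNORECASE).
PATTERNS = {
    "wscript": b'ActiveXObject("WScript.Shell")',
    "cmd": b"cmd /c ",
    "bat": b".bat",
    "sleep": b"WScript.Sleep(",
}

# The rule's thresholds expressed as minimum counts:
# "all of them" requires at least 1 of each, #cmd > 3, #bat > 2, #sleep > 2.
MIN_COUNTS = {"wscript": 1, "cmd": 4, "bat": 3, "sleep": 3}
MAX_SIZE = 5 * 1024  # filesize < 5KB


def count_matches(data: bytes) -> dict:
    """Count non-overlapping, case-insensitive occurrences of each string,
    approximating YARA's #string counter."""
    return {
        name: len(re.findall(re.escape(pat), data, flags=re.IGNORECASE))
        for name, pat in PATTERNS.items()
    }


def matches_rule(data: bytes) -> bool:
    """Return True when the data would satisfy the rule's condition block."""
    counts = count_matches(data)
    return len(data) < MAX_SIZE and all(
        counts[name] >= minimum for name, minimum in MIN_COUNTS.items()
    )


# Constructed sample 1: the repeated cmd/.bat/Sleep pattern the rule targets
# (harmless echo commands standing in for the real loader's content).
SUSPICIOUS_JS = b"""
var sh = new ActiveXObject("WScript.Shell");
sh.Run("cmd /c echo one > a.bat", 0, true); WScript.Sleep(1000);
sh.Run("cmd /c echo two > b.bat", 0, true); WScript.Sleep(1000);
sh.Run("cmd /c echo three > c.bat", 0, true); WScript.Sleep(1000);
sh.Run("cmd /c a.bat", 0, true);
"""

# Constructed sample 2: a single shell call, which admin scripts commonly do.
# It hits $wscript and $cmd once each, so the count thresholds reject it.
BENIGN_JS = b"""
var sh = new ActiveXObject("WScript.Shell");
sh.Run("cmd /c echo hello", 0, true);
"""

# Constructed sample 3: same content as sample 1 padded past 5KB, showing that
# the filesize gate suppresses the match even when every count threshold is met.
OVERSIZED_JS = SUSPICIOUS_JS + b"// " + b"x" * 6000 + b"\n"


def triage(samples: dict) -> dict:
    """Evaluate each named sample; returns {name: (matched, counts)}."""
    return {name: (matches_rule(data), count_matches(data)) for name, data in samples.items()}


if __name__ == "__main__":
    results = triage({"suspicious": SUSPICIOUS_JS, "benign": BENIGN_JS, "oversized": OVERSIZED_JS})
    for name, (matched, counts) in results.items():
        print(f"{name:10s} match={matched!s:5s} counts={counts}")
```

The oversized sample is the caveat worth remembering: the `filesize < 5KB` clause keeps the rule tight against the small droppers Trend Micro described, but a padded or heavily obfuscated variant of the same script would slip past it, so pair this rule with broader coverage rather than relying on it alone.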
Today's rule seems to achieve high-fidelity detection for BatLoader JavaScript malware. We'll have to wait and see if more BatLoader campaigns leverage JavaScript in the future to fully evaluate this rule!