Key Takeaways

CRIL discovered a modified “Batman: Arkham City” game installer that could spread through phishing or third-party websites. Upon analysis, it was revealed that this installer contained a malware executable alongside the genuine Batman game installer. The malware executable is then utilized to deploy Meterpreter through a VBS dropper file for performing illicit actions on the victim’s system.

Overview

On November 10th, CRIL identified a Batman game installer file on VirusTotal. After examining it, it was determined that it is a modified rendition of the game “Batman: Arkham City”. The leading method of infection is through the download of the game installer from phishing or third-party sites. Once installed, this installer dropped both a legitimate Batman game installer and a malicious executable file. This malware executable led to the deployment of Meterpreter using a VBS script for carrying out malicious activities.

Technical Details

For the technical analysis, a sample named “BatmanArkhamCityUpdate1.01.exe” was analyzed. Within this SFX file, two executables were found: “BATMAN~1.EXE,” a legitimate Batman game application installer, and a malicious executable named “morho.exe”. Elevation permissions were necessary to complete the installation of the “BatmanArkhamCityUpdate1.01.exe” file. After execution with administrative privileges, the installer extracts and drops the BATMAN installer executable and malicious UPX-packed executable file in the %temp% folder. The installation further initiates the execution of “morho.exe” in the background, dropping a VB script file named “integral.vbs” in the “C:\Windows” directory and subsequently running it with “WScript.exe”.

Meterpreter

The VBS dropper includes an embedded binary executable file encoded using a series of concatenated functions. The VB script then decodes the embedded binary, which is saved as a file named “svchost.exe” in the %temp% folder and subsequently executed. This executable file is identified as “Meterpreter,” a post-exploitation tool associated with the open-source Metasploit project, recognized as a penetration testing platform. Meterpreter establishes a connection with the Command-and-Control (C&C) server to carry out various tasks on the victim’s system. Meterpreter can perform additional malicious activities, including downloading and executing further malware on the target system.

Conclusion

Threat Actors exploit widely played games like “Batman: Arkham City” and conceal malware as genuine game content to carry out various malicious actions. It is crucial to only download and install software/game applications from well-known and trusted sources and deploy strong antivirus and anti-malware solutions to detect and remove malicious executables and scripts. Measures should also be taken to monitor network traffic for known Metasploit signatures and suspicious activities.

MITRE ATT&CK® Techniques

• Command and Scripting – T1059.003
• Software Packing – T1027.002
• Non-Application Layer Protocol – T1071
• And more…

Indicators of Compromise (IOCs)