BottomLoader

Loader

⚠️ Overview

BottomLoader is a first-stage loader malware first publicly documented by Proofpoint in October 2020 and operated by the financially motivated threat group tracked as TA551 (also known as Shathak). It belongs to the loader/dropper category and is used primarily to download and execute second-stage payloads such as IcedID, BazarLoader, and Cobalt Strike.

🔧 Technical Capabilities

BottomLoader is delivered through phishing emails carrying Microsoft Office documents with obfuscated VBA macros. When the recipient enables the macros, they run PowerShell or other script-based commands that retrieve the payload from the command-and-control (C2) server over HTTP. Persistence is established either by creating a scheduled task or by adding a value under the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key. Evasion techniques include anti-analysis checks for virtualised environments (for example, looking for common VM artifacts), process hollowing to execute inside a legitimate host process, and encrypted strings to hinder static analysis. C2 communication consists of HTTP POST requests carrying encrypted blobs, with the loader imitating common browser User-Agent strings to blend in with legitimate traffic.

📜 History & Notable Incidents

BottomLoader first appeared in late 2020 and was used heavily throughout 2021 in large-scale malspam campaigns targeting the finance, insurance, and healthcare sectors in North America and Europe. Notably, in early 2021, TA551 used BottomLoader to deliver IcedID, which subsequently led to Ryuk ransomware infections in multiple organisations. No CVEs are attributed to BottomLoader itself: it relies on the recipient enabling macros rather than on a software vulnerability, although adversaries have leveraged CVE-2017-11882 (the Equation Editor vulnerability) in related delivery chains. No public law enforcement actions against BottomLoader operators had been announced as of 2023.

🔍 Detection Indicators

No verified file hashes are reproduced here; consult Proofpoint's TA551 reporting for vetted IOCs. Reported network indicators include C2 domains following BottomLoader-related naming patterns (e.g., bottomloader.net) and HTTP POST requests to paths such as "/gate.php". Reported behavioural indicators include scheduled tasks named "OneDriveUpdateTask" or "AdobeUpdateTask" and mutexes of the form "Global\BOTLDR_XXXX". The User-Agent string often mimics "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64)". Note that this string is internally inconsistent: Windows 10 (NT 10.0) only ever shipped Internet Explorer 11, which identifies itself with a Trident/rv token and never sends "MSIE", so the combination is itself a usable detection tell.
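The persistence, C2 and indicator descriptions above translate directly into host- and network-based hunting logic. The following is an added example written for this page, not code from the original page or from any vendor; it assumes telemetry in a simplified Sysmon-like JSON-lines shape with hypothetical field names (`event`, `image`, `target`, `details`, `task_name`, `user_agent`, `name`), and the script-host / user-writable-path heuristic for Run-key writes is the editor's assumption rather than something the page states. The sample events are constructed.

```python
import json
import re

# Indicators copied from this page's Detection Indicators section. They are
# page-reported and not independently verified here; treat them as hunting
# hypotheses to confirm against vendor reporting, not as ground truth.
SUSPICIOUS_TASK_NAMES = {"onedriveupdatetask", "adobeupdatetask"}
SUSPICIOUS_POST_PATHS = {"/gate.php"}
MUTEX_PATTERN = re.compile(r"^(Global\\)?BOTLDR_[0-9A-Za-z]{4}$")
RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"

# Heuristics for the Run-key rule (editor's assumptions, not from the page): flag a
# Run value written by a script host, or one whose target sits in a user-writable path.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe", "reg.exe"}
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")

_MSIE_RE = re.compile(r"\bMSIE \d+\.\d+")
_NT_RE = re.compile(r"Windows NT (\d+)\.(\d+)")


def user_agent_is_anachronistic(ua: str) -> bool:
    """True when a UA carries a legacy 'MSIE n.n' token together with Windows NT 10.0.

    Windows 10 only ever shipped Internet Explorer 11, which never sends 'MSIE', so
    the page's sample UA is internally inconsistent: a cheap tell for loader UAs.
    """
    if not _MSIE_RE.search(ua):
        return False
    nt = _NT_RE.search(ua)
    return nt is not None and (int(nt.group(1)), int(nt.group(2))) == (10, 0)


def detect(event: dict) -> list:
    """Return finding labels (ATT&CK ID plus a short description) for one event."""
    hits = []
    kind = event.get("event")
    image = event.get("image", "").lower().rsplit("\\", 1)[-1]  # basename of the process

    if kind == "registry_set":
        target = event.get("target", "")
        data = event.get("details", "").lower()
        if target.lower().startswith(RUN_KEY.lower() + "\\") and (
                image in SCRIPT_HOSTS or any(h in data for h in USER_WRITABLE_HINTS)):
            hits.append("T1547.001 Run key persistence")
    elif kind == "task_created":
        if event.get("task_name", "").lower() in SUSPICIOUS_TASK_NAMES:
            hits.append("T1053.005 scheduled task")
    elif kind == "http_request":
        if event.get("method") == "POST" and event.get("path") in SUSPICIOUS_POST_PATHS:
            hits.append("T1071.001 POST to reported C2 path")
        if user_agent_is_anachronistic(event.get("user_agent", "")):
            hits.append("T1071.001 inconsistent User-Agent")
    elif kind == "mutex_created":
        if MUTEX_PATTERN.match(event.get("name", "")):
            hits.append("mutex BOTLDR_*")
    return hits


def scan(lines) -> list:
    """Run detect() over JSON-lines telemetry; blank or malformed lines are skipped."""
    findings = []
    for number, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        hits = detect(event)
        if hits:
            findings.append({"line": number, "event": event.get("event"), "hits": hits})
    return findings


# Constructed sample telemetry (not real captures); the last three lines are benign controls.
SAMPLE_EVENTS = [
    {"event": "registry_set",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "target": RUN_KEY + "\\OneDriveUpd",
     "details": "C:\\Users\\jdoe\\AppData\\Roaming\\upd.exe"},
    {"event": "task_created", "image": "C:\\Windows\\System32\\schtasks.exe",
     "task_name": "AdobeUpdateTask", "command": "C:\\Users\\jdoe\\AppData\\Roaming\\upd.exe"},
    {"event": "http_request", "method": "POST", "host": "203.0.113.10", "path": "/gate.php",
     "user_agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64)"},
    {"event": "mutex_created", "image": "C:\\Windows\\explorer.exe", "name": "Global\\BOTLDR_A1B2"},
    {"event": "http_request", "method": "GET", "host": "www.example.com", "path": "/index.html",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"},
    {"event": "task_created", "image": "C:\\Windows\\System32\\svchost.exe",
     "task_name": "MicrosoftEdgeUpdateTaskMachineCore",
     "command": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe"},
    {"event": "registry_set", "image": "C:\\Windows\\System32\\msiexec.exe",
     "target": RUN_KEY + "\\VendorAgent", "details": "C:\\Program Files\\Vendor\\agent.exe"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(f"line {finding['line']:>2} {finding['event']:<14} {', '.join(finding['hits'])}")
```

Run against the constructed sample, the first four lines produce findings and the three benign controls produce none. The named task and mutex rules are brittle (the operator renames them at will), so the Run-key heuristic and the User-Agent consistency check are the parts worth carrying into a real ruleset; tune `SCRIPT_HOSTS` and `USER_WRITABLE_HINTS` to the environment before deploying.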

☠️ Risk & Impact

BottomLoader itself has little direct impact, but the ransomware (e.g., Ryuk) and banking trojans and information stealers (e.g., IcedID) it delivers have caused multi-million-dollar losses in victim organisations through ransomware extortion and subsequent data exfiltration. Affected sectors include banking, healthcare, manufacturing, and government, with incidents often resulting in extended operational downtime.

🛡️ Mitigation

Recommended defences include disabling or blocking macros in Office documents from untrusted sources (current Office versions block macros by default in files marked as originating from the internet, which covers the email-attachment case), deploying endpoint detection and response (EDR) with behavioural rules for process hollowing, Run-key writes and scheduled task creation, and keeping email filtering current with Proofpoint's TA551 threat intelligence. Relevant MITRE ATT&CK techniques: T1204.002 (User Execution: Malicious File) for the macro execution, T1053.005 (Scheduled Task) and T1547.001 (Registry Run Keys) for persistence, T1055.012 (Process Hollowing) for injection, and T1071.001 (Web Protocols) for tuning network detection.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.