DBatLoader (ModiLoader) Being Distributed to Turkish Users
Recently, AhnLab SEcurity intelligence Center (ASEC) has identified cases of the ModiLoader (DBatLoader) malware being distributed via email. ModiLoader ultimately executes SnakeKeylogger. SnakeKeylogger is an Infostealer-type malware developed in .NET. It is known for its data exfiltration methods using emails, FTP, SMTP, or Telegram. Figure 1 shows the email being distributed. The email is written in Turkish and is being distributed by impersonating a Turkish bank. Users are prompted to open the malicious attachment to check their transaction history. The compressed file contains the BAT malware shown in Figure 2.
Figure 1. Email body
Figure 2. Inside the rar compressed file (bat file)
Figure 3 shows the BAT code creating and executing the DBatLoader malware (x.exe) encoded in Base64 in the %temp% directory. Figure 4 is the image of the created DBatLoader malware (x.exe).
Figure 3. Main part of the bat script (creating and executing x.exe)
Figure 4. x.exe (DBatLoader) created in the Temp directory
Figures 5 and 6 show the obfuscated and decrypted forms of three bat scripts (5696.cmd, 8641.cmd, neo.cmd) executed by DBatLoader (x.exe). DBatLoader uses these bat scripts and files such as svchost.pif, netutils.dll, and wxiygomE.pif to achieve its attack goals of evading detection and executing keyloggers.
Figure 5. DBatLoader executing the obfuscated bat script
Figure 6. DBatLoader decrypting the bat script
Attack Process
1. Evasion of Detection
Figure 7 is the 8641.cmd script of the bat script. The Esentutl command is used to copy cmd.exe as alpha.pif. The mkdir command is then used to create a folder (Windows \SysWow64) including a space in its name to disguise it as a legitimate path.
Figure 7. Functions of 8641.cmd
DBatLoader (x.exe) creates a program with the disguised name svchost.pif in the Windows \SysWow64 directory. As shown in Figure 8, this program has the same name as the legitimate process easinvoker.exe, and an malicious netutils.dll is created in the same directory to perform DLL side-loading. As a result, the legitimate easinvoker.exe process exhibits malicious behavior. Figure 9 shows the decrypted 5696.cmd script. The script executes svchost.pif to load the malicious netutils.dll as a side-loaded DLL. It then uses the ping command to introduce a 10-second delay before deleting the malicious netutils.dll file. Figure 10 shows the functions of the malicious netutils.dll, which involves decoding encoded commands to execute a command that runs the neo.cmd file.
Figure 8. Legitimate program (easinvoker.exe) with the file name disguised as svchost.pif
Figure 9. Functions of 5696.cmd
Figure 10. Functions of manipulated netutils.dll (executing neo.cmd)
[Figure 11] shows the contents of the neo.cmd script, which uses the extrac32 command to copy powershell.exe under the name xkn.pif. Through a command executed on xkn.pif (powershell.exe), subdirectories under “C:” are added to Windows Defender’s exclusion paths, achieving the goal of bypassing detection.
Figure 11. Functions of neo.cmd
2. Information Theft (SnakeKeyLogger)
Figure 12 shows the process tree of behaviors executed from DBatLoader (x.exe). After achieving detection evasion, a file named wxiygomE.pif is created. The program is a module (loader.exe) of the legitimate mercurymail program, shown in Figure 13. Afterward, the legitimate process with a disguised name (wxiygomE.pif) is executed, and SnakeKeylogger is injected.
Figure 12. Process tree of DbatLoader (x.exe)
Figure 13. Normal program with a disguised file name (loader.exe)
Figure 14 is the list of functions corresponding to the functions of SnakeKeylogger injected into the legitimate process (wxiygomE.pif). These include malicious functions such as exfiltrating keylogging data such as system information, keyboard inputs, and clipboard data.
Figure 14. Function list of SnakeKeylogger
Figure 15 corresponds to the threat actor’s configuration value in SnakeKeylogger. The configured Telegram bot token is used to transmit the exfiltrated information to the Telegram C2.
Figure 15. Threat actor’s configuration for SnakeKeylogger
Conclusion
The DbatLoader malware distributed through phishing emails has the cunning behavior of exploiting normal processes (easinvoker.exe, loader.exe) through techniques such as DLL side-loading and injection for most of its behaviors, and it also utilizes normal processes (cmd.exe, powershell.exe, esentutl.exe, extrac32.exe) for behaviors such as file copying and changing policies. As it is difficult to detect the infection when targeting individuals, individual users need to be cautious and maintain a strong sense of security by being careful about initial access techniques such as executing script extensions from phishing emails and keeping their security products up-to-date to prevent such attacks.
