Efficient Distribution of DBatLoader via CMD Files

ASEC identifies DBatLoader (ModiLoader) as a downloader distributed via CMD files, with obfuscated, hex-encoded payloads that decode and execute after renaming to .pif. The campaign continues to use phishing-style delivery and a multi-stage process that ultimately loads a Delphi EXE and fetches additional data from an external source. #DBatLoader #ModiLoader #AhnLab

Keypoints

  • DBatLoader (also ModiLoader) is distributed as a downloader via CMD files, previously delivered in RAR archives containing an EXE.
  • The CMD file is encoded in UTF-16LE and starts with the FF FE byte-order mark; it becomes readable in ordinary tools only after stripping FF FE or converting the file to UTF-8.
  • The sample runs only on English Windows versions, because Korean and English Windows builds use different default code pages.
  • Execution uses extrac32.exe to copy cmd.exe and certutil.exe to a shared folder as alpha.exe and kn.exe, then decodes the embedded data, renames the result with a .pif extension, and runs it.
  • Hex data is decoded with certutil -decodehex, with special handling around BEGIN/END markers and Base64 decoding rules described in the article.
  • Decoded output yields DBatLoader, an EXE compiled in Delphi that loads a DLL and retrieves/decodes additional data from an external source before execution.
  • Prevention focuses on caution with unknown emails, up-to-date V3 anti-malware, and current OS/browsers to reduce exposure to this delivery method.

MITRE Techniques

  • [T1566.001] Phishing: Attachment – The campaign was distributed via phishing emails in RAR file format containing an EXE file. Quote: 'phishing emails in RAR file format containing an EXE file.'
  • [T1059.003] Windows Command Shell – The CMD dropper executes and uses Windows tools to prepare the stage (e.g., via cmd.exe). Quote: 'When the CMD file is executed, it uses extrac32.exe, a default Windows program, to save the files cmd.exe and certutil.exe to a shared folder as alpha.exe and kn.exe.'
  • [T1027] Obfuscated/Compressed Files and Information – The code is obfuscated and contains a Base64-encoded EXE file. Quote: 'The code itself is obfuscated, and the file contains a Base64-encoded EXE file.'
  • [T1140] Deobfuscate/Decode Files or Information – The dropper decodes hex-encoded data using certutil -decodehex and handles Base64 encoding between markers. Quote: 'The argument value '-decodehex' is used to decode, and this is a command for decoding hex-encoded data.'
  • [T1036] Masquerading – The dropped payload is renamed (extension changed to '.pif') before execution. Quote: 'changes the file extension to ".pif", and then executes it.'
  • [T1105] Ingress Tool Transfer – The Delphi-based DBatLoader loads a DLL and retrieves additional data from an external source before executing it. Quote: 'The decoded DBatLoader is an EXE file compiled in Delphi. It loads the DLL contained inside, gets additional data from an external source, and decodes it before executing it.'
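The keypoints above and the technique mapping describe a chain that naive content matching misses: the script is UTF-16LE with a FF FE BOM, so an ASCII grep for "certutil" or "-decodehex" finds nothing. The triage scanner below is an added example written for this summary, not AhnLab's code; the CMD text it scans is a constructed sample modelled on the described chain (extrac32 copy, renamed certutil, -decodehex, .pif execution), and the rule names and scoring threshold are the author's own choices.

```python
import re

# Constructed sample modelled on the chain the write-up describes (not a real sample):
# extrac32 copies cmd.exe/certutil.exe to a public folder under new names, the renamed
# certutil decodes a hex blob, and the result is run with a .pif extension.
SAMPLE_CMD_TEXT = "\r\n".join([
    "@echo off",
    "extrac32 /Y /C %SystemRoot%\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe",
    "extrac32 /Y /C %SystemRoot%\\System32\\certutil.exe C:\\Users\\Public\\kn.exe",
    "C:\\Users\\Public\\kn.exe -decodehex C:\\Users\\Public\\Audio.mp4 "
    "C:\\Users\\Public\\Libraries\\Audio.pif",
    "start \"\" C:\\Users\\Public\\Libraries\\Audio.pif",
])
# Encode the way the sample is stored: FF FE byte-order mark followed by UTF-16LE text.
SAMPLE_CMD_BYTES = b"\xff\xfe" + SAMPLE_CMD_TEXT.encode("utf-16-le")

# Heuristic rules for the stages named in the write-up (rule names are ours).
RULES = [
    ("extrac32 used to copy a system binary",
     re.compile(r"extrac32(?:\.exe)?\b.*\b(?:cmd|certutil)\.exe", re.I)),
    ("certutil-style hex decode (-decodehex)", re.compile(r"-decodehex\b", re.I)),
    ("renamed LOLBin from the write-up (alpha.exe / kn.exe)",
     re.compile(r"\b(?:alpha|kn)\.exe\b", re.I)),
    ("execution of a .pif file", re.compile(r"\S+\.pif\b", re.I)),
]


def decode_cmd(raw: bytes) -> tuple:
    """Return (script text, had_utf16le_bom); falls back to UTF-8 for plain scripts."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le", errors="replace"), True
    return raw.decode("utf-8", errors="replace"), False


def scan_cmd(raw: bytes) -> dict:
    """Decode a CMD file and report which stages of the described chain it contains."""
    text, has_bom = decode_cmd(raw)
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in RULES:
            if rx.search(line):
                findings.append((lineno, name))
    # What a byte-level ASCII search would have seen: in UTF-16LE every letter is
    # followed by a NUL, so the keywords never appear as contiguous ASCII bytes.
    ascii_grep_hit = b"certutil" in raw or b"decodehex" in raw
    distinct_stages = {name for _, name in findings}
    return {"utf16le_bom": has_bom, "findings": findings,
            "ascii_grep_hit": ascii_grep_hit,
            "suspicious": len(distinct_stages) >= 2}
```

Run `scan_cmd(SAMPLE_CMD_BYTES)` to see the BOM flag set, the ASCII grep miss, and the four stages matched by line number; the same function on a plain UTF-8 script with none of the stages reports `suspicious: False`.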

Indicators of Compromise

  • [MD5] – B9C3113BC5B603809DAC2515DD03E9FA, 8304C3170AD657E61B4352D0E7649B97
  • [File Name] – alpha.exe, kn.exe
  • [File Path] – C:\Users\Public\Audio.mp4, C:\Users\Public\Libraries\Audio.pif
  • [File Name] – certutil.exe

Read more: https://asec.ahnlab.com/en/67468/