DBatLoader (ModiLoader) Being Distributed to Turkish Users

ModiLoader (DBatLoader) malware is distributed via phishing emails impersonating a Turkish bank, ultimately deploying SnakeKeylogger to steal sensitive information through various exfiltration methods such as email, FTP, SMTP, and Telegram. The malware uses sophisticated evasion techniques, including DLL side-loading and process injection, to avoid detection and maintain persistence on infected systems. #DBatLoader #SnakeKeylogger #PhishingCampaign

Keypoints

  • ModiLoader malware is delivered through phishing emails written in Turkish, impersonating a Turkish bank to lure victims into opening malicious attachments.
  • The initial payload is a BAT script that decodes and executes the DBatLoader malware (x.exe) in the Windows %temp% directory.
  • DBatLoader uses multiple obfuscated BAT scripts and files (e.g., svchost.pif, netutils.dll, wxiygomE.pif) to evade detection and perform malicious activities.
  • The malware employs DLL side-loading: a legitimate binary (easinvoker.exe) is run under a disguised file name so that it loads a malicious DLL placed beside it, letting the payload execute under a trusted process and evade security solutions.
  • DBatLoader manipulates Windows Defender by adding exclusions via PowerShell to maintain stealth during operations.
  • SnakeKeylogger, injected into disguised legitimate processes, steals system information, keyboard inputs, and clipboard data, exfiltrating it via Telegram and other protocols.
  • The attackers use Telegram bot tokens for command and control, highlighting the use of multiple methods for data exfiltration and communication.

MITRE Techniques

  • [T1566] Phishing – Delivery of malicious BAT file via email impersonating a Turkish bank (“…email is written in Turkish and is being distributed by impersonating a Turkish bank…”).
  • [T1055] Process Injection – SnakeKeylogger is injected into a legitimate process disguised as wxiygomE.pif (“…SnakeKeylogger is injected…”).
  • [T1574.002] DLL Side-Loading – Malicious netutils.dll is side-loaded by a legitimate process easinvoker.exe under a disguised file name svchost.pif (“…malicious netutils.dll is created in the same directory to perform DLL side-loading…”).
  • [T1083] File and Directory Discovery – Use of scripts to create folders and copy files in disguised directories to evade detection (“…mkdir command is then used to create a folder (Windows SysWow64) including a space in its name to disguise it as a legitimate path…”).
  • [T1112] Modify Registry – Using PowerShell to add directories to Windows Defender exclusion paths (“…subdirectories under ‘C:’ are added to Windows Defender’s exclusion paths…”).
  • [T1027] Obfuscated Files or Information – Use of obfuscated and base64 encoded BAT scripts and executable to hide malicious payloads (“…Figure 3 shows the BAT code creating and executing the DBatLoader malware (x.exe) encoded in Base64…”).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Executing PowerShell commands to alter Defender settings and run payloads (“…powershell.exe under the name xkn.pif…”).
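The behaviours listed in the Keypoints and MITRE sections (a disguised system path containing a space, interpreters and loaders renamed to .pif, PowerShell adding Windows Defender exclusions) can be turned into simple process-creation detections. The following is an added example written for this summary, not code from the AhnLab report; the event lines are constructed samples in an assumed "image|command line" format, and the rule names are invented.

```python
import re
from typing import List, Tuple

# Constructed sample process-creation events (image path | command line); not from the report.
SAMPLE_EVENTS = [
    r'C:\Windows\System32\cmd.exe|cmd.exe /c mkdir "C:\Windows \SysWow64"',
    r'C:\Users\victim\AppData\Local\Temp\xkn.pif|xkn.pif -nop Add-MpPreference -ExclusionPath "C:\Users"',
    r'C:\Windows \SysWow64\svchost.pif|svchost.pif',
    r'C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs',
    r'C:\Program Files\Git\bin\git.exe|git.exe status',
]

# File names the report lists as disguised DBatLoader components (lower-cased for matching)
DISGUISED_NAMES = {"x.exe", "svchost.pif", "netutils.dll", "wxiygome.pif", "xkn.pif",
                   "easinvoker.exe", "5696.cmd", "8641.cmd", "neo.cmd"}

# Drive-rooted path with a directory component ending in a space ("C:\Windows \SysWow64"),
# the trick the report describes for imitating a legitimate system path. Heuristic only.
TRAILING_SPACE_DIR = re.compile(r'[A-Za-z]:\\[^"|]*? \\')
# Defender cmdlets that add or set exclusion paths (Add-MpPreference / Set-MpPreference)
DEFENDER_EXCLUSION = re.compile(r'(?i)\b(?:Add|Set)-MpPreference\b.*?-ExclusionPath')


def detect(image: str, cmdline: str) -> List[str]:
    """Return the rule names that fire for one event (empty list means nothing matched)."""
    reasons = []
    name = image.rsplit("\\", 1)[-1].lower()
    if name in DISGUISED_NAMES:
        reasons.append("known_disguised_name")
    if name.endswith(".pif"):  # renamed interpreters/loaders executed as .pif
        reasons.append("pif_execution")
    if TRAILING_SPACE_DIR.search(image) or TRAILING_SPACE_DIR.search(cmdline):
        reasons.append("trailing_space_system_path")
    if DEFENDER_EXCLUSION.search(cmdline):
        reasons.append("defender_exclusion_added")
    return reasons


def scan(events: List[str]) -> List[Tuple[str, List[str]]]:
    """Run detect() over 'image|cmdline' lines and keep only the events that fired."""
    hits = []
    for line in events:
        image, _, cmdline = line.partition("|")
        reasons = detect(image, cmdline)
        if reasons:
            hits.append((image, reasons))
    return hits


if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(reasons)}")
```

Three of the five constructed events fire; the legitimate svchost.exe and git.exe lines stay silent, which is the false-positive check worth keeping when tuning the trailing-space heuristic.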

Indicators of Compromise

  • [File Hash] MD5 hashes of DBatLoader samples – 7fa27c24b89cdfb47350ecfd70e30e93, a0a35155c0daf2199215666b00b9609c.
  • [URL] Telegram C2 URL used for data exfiltration – https[:]//api[.]telegram[.]org/bot8135369946[:]AAEGf2H0ErFZIOLbSXn5AVeBrxgB-x1Qmk/sendDocument?chatid=7009913093.
  • [File Names] Malicious files deployed include x.exe (DBatLoader), svchost.pif, netutils.dll, wxiygomE.pif, 5696.cmd, 8641.cmd, neo.cmd, and loader.exe (legitimate name with disguised file).
  • [Email] Phishing emails written in Turkish impersonating a Turkish bank with malicious compressed attachments containing BAT malware.


Read more: https://asec.ahnlab.com/en/88025/