Full Report
Recently, AhnLab SEcurity intelligence Center (ASEC) identified cases of the ModiLoader (DBatLoader) malware being distributed via email. ModiLoader ultimately executes SnakeKeylogger, an infostealer written in .NET that is known for exfiltrating stolen data over SMTP email, FTP, or Telegram. Figure 1 shows the email being distributed. The email is written […]
Analysis Summary
# Tool/Technique: ModiLoader / DBatLoader
## Overview
ModiLoader, also known as DBatLoader, is a malware loader distributed via phishing emails that ultimately executes the SnakeKeylogger stealer. It chains several layers of batch scripts with process manipulation, including renaming binaries to `.pif` files, DLL side-loading, Windows Defender exclusion changes, and process injection, to evade detection and run the final payload.
## Technical Details
- Type: Malware Family (Loader)
- Platform: Windows
- Capabilities: Initial access via phishing, multi-stage execution using batch scripts, process disguise, DLL side-loading, process injection, execution of keylogger.
- First Seen: Not explicitly stated, but recent distribution identified.
## MITRE ATT&CK Mapping
The chain involves multiple techniques (mapped from the behaviour described in the report):
- **Initial Access**
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment
- **Execution**
- T1059 - Command and Scripting Interpreter
- T1059.003 - Windows Command Shell (chained `.cmd` stages)
- T1059.001 - PowerShell (`neo.cmd` launches `powershell.exe`)
- **Defense Evasion**
- T1036 - Masquerading (`cmd.exe` copied to `alpha.pif`, loader run as `svchost.pif`, `.pif` extensions on non-shortcut files)
- T1027 - Obfuscated Files or Information (obfuscated batch stages)
- T1562.001 - Impair Defenses: Disable or Modify Tools (Windows Defender exclusion paths added via PowerShell)
- T1574.001 - Hijack Execution Flow: DLL (side-loading `netutils.dll` via `easinvoker.exe`; listed as T1574.002 DLL Side-Loading in ATT&CK versions before v16)
- T1055 - Process Injection
- T1497.003 - Virtualization/Sandbox Evasion: Time Based Evasion (`ping` used as a delay between stages)
- **Persistence**
- Not described in the report.
- **Credential Access**
- T1056.001 - Input Capture: Keylogging
- **Exfiltration**
- T1567 - Exfiltration Over Web Service (Telegram Bot API)
## Functionality
### Core Capabilities
- Delivery via email impersonating a Turkish bank, prompting the recipient to open a malicious attachment (a compressed file containing a BAT script).
- Multi-stage execution initiated by the initial BAT script, which decodes and executes DBatLoader (`x.exe`) from the `%temp%` directory.
- Uses obfuscated batch scripts (`5696.cmd`, `8641.cmd`, `neo.cmd`) for the successive stages of execution.
### Advanced Features
- **File/Process Disguise:** Creates files whose names mimic legitimate system artifacts and carry a `.pif` extension (e.g., copying `cmd.exe` to `alpha.pif`, running the loader as `svchost.pif`).
- **DLL Side-Loading:** Drops a malicious `netutils.dll` alongside a legitimate, signed program (`easinvoker.exe`), so that the legitimate process loads the malicious library from its own directory instead of the system copy.
- **Defense Bypass:** `neo.cmd` launches PowerShell, which adds subdirectories under `C:\` to Windows Defender's exclusion paths so that later stages dropped there are not scanned.
- **Loading Final Payload:** Executes SnakeKeylogger by injecting it into a legitimate MercuryMail binary (`loader.exe`, dropped under the name `wxiygomE.pif`).
## Indicators of Compromise
- File Hashes:
- MD5: `7fa27c24b89cdfb47350ecfd70e30e93`, `a0a35155c0daf2199215666b00b9609c`
- File Names:
- Initial: compressed attachment (RAR/ZIP) containing a BAT script.
- Stage 1: `x.exe` (DBatLoader in `%temp%`), batch scripts (`5696.cmd`, `8641.cmd`, `neo.cmd`).
- Stage 2: `svchost.pif`, `netutils.dll`, `wxiygomE.pif`.
- Stage 3: `alpha.pif`, `xkn.pif`.
- Registry Keys: Not specified.
- Network Indicators:
- Telegram C2 URL (defanged): `hxxps[:]//api[.]telegram[.]org/bot8135369946[:]AAEGf2H0ErFZIOLbSXn5AVeBr_xgB-x1Qmk/sendDocument?chat_id=7009913093`
- Behavioral Indicators:
- Use of `esentutl` command to copy `cmd.exe`.
- Use of `ping` command to introduce a 10-second delay.
- Execution of `powershell.exe` to modify Windows Defender exclusion settings.
- Evidence of DLL side-loading against `easinvoker.exe`.
## Associated Threat Actors
The article does not name the threat actor distributing this variant; the activity is characterised only by its tooling, DBatLoader delivering SnakeKeylogger as the final payload.
## Detection Methods
- Signature-based detection: signatures for the known malware hashes and file names.
- Behavioral detection: monitoring for chained execution of batch scripts, creation and execution of files with unusual extensions (`.pif`), suspicious use of `esentutl` (file copy) or `ping` (delay) for stage management, PowerShell adding Defender exclusion paths, and legitimate processes such as `easinvoker.exe` loading `netutils.dll` from a non-system directory.
- YARA rules: can be developed against the decoding routines or static strings in the DBatLoader binary or the associated batch scripts.
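The behavioural indicators above, turned into runnable detection logic, as an added example that is not part of the ASEC report or its tooling. The script scores flattened Sysmon-style process-creation and image-load records plus proxy records against the DBatLoader chain; the field names (`Image`, `CommandLine`, `ParentImage`, `ImageLoaded`, `Url`), the `PING_DELAY_MIN` threshold, the ATT&CK ids attached to each rule and all sample events (paths, hostnames, the Telegram token) are the editor's constructions, not values from the report.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

PING_DELAY_MIN = 5                      # assumption: -n >= 5 to loopback is a deliberate sleep
SYSTEM32 = r"c:\windows\system32"      # netutils.dll legitimately lives here


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str      # editor's approximate ATT&CK mapping, not from the report
    event_index: int
    detail: str


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower() if path else ""


def _dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower() if path else ""


def _proc(ev: dict, *images: str) -> bool:
    return ev.get("type") == "process" and _name(ev.get("Image", "")) in images


# --- one rule per behaviour; each returns a detail string or None -----------
def rule_esentutl_copy(ev):
    cl = ev.get("CommandLine", "").lower()
    if _proc(ev, "esentutl.exe") and "/y" in cl and "cmd.exe" in cl:
        return "esentutl /y used to copy cmd.exe"

def rule_ping_delay(ev):
    cl = ev.get("CommandLine", "")
    count = re.search(r"-n\s+(\d+)", cl)
    loopback = re.search(r"127\.0\.0\.1|localhost", cl, re.I)
    if _proc(ev, "ping.exe") and count and loopback and int(count.group(1)) >= PING_DELAY_MIN:
        return f"ping -n {count.group(1)} to loopback as a stage delay"

def rule_defender_exclusion(ev):
    if _proc(ev, "powershell.exe", "pwsh.exe") and re.search(
            r"(add|set)-mppreference.*-exclusionpath", ev.get("CommandLine", ""), re.I):
        return "Defender exclusion path added via PowerShell"

def rule_pif_execution(ev):
    if ev.get("type") == "process" and ev.get("Image", "").lower().endswith(".pif"):
        return f"process image with .pif extension: {ev['Image']}"

def rule_netutils_sideload(ev):
    loaded = ev.get("ImageLoaded", "")
    if (ev.get("type") == "imageload" and _name(ev.get("Image", "")) == "easinvoker.exe"
            and _name(loaded) == "netutils.dll" and _dir(loaded) != SYSTEM32):
        return f"netutils.dll loaded from {_dir(loaded)} instead of System32"

def rule_telegram_bot_api(ev):
    m = re.search(r"api\.telegram\.org/bot\d+:[\w-]+/send(Document|Message)", ev.get("Url", ""), re.I)
    if ev.get("type") == "network" and m:
        return f"Telegram Bot API {m.group(1)} call"


RULES = [
    ("esentutl_copies_cmd",      "T1036",     rule_esentutl_copy),
    ("ping_loopback_delay",      "T1497.003", rule_ping_delay),
    ("defender_exclusion_added", "T1562.001", rule_defender_exclusion),
    ("pif_process_execution",    "T1036",     rule_pif_execution),
    ("netutils_sideload",        "T1574.001", rule_netutils_sideload),
    ("telegram_bot_api",         "T1567",     rule_telegram_bot_api),
]


def scan(events: list) -> list:
    """Return one Finding per (event, rule) match, in event order."""
    return [Finding(name, tid, i, detail)
            for i, ev in enumerate(events)
            for name, tid, fn in RULES
            if (detail := fn(ev))]


def rules_hit(events: list) -> list:
    return sorted({f.rule for f in scan(events)})


# Constructed sample records (not from the report). Events 0-5 mirror the chain; 6-7 are benign.
SAMPLE_EVENTS = [
    {"type": "process", "Image": r"C:\Windows\System32\esentutl.exe",
     "CommandLine": r"esentutl /y C:\Windows\System32\cmd.exe /d C:\Users\Public\alpha.pif /o",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"type": "process", "Image": r"C:\Windows\System32\PING.EXE",
     "CommandLine": "ping -n 10 127.0.0.1", "ParentImage": r"C:\Users\Public\alpha.pif"},
    {"type": "process", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -WindowStyle Hidden Add-MpPreference -ExclusionPath 'C:\\Users\\Public'",
     "ParentImage": r"C:\Users\Public\alpha.pif"},
    {"type": "process", "Image": r"C:\Users\Public\svchost.pif",
     "CommandLine": r"C:\Users\Public\svchost.pif", "ParentImage": r"C:\Users\Public\alpha.pif"},
    {"type": "imageload", "Image": r"C:\Users\Public\easinvoker.exe",
     "ImageLoaded": r"C:\Users\Public\netutils.dll"},
    {"type": "network", "Image": r"C:\Users\Public\wxiygomE.pif",
     "Url": "https://api.telegram.org/bot1234567890:AAExampleTokenNotReal/sendDocument?chat_id=1"},
    {"type": "process", "Image": r"C:\Windows\System32\PING.EXE",
     "CommandLine": "ping -n 1 8.8.8.8", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"type": "imageload", "Image": r"C:\Program Files\Vendor\easinvoker.exe",
     "ImageLoaded": r"C:\Windows\System32\netutils.dll"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.technique}] event {f.event_index}: {f.rule} - {f.detail}")
```

The side-load rule keys on the load directory rather than the DLL name alone: `netutils.dll` is a genuine Windows library, so `easinvoker.exe` loading it from `System32` is expected and only a copy in the application's own directory is suspicious. Likewise the `ping` rule only fires on loopback targets with a large `-n` count, which keeps ordinary connectivity checks out of the alert stream.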
## Mitigation Strategies
- Prevention measures: implement robust email filtering to block the initial access vector (phishing emails with compressed script attachments), and enable attachment analysis that inspects archive contents.
- Hardening recommendations: block execution of batch scripts and `.pif` files from user-writable locations (e.g., with AppLocker or WDAC), monitor and restrict changes to Windows Defender exclusion paths, train users to scrutinise emails that appear to come from banks, and keep security products (EDR/AV) updated.
## Related Tools/Techniques
- **SnakeKeylogger:** The final stealer payload executed by DBatLoader.
- **Legitimate Utilities Used Maliciously:** `cmd.exe`, `powershell.exe`, `esentutl.exe`, `extrac32.exe` used for defense evasion and file manipulation.
- **Techniques:** DLL Side-Loading (T1574.001), Process Injection (T1055).