Full Report
In December 2024, AhnLab SEcurity intelligence Center (ASEC) identified, through AhnLab's email honeypot, the distribution of malware using an MS Windows batch file (*.cmd) that carries a CAB file header. The malware, known as ModiLoader (DBatLoader), was being distributed through purchase order (PO) lures. The difference from the past cases is that while the current malware uses the *.cmd (batch […]
Analysis Summary
# Tool/Technique: ModiLoader (DBatLoader) CAB Loader Variant
## Overview
ModiLoader (also known as DBatLoader) is a malware loader being distributed using a novel technique that leverages the MS Windows CAB file header structure embedded within a traditional batch file (`.cmd`). This allows the loader to self-extract its payload (an executable) into the `%temp%` directory and execute it, bypassing standard email security checks through header manipulation.
## Technical Details
- Type: Malware Loader (Variant leveraging file format abuse)
- Platform: MS Windows
- Capabilities: Self-decompression via `extrac32`, delivery of a secondary PE file, execution of the payload.
- First Seen: Distribution identified in December 2024.
## MITRE ATT&CK Mapping
- TA0002 - Execution
  - T1204 - User Execution
    - T1204.002 - Malicious File
- TA0005 - Defense Evasion
  - T1027 - Obfuscated Files or Information
    - T1027.005 - Compressed Format (abusing a CAB structure inside a CMD file)
## Functionality
### Core Capabilities
- **Loader Functionality:** The primary purpose is to download or execute subsequent malware payloads (PE files).
- **Self-Extraction:** Utilizes the Windows built-in utility `extrac32` to decompress components embedded within itself.
- **Execution Flow:**
  1. `cmd.exe` interprets the file as a batch script; the leading obfuscated header bytes are not valid commands and are passed over until the real command lines are reached.
  2. Decompresses the embedded CAB structure from the script itself using `extrac32 "%~f0" "%tmp%\x.exe"`.
  3. Executes the resulting executable file: `start "" "%tmp%\x.exe"`.
### Advanced Features
- **File Header Manipulation (Obfuscation):** The malicious file disguises itself as a `.cmd` batch file but contains a valid CAB header structure (`MSCF` magic) necessary for `extrac32` to work.
- **Evasion Tactic:** The archive structure reportedly includes benign data (like an image file header, suspected PNG) prepended to the true CAB structure, likely intended to trick file filtering or automatic inspection systems used by email gateways.
## Indicators of Compromise
- File Hashes:
  - MD5: `c4a6a2895bdbfab657a516abf9ce7780`, `c6fc475a21d8114788d4d0ac4299c317`
- File Names: `PO_SK336.cmd` (example associated with PO-themed lures)
- Registry Keys: N/A (the payload is dropped to `%temp%`)
- Network Indicators: C2 addresses for the loader or its subsequent payload are not specified in this summary; only the initial dropper execution is covered.
- Behavioral Indicators: Command lines invoking `extrac32` against a batch file; appearance of new executables in `%tmp%`.
## Associated Threat Actors
- The distributor of this specific variant is not explicitly named in the summary, but previous occurrences of ModiLoader/DBatLoader have been associated with various financially motivated groups.
## Detection Methods
- Signature-based detection: Signatures based on the identified MD5 hashes.
- Behavioral detection: Monitoring for the execution of batch files that call `extrac32` to write an executable file into the `%temp%` directory, especially when combined with suspicious preambles or file headers.
- YARA rules (if available): Match the `MSCF` magic header combined with batch command-line patterns (`extrac32`, `%~f0`, `start`) inside files that carry a script extension but are in fact CAB archives disguised as batch scripts.
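As an added illustration of the behavioral and YARA-style checks above (example code, not from the ASEC report or the malware): a Python scanner that looks for a plausible CFHEADER anywhere in a batch file, so prepended image bytes cannot hide it, and pairs that with the `extrac32 "%~f0"` self-extraction pattern. The sample input is constructed, not the real dropper.

```python
import re
import struct

CAB_MAGIC = b"MSCF"
# Batch lines the report describes: extrac32 run on the script itself (%~f0), then start.
SELF_EXTRACT_RE = re.compile(rb'extrac32\s+"?%~f0"?', re.IGNORECASE)
START_EXE_RE = re.compile(rb'\bstart\b[^\r\n]*\.exe', re.IGNORECASE)

def parse_cfheader(data: bytes, offset: int):
    """Parse the fixed 36-byte CFHEADER at `offset`; return None if it is not plausible."""
    if data[offset:offset + 4] != CAB_MAGIC or len(data) < offset + 36:
        return None
    (cb_cabinet, coff_files, ver_minor, ver_major,
     c_folders, c_files, flags) = struct.unpack_from("<4xI4xI4xBBHHH", data, offset + 4)
    # Real cabinets are format version 1.3, have at least one folder and file,
    # and point coffFiles somewhere inside the cabinet.
    if (ver_major, ver_minor) != (1, 3) or c_folders == 0 or c_files == 0:
        return None
    if not (36 <= coff_files < cb_cabinet):
        return None
    return {"cb_cabinet": cb_cabinet, "coff_files": coff_files,
            "folders": c_folders, "files": c_files, "flags": flags}

def scan_batch_for_cab_loader(data: bytes) -> dict:
    """Flag a .cmd/.bat file that carries a CAB structure plus a self-extraction command."""
    result = {"cab_offset": None, "cab_header": None,
              "self_extract": False, "starts_exe": False}
    pos = data.find(CAB_MAGIC)
    while pos != -1:                      # MSCF may follow prepended junk (e.g. a PNG header)
        header = parse_cfheader(data, pos)
        if header is not None:
            result["cab_offset"], result["cab_header"] = pos, header
            break
        pos = data.find(CAB_MAGIC, pos + 1)
    result["self_extract"] = SELF_EXTRACT_RE.search(data) is not None
    result["starts_exe"] = START_EXE_RE.search(data) is not None
    result["verdict"] = result["cab_offset"] is not None and result["self_extract"]
    return result

def build_constructed_sample() -> bytes:
    """Constructed input (not the real sample): PNG-like preamble, minimal CFHEADER, batch lines."""
    preamble = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
    batch = (b'\r\n@echo off\r\nextrac32 "%~f0" "%tmp%\\x.exe"\r\n'
             b'start "" "%tmp%\\x.exe"\r\nexit\r\n')
    body = b"\x00" * 40 + batch            # stand-in for CFFOLDER/CFFILE/CFDATA blocks
    header = struct.pack("<4s4xI4xI4xBBHHHHH", CAB_MAGIC, 36 + len(body), 36,
                         3, 1, 1, 1, 0, 0, 0)
    return preamble + header + body

if __name__ == "__main__":
    print(scan_batch_for_cab_loader(build_constructed_sample()))
```

Pointing the scanner at a directory of mail attachments with script extensions is the intended use; a hit on both the header and the self-extraction pattern is the signal worth alerting on.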
## Mitigation Strategies
- **Email Security:** Implement stricter checks on attachments that combine script elements (`.cmd`) with compressed file headers or unusual file structures.
- **Application Control:** Restrict the execution of utilities like `extrac32` or mandate whitelisting for scripts interacting with system utilities in unusual ways.
- **User Awareness:** Educate users to be highly cautious of purchase order (PO) themed emails requesting immediate execution of attached files.
## Related Tools/Techniques
- ModiLoader/DBatLoader (The underlying malware payload)
- File format abuse techniques that rely on legitimate system tools (`extrac32`, `certutil`, etc.) for self-extraction or payload delivery.