ModiLoader Trojan Infiltrates Windows Machines to Exfiltrate User Credentials

The AhnLab Security Intelligence Center (ASEC) uncovered an active malware campaign delivering the ModiLoader Trojan, also known as DBatLoader, via email to Windows users.

The campaign revolves around meticulously crafted phishing emails, primarily written in Turkish and masquerading as official correspondence from a prominent Turkish bank.

The malicious emails typically entice recipients to review their transaction history by opening an attached compressed archive containing a BAT file, which kickstarts the infection process.

Figure: Email body

Multi-Stage Payload Delivery

Upon opening the BAT file, the script decodes a Base64-encoded payload into x.exe in the user’s %temp% directory and executes it.

This payload, the DBatLoader malware, orchestrates a series of sophisticated evasion and privilege escalation techniques.

It employs several obfuscated BAT scripts (5696.cmd, 8641.cmd, and neo.cmd) alongside files such as svchost.pif, netutils.dll, and wxiygomE.pif to bypass security controls and execute the final malicious payload.

Figure: DBatLoader decrypting the BAT script

One notable evasion technique involves copying cmd.exe as alpha.pif using the Esentutl command and creating a fake “Windows \SysWow64” directory, whose name carries a deceptive space after “Windows” so that it resembles the real system path.

The loader then drops a program named svchost.pif into this directory; it is actually a renamed copy of the legitimate Windows binary easinvoker.exe.

By placing a malicious netutils.dll in the same folder, DBatLoader exploits DLL side-loading, causing the legitimate process to execute malicious code while avoiding detection by security software.

Further, the malware uses the extrac32 command to copy powershell.exe under an inconspicuous name (xkn.pif) and alters Windows Defender’s exclusion paths through PowerShell commands.

This ensures that subdirectories under “C:” are excluded from real-time protection, significantly decreasing the likelihood of detection and remediation.
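The evasion steps above (LOLBin copies to .pif names, the “Windows ” look-alike directory, and the Defender exclusion added from PowerShell) each leave a trace in process-creation telemetry. The following detection sketch is an added example, not code from ASEC or from the report; the sample events, paths and command-line arguments are constructed for illustration and are not indicators from the campaign.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (parent_image|image|command_line).
# Paths and arguments are assumptions for illustration, not values from the report.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\cmd.exe|C:\Windows\System32\esentutl.exe|esentutl /y C:\Windows\System32\cmd.exe /d C:\Users\Public\alpha.pif /o",
    r"C:\Users\Public\alpha.pif|C:\Windows\System32\extrac32.exe|extrac32 /Y /C C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Public\xkn.pif",
    r"C:\Users\Public\alpha.pif|C:\Users\Public\xkn.pif|xkn.pif -Command Add-MpPreference -ExclusionPath 'C:\'",
    r"C:\Users\Public\alpha.pif|C:\Windows \SysWOW64\svchost.pif|svchost.pif",
    r"C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe report.txt",
]

# Each rule is (name, predicate over (parent, image, cmdline)).
RULES = [
    # esentutl or extrac32 writing a copy under a .pif name (cmd.exe -> alpha.pif, powershell.exe -> xkn.pif)
    ("lolbin_copy_to_pif", lambda p, i, c: i.lower().rsplit("\\", 1)[-1] in ("esentutl.exe", "extrac32.exe") and ".pif" in c.lower()),
    # a Defender exclusion path being added from a PowerShell command line
    ("defender_exclusion_added", lambda p, i, c: re.search(r"add-mppreference\s+.*-exclusionpath", c, re.I) is not None),
    # image loaded from a look-alike system directory with a trailing space ("Windows \")
    ("spoofed_windows_dir", lambda p, i, c: re.search(r"\\windows \\", i, re.I) is not None),
    # any process whose image is a .pif file (renamed cmd.exe, powershell.exe, easinvoker.exe)
    ("pif_image", lambda p, i, c: i.lower().endswith(".pif")),
]

def detect(event):
    """Return the names of all rules that fire on one event line, in rule order."""
    parent, image, cmdline = event.split("|", 2)
    return [name for name, pred in RULES if pred(parent, image, cmdline)]

def scan(events):
    """Map each rule name that fired to the list of event indexes it matched."""
    hits = defaultdict(list)
    for idx, event in enumerate(events):
        for name in detect(event):
            hits[name].append(idx)
    return dict(hits)

if __name__ == "__main__":
    for rule, idxs in scan(SAMPLE_EVENTS).items():
        print(f"{rule}: events {idxs}")
```

Individually, a .pif image or an esentutl copy is only suspicious; the same parent chain hitting three or four of these rules within minutes is what separates this loader from benign administration.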

SnakeKeylogger Deployment

The attack culminates with the installation of SnakeKeylogger, a potent infostealer developed in .NET.

After evading detection, DBatLoader creates a file named wxiygomE.pif, which is actually a modified module from the legitimate MercuryMail program.

This process serves as a host for code injection, allowing the keylogger to operate under the guise of a trusted application.

According to the report, SnakeKeylogger then initiates its core functionality: the surreptitious collection of sensitive information, including system details, keystrokes, and clipboard data.

Exfiltration is conducted using a variety of channels such as email, FTP, SMTP, or, in this campaign, Telegram.

The malware’s configuration includes a Telegram bot token, enabling the automated transmission of stolen data directly to the threat actor’s command-and-control (C2) infrastructure via the Telegram messaging platform.

This campaign exemplifies the layered, evasive strategies contemporary malware leverages, including DLL side-loading, abuse of legitimate Windows processes, and script-based policy manipulation.

ModiLoader’s focus on exploiting legitimate processes makes detection particularly challenging, especially for individual users.

To mitigate such threats, users are strongly advised to exercise caution with unexpected email attachments, particularly those with script-based extensions, and to maintain up-to-date security solutions.

Indicators of Compromise (IOC)

MD5: 7fa27c24b89cdfb47350ecfd70e30e93
MD5: a0a35155c0daf2199215666b00b9609c
C2 URL: https://api.telegram.org/bot8135369946:AAEGf2H0ErFZIOLbSXn5AVeBr_xgB-x1Qmk/sendDocument?chat_id=7009913093

Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
