DBatLoader distributed as a CMD file

  • AhnLab Security Intelligence Center (ASEC) confirmed that the DBatLoader (ModiLoader) downloader is being distributed as CMD files. It was previously delivered in phishing emails as RAR archives containing EXE files.
  • The CMD file begins with the bytes FF FE, the UTF-16LE byte order mark (BOM). Opened in a text editor, the script body is not displayed correctly; stripping the two BOM bytes, or converting the file to UTF-8, makes the code readable.
  • The file does not execute on Korean Windows but does execute on English Windows. The difference comes from the code page cmd.exe uses: English Windows defaults to the single-byte OEM code page 437, while Korean Windows uses code page 949, a double-byte character set, so cmd.exe tokenizes the same byte sequence differently on the two systems.
  • The batch script itself is obfuscated; see the linked ASEC post for the full analysis.
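The BOM trick and the code-page dependence above are easy to check for during triage. The following Python helper is an added example and is not code from the ASEC post; it detects a leading UTF-16LE BOM on a .cmd/.bat file, decides whether the body is genuinely UTF-16LE or single-byte text behind a misleading BOM, returns a readable decoding for analysis, and reports whether the raw bytes decode cleanly under cp437 and cp949. The sample scripts inside it are constructed for the example, not the real DBatLoader file.

```python
"""Triage helper for batch files that start with a UTF-16LE byte order mark.

Added example (not from the ASEC post). Sample inputs are constructed.
"""
import codecs

UTF16LE_BOM = b"\xff\xfe"


def has_utf16le_bom(data: bytes) -> bool:
    """True if the file starts with the UTF-16LE BOM bytes FF FE."""
    return data[:2] == UTF16LE_BOM


def looks_like_utf16le(body: bytes) -> bool:
    """Heuristic: ASCII text encoded as UTF-16LE has a NUL in every odd byte.

    A body that is really single-byte text behind a bogus BOM has almost no
    NULs, so this separates 'genuine UTF-16LE' from 'BOM stuck on ANSI text'.
    """
    if len(body) < 2:
        return False
    high_bytes = body[:512][1::2]
    return high_bytes.count(0) >= 0.9 * len(high_bytes)


def decode_for_analysis(data: bytes) -> tuple[str, str]:
    """Return (encoding_used, readable_text) for a possibly BOM-prefixed script.

    If the BOM is present the BOM is stripped; the body is then decoded as
    UTF-16LE when it really is UTF-16LE, otherwise as cp437 (the English
    Windows OEM code page), which is how an English cmd.exe would see it.
    """
    if has_utf16le_bom(data):
        body = data[2:]
        if looks_like_utf16le(body):
            return "utf-16-le", body.decode("utf-16-le", errors="replace")
        return "cp437", body.decode("cp437", errors="replace")
    return "cp437", data.decode("cp437", errors="replace")


def decodes_cleanly(data: bytes, codepage: str) -> bool:
    """True if every byte of the file (BOM included) is valid in this code page.

    Single-byte cp437 accepts any byte; cp949 rejects 0xFF, which is not a
    valid lead or trail byte there, so the same file splits the two systems.
    """
    try:
        codecs.decode(data, codepage, errors="strict")
    except UnicodeDecodeError:
        return False
    return True


def triage(data: bytes) -> dict:
    """Summarise the BOM / code-page findings for one file."""
    encoding, text = decode_for_analysis(data)
    return {
        "bom": has_utf16le_bom(data),
        "genuine_utf16le": has_utf16le_bom(data) and looks_like_utf16le(data[2:]),
        "decoded_as": encoding,
        "first_line": text.splitlines()[0] if text else "",
        "valid_cp437": decodes_cleanly(data, "cp437"),
        "valid_cp949": decodes_cleanly(data, "cp949"),
    }


# Constructed samples: ANSI text with a UTF-16LE BOM glued on the front,
# and the same script genuinely encoded as UTF-16LE.
SCRIPT = "@echo off\r\necho hello\r\n"
BOM_PLUS_ANSI = UTF16LE_BOM + SCRIPT.encode("ascii")
BOM_PLUS_UTF16 = UTF16LE_BOM + SCRIPT.encode("utf-16-le")

if __name__ == "__main__":
    for name, sample in (("bom+ansi", BOM_PLUS_ANSI), ("bom+utf16", BOM_PLUS_UTF16)):
        print(name, triage(sample))
```

Run it on a suspect .cmd file by reading the bytes and calling `triage()`; a file reported with `bom=True`, `genuine_utf16le=False` and `valid_cp949=False` matches the pattern described above, and `decode_for_analysis()` gives you the readable script to hand to deobfuscation.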

https://asec.ahnlab.com/ko/66901/