Efficient Distribution of DBatLoader via CMD Files

AhnLab SEcurity intelligence Center (ASEC) has recently discovered malware being distributed through CMD files and identified it as a downloader called DBatLoader (ModiLoader) that had been distributed before via phishing emails in RAR file format containing an EXE file.

The file begins with the bytes “FF, FE”, the byte order mark for “UTF-16LE”, so when the file was opened in a text editor the code inside was not displayed correctly.

Figure 1. Code not displayed correctly

However, if “FF, FE” is deleted or the file is converted to “UTF-8”, the actual code becomes visible.

Figure 2. Code displayed correctly

The file does not run on Korean versions of Windows and only runs on English versions, because the default code page used by cmd.exe differs between the two.

The code itself is obfuscated, and the file contains a Base64-encoded EXE file.

Figure 3. Obfuscated CMD file

When the CMD file is executed, it uses extrac32.exe, a default Windows program, to save the files cmd.exe and certutil.exe to a shared folder as alpha.exe and kn.exe. Afterward, it decodes the data within the CMD file, changes the file extension to “.pif”, and then executes it.

Figure 4. Final command for execution

The key commands are as follows.

certutil -decodehex -F "C:\Users\User10\Desktop\omitted\Sample.bat" "C:\Users\Public\Audio.mp4" 9

certutil -decodehex -F "C:\Users\Public\Audio.mp4" "C:\Users\Public\Libraries\Audio.pif" 12

The “-decodehex” argument decodes hex-encoded data. Because the data embedded in the CMD file starts with “-----BEGIN X509 CRL-----” (the marker for the start of an X.509 certificate revocation list (CRL)), it would not be decoded correctly as plain hex.

However, the encoding type is explicitly set to “9” for the decode. Type “9” denotes Base64 data enclosed between lines of the form “-----BEGIN ------” and “-----END ------”.

Figure 5. Explanation by type [1]

This makes the decode possible: the Base64 body is decoded, the resulting hex data is decoded in a second certutil run with the type set to “12”, and the output is DBatLoader. Note that when no type is given, “-decodehex” decodes hex data by default.

Figure 6. Decoding example
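The two-stage decode described above, reproduced as an added triage helper that is not part of the original analysis: it reads a UTF-16LE CMD file, strips the X509 CRL framing and Base64-decodes the body (what certutil type 9 does), then hex-decodes that output (type 12). The sample CMD file and the function names are constructed for this example.

```python
import base64
import binascii
import re

# Matches the PEM-style framing certutil type 9 expects around the Base64 body.
CRL_BLOCK = re.compile(
    r"-----BEGIN X509 CRL-----\s*(.*?)\s*-----END X509 CRL-----", re.DOTALL)


def read_cmd_text(raw: bytes) -> str:
    """Decode the CMD file, honouring a leading UTF-16LE BOM (FF FE)."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


def stage1_base64_crl(text: str) -> bytes:
    """Stage 1 (certutil type 9): Base64 between BEGIN/END X509 CRL lines."""
    m = CRL_BLOCK.search(text)
    if not m:
        raise ValueError("no X509 CRL-framed block found")
    return base64.b64decode("".join(m.group(1).split()))


def stage2_hexraw(data: bytes) -> bytes:
    """Stage 2 (certutil type 12): the first stage yields raw hex text."""
    return binascii.unhexlify("".join(data.decode("ascii").split()))


def extract_payload(raw: bytes) -> bytes:
    """Full chain: CMD bytes -> Base64 body -> hex text -> embedded executable."""
    return stage2_hexraw(stage1_base64_crl(read_cmd_text(raw)))


def build_sample(payload: bytes) -> bytes:
    """Constructed stand-in for the CMD file: hex, then Base64 inside CRL
    framing, written as UTF-16LE with a BOM. Not the real sample."""
    hex_text = binascii.hexlify(payload).decode()
    b64 = base64.encodebytes(hex_text.encode()).decode()
    text = ("@echo off\r\nrem junk\r\n-----BEGIN X509 CRL-----\r\n" + b64 +
            "-----END X509 CRL-----\r\n")
    return b"\xff\xfe" + text.encode("utf-16-le")


if __name__ == "__main__":
    fake_exe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"  # constructed, not a real PE
    out = extract_payload(build_sample(fake_exe))
    print("MZ header found" if out[:2] == b"MZ" else "not PE", len(out), "bytes")
```

On a real file, checking that the final output starts with “MZ” is a quick confirmation that the decode chain ran as the commands above intend.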

The decoded DBatLoader is an EXE file compiled in Delphi. It loads the DLL contained inside, gets additional data from an external source, and decodes it before executing it.

Figure 7. Ultimately decoded DBatLoader

Further investigation on the type revealed that it is being distributed in phishing emails as compressed CMD files instead of EXE files, just like the distribution method from the past.

Figure 8. Phishing email distributing DBatLoader

To prevent damage, users must be cautious when opening emails from unknown sources. Users must also keep V3 anti-malware programs updated to the latest version, apply security updates for operating systems, and update internet browsers (IE, Chrome, Firefox, etc.) to the latest version to reduce exposure to vulnerability attacks.

[File Detection]
Dropper/BAT.ModiLoader (2024.06.06.00)
Trojan/Win.ModiLoader.R652278 (2024.06.06.00)

MD5
B9C3113BC5B603809DAC2515DD03E9FA (CMD file)
8304C3170AD657E61B4352D0E7649B97 (DBatLoader)

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

The post DBatLoader Distributed via CMD Files appeared first on ASEC BLOG.