In December 2024, AhnLab identified ModiLoader (DBatLoader) malware being distributed as a batch file (*.cmd) that carries a CAB compression header, a technique chosen to bypass email security products. The malware arrives as a purported purchase order and abuses the CAB format so that the same file is accepted as a cabinet by scanners yet executed as a batch script. Reported by: AhnLab Security intelligence Center (ASEC)
Key points:
- ModiLoader (DBatLoader) malware identified in December 2024.
- Distributed through purchase orders (PO) using a batch file (*.cmd).
- Abuses CAB compression header format for execution.
- Altered file headers to bypass email security products.
- Malicious batch file executed via command line instructions.
- Users are advised to be cautious with attached files.
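The key points above describe an attachment whose extension (.cmd) contradicts its leading bytes (the CAB "MSCF" signature). The following is an added example, not ASEC's code, of a mail-gateway style check that surfaces exactly that contradiction: it sniffs the magic bytes, compares them with the extension, and, for CAB data, parses the CFHEADER to see whether the declared cabinet size (cbCabinet) covers the whole file, which would otherwise leave room for trailing script text. The sample bytes and the function names are constructed for illustration; only the file name PO_SK336.cmd comes from the article.

```python
"""Flag attachments whose extension contradicts their magic bytes.

Added example (not ASEC's code). Sample data below is constructed; the
structure layout follows the documented CAB CFHEADER format.
"""
import os
import struct

# CAB CFHEADER, 36 bytes, little-endian: signature, reserved1, cbCabinet,
# reserved2, coffFiles, reserved3, versionMinor, versionMajor, cFolders,
# cFiles, flags, setID, iCabinet
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")

# Leading-byte signatures of container formats a script file should never start with
MAGICS = {b"MSCF": "cab", b"MZ": "pe", b"PK\x03\x04": "zip"}
SCRIPT_EXTS = {".cmd", ".bat"}


def sniff_magic(data: bytes):
    """Return the container type implied by the first bytes, or None."""
    for magic, kind in MAGICS.items():
        if data.startswith(magic):
            return kind
    return None


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Compare the extension with the content's magic bytes; for CAB data also
    check that cbCabinet matches the real file size (trailing data is suspicious)."""
    ext = os.path.splitext(filename)[1].lower()
    kind = sniff_magic(data)
    findings = []
    if ext in SCRIPT_EXTS and kind is not None:
        findings.append(f"script extension {ext} but content starts as {kind}")
    if kind == "cab" and len(data) >= CFHEADER.size:
        cb_cabinet = CFHEADER.unpack_from(data)[2]
        if cb_cabinet != len(data):
            findings.append(
                f"cbCabinet={cb_cabinet} but file is {len(data)} bytes "
                "(data follows the cabinet)"
            )
    return {"ext": ext, "kind": kind, "mismatch": bool(findings), "findings": findings}


# Constructed sample: a minimal CFHEADER (zero folders, zero files) followed by a
# harmless batch line, under the file name reported in the article.
SAMPLE_NAME = "PO_SK336.cmd"
SAMPLE_DATA = CFHEADER.pack(
    b"MSCF", 0, CFHEADER.size, 0, CFHEADER.size, 0, 3, 1, 0, 0, 0, 0, 0
) + b"\r\necho constructed sample\r\n"

if __name__ == "__main__":
    for name, blob in [(SAMPLE_NAME, SAMPLE_DATA), ("notes.cmd", b"@echo off\r\necho hi\r\n")]:
        print(name, inspect_attachment(name, blob))
```

A plain batch file has no recognised magic, so it produces no findings; the constructed sample triggers both the extension/content mismatch and the size mismatch. In a real gateway this check belongs alongside, not instead of, signature scanning, since it only says that the file is not what its name claims.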
MITRE Techniques:
- T1203 – Exploitation for Client Execution: The malware exploits the CAB header format to execute commands.
- T1059 – Command and Scripting Interpreter: The CMD batch file executes commands to extract and run the malware.
- T1200 – Hardware Additions: The use of a compressed file with altered headers to bypass security measures.
Indicators of Compromise:
- [file hash] c4a6a2895bdbfab657a516abf9ce7780
- [file hash] c6fc475a21d8114788d4d0ac4299c317
- [file name] PO_SK336.cmd
- [other IoC] CAB file with MSCF magic header
- See the full article for the complete list of IoCs.
Full Research: https://asec.ahnlab.com/en/85834/