DBatLoader Distributed via CMD Files

June 27, 2024, 9:56 a.m.

Description

A cybersecurity analysis has identified a malicious campaign distributing a downloader, tracked as DBatLoader (also known as ModiLoader), through CMD files disguised as innocuous documents. The campaign uses phishing emails carrying compressed archives that contain the CMD files; when a recipient executes one on an English-language Windows system, the script passes through obfuscation and several decoding stages before dropping the final payload. DBatLoader itself is a Delphi-compiled executable that retrieves and loads additional malicious components from external sources. The campaign illustrates how plain batch scripts, delivered inside archives, remain an effective and stealthy delivery vector.
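The triage check a mail-gateway or SOC analyst would want for this pattern is one that opens the compressed attachment, finds any CMD/BAT members, and scores them for the traits the description names: obfuscation, an embedded encoded stage, and a built-in tool used to decode or fetch the next stage. The script below is an added example written for this page, not code from the original report or from any DBatLoader sample. The sample archive, the script text inside it, the double-extension lure list, the stager watch-list and every threshold are constructed assumptions; the report does not disclose which obfuscation method or decoding chain the campaign actually used.

```python
"""Triage a compressed attachment for obfuscated CMD/BAT droppers.

Added example for this page; thresholds, watch-lists and the sample archive
are assumptions chosen for illustration, not indicators from the campaign.
"""
import io
import math
import re
import zipfile

SCRIPT_EXTS = (".cmd", ".bat")
# Extensions a dropper hides behind, e.g. "invoice.pdf.cmd" (assumed lure list).
LURE_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
# Built-in tools batch droppers use to decode or fetch a next stage (assumed list).
STAGER_RE = re.compile(
    r"\b(powershell|certutil|bitsadmin|mshta|wscript|cscript|findstr|curl)\b", re.I
)
# Heuristic thresholds (assumptions).
MAX_CARET_RATIO = 0.02    # '^' density typical of caret obfuscation
MAX_LINE_LEN = 1000       # encoded blobs produce very long lines
MIN_BLOB_ENTROPY = 5.0    # bits/byte of the largest "::" comment line


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze_script(name: str, data: bytes) -> dict:
    """Score one CMD/BAT member; 'suspicious' needs at least two independent hits."""
    text = data.decode("latin-1")          # batch files are single-byte text
    lines = text.splitlines() or [""]
    caret_ratio = text.count("^") / max(len(text), 1)
    longest = max(len(ln) for ln in lines)
    # Strip carets before matching so "c^e^r^t^u^t^i^l" is seen as certutil.
    stagers = sorted({m.lower() for m in STAGER_RE.findall(text.replace("^", ""))})
    # A payload appended as "::" comment lines is a common self-extracting trick.
    blobs = [ln[2:].strip().encode("latin-1") for ln in lines if ln.startswith("::")]
    blob_entropy = max((shannon_entropy(b) for b in blobs), default=0.0)
    parts = name.lower().split(".")
    double_ext = len(parts) >= 3 and parts[-2] in LURE_EXTS

    reasons = []
    if double_ext:
        reasons.append("double extension")
    if caret_ratio > MAX_CARET_RATIO:
        reasons.append(f"caret obfuscation ({caret_ratio:.3f})")
    if longest > MAX_LINE_LEN:
        reasons.append(f"long line ({longest} chars)")
    if blob_entropy > MIN_BLOB_ENTROPY:
        reasons.append(f"high-entropy comment blob ({blob_entropy:.2f} bits/byte)")
    if stagers:
        reasons.append("stager tools: " + ", ".join(stagers))
    return {
        "name": name, "caret_ratio": caret_ratio, "blob_entropy": blob_entropy,
        "stagers": stagers, "reasons": reasons, "suspicious": len(reasons) >= 2,
    }


def triage_archive(zip_bytes: bytes) -> list:
    """Return one verdict dict per archive member; only scripts are scored."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.filename.lower().endswith(SCRIPT_EXTS):
                results.append(analyze_script(info.filename, zf.read(info)))
            else:
                results.append({"name": info.filename, "suspicious": False, "reasons": []})
    return results


# Constructed sample: caret-obfuscated "set", findstr pulls the "::" line out of
# the script itself, certutil decodes it, and the result is started. The blob is
# a placeholder (the base64 alphabet twice), not a real payload.
SAMPLE_CMD = b"""@echo off
s^e^t "d=c^e^r^t^u^t^i^l"
findstr /b "::" "%~f0" > "%temp%\\p.b64"
%d% -decode "%temp%\\p.b64" "%temp%\\p.exe"
start "" "%temp%\\p.exe"
::ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
"""
BENIGN_CMD = b"@echo off\ndel /q \"%temp%\\*.tmp\"\n"   # constructed benign control


def build_sample_archive() -> bytes:
    """Build the constructed test archive in memory (no files written)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.pdf.cmd", SAMPLE_CMD)
        zf.writestr("cleanup.cmd", BENIGN_CMD)
        zf.writestr("readme.txt", b"Please see the attached invoice.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for r in triage_archive(build_sample_archive()):
        print(f'{r["name"]:18} {"SUSPICIOUS" if r["suspicious"] else "ok":10} {"; ".join(r["reasons"])}')
```

The two-hit rule matters in practice: a caret or a lone `findstr` appears in plenty of legitimate administrative scripts, so a single heuristic would flag the benign `cleanup.cmd` too. Extend `STAGER_RE` and `LURE_EXTS` from your own telemetry rather than trusting the assumed lists here.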

Date

  • Created: June 27, 2024, 9:26 a.m.
  • Published: June 27, 2024, 9:26 a.m.
  • Modified: June 27, 2024, 9:56 a.m.

Attack Patterns

  • ModiLoader (malware)
  • DBatLoader (malware)
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1204.002 User Execution: Malicious File
  • T1105 Ingress Tool Transfer
  • T1566.001 Phishing: Spearphishing Attachment
  • T1027 Obfuscated Files or Information