Modiloader From Obfuscated Batch File

Dec. 23, 2024, 3:17 p.m.

Description

An investigation of a file named 'Albertsons_payment.GZ' revealed a sophisticated malware delivery chain. The file, initially disguised as an image, was actually a Windows Cabinet file containing an obfuscated batch script. This script employed string slicing techniques to reconstruct commands and used LOLbins like extrac32.exe to evade detection. The payload, identified as Modiloader, a Delphi-based malware, was extracted using certutil.exe. The final stage attempted to fetch additional content from a URL, but failed in the analysis environment. This attack demonstrates the use of complex obfuscation and living-off-the-land techniques to deliver malware.
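To triage a script like the one described, a defender can statically expand the cmd.exe substring slices (`%VAR:~start,len%`) and see which LOLBins surface once the pieces are joined. The following Python is an added example, not code from this report; the batch snippet embedded in it is a constructed stand-in, not the real 'Albertsons_payment.GZ' script.

```python
import re

# Constructed sample of a slice-obfuscated batch script (not the script from the report).
SAMPLE_BAT = r"""@echo off
set abc=certutil -decode extrac32 cmd
set x=%abc:~0,8%
set y=%abc:~9,7%
set z=%abc:~17,8%
%z% /Y payload.cab .
%x% %y% in.txt out.exe
"""

LOLBINS = {"certutil", "extrac32", "mshta", "rundll32", "regsvr32", "bitsadmin"}
SET_RE = re.compile(r'^\s*set\s+"?([A-Za-z_]\w*)=(.*?)"?\s*$', re.I | re.M)
SLICE_RE = re.compile(r'%([A-Za-z_]\w*):~(-?\d+)(?:,(-?\d+))?%')
VAR_RE = re.compile(r'%([A-Za-z_]\w*)%')

def cmd_substring(value, start, length=None):
    """cmd.exe %VAR:~start,len% semantics: negative start counts from the end, negative len trims the end."""
    if start < 0:
        start = max(len(value) + start, 0)
    end = len(value) if length is None else (len(value) + length if length < 0 else start + length)
    return value[start:end]

def deobfuscate(script):
    """Statically expand slice and plain variable references using the script's own set lines."""
    variables = {name.lower(): val for name, val in SET_RE.findall(script)}
    def resolve(text):
        def sub_slice(m):
            name, start, length = m.group(1).lower(), int(m.group(2)), m.group(3)
            if name not in variables:
                return m.group(0)
            return cmd_substring(variables[name], start, None if length is None else int(length))
        text = SLICE_RE.sub(sub_slice, text)
        return VAR_RE.sub(lambda m: variables.get(m.group(1).lower(), m.group(0)), text)

    for _ in range(5):                  # variables may themselves be built from sliced variables
        variables = {k: resolve(v) for k, v in variables.items()}
    return resolve(script)

def analyze(script):
    """Return the slice-expansion count, LOLBins visible after expansion, and the expanded script."""
    decoded = deobfuscate(script)
    tokens = set(re.findall(r'[a-z0-9_.]+', decoded.lower()))
    lolbins = sorted(b for b in LOLBINS if b in tokens or b + ".exe" in tokens)
    return {"slice_expansions": len(SLICE_RE.findall(script)),
            "lolbins": lolbins, "decoded": decoded}
```

A high slice-expansion count combined with certutil/extrac32 appearing only after expansion is the signal worth alerting on; the raw script never contains those names as contiguous strings.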

Date

  • Created: Dec. 23, 2024, 1:25 p.m.
  • Published: Dec. 23, 2024, 1:25 p.m.
  • Modified: Dec. 23, 2024, 3:17 p.m.

Indicators


Attack Patterns

  • Modiloader
  • T1553.002 (Subvert Trust Controls: Code Signing)
  • T1059.003 (Command and Scripting Interpreter: Windows Command Shell)
  • T1218 (System Binary Proxy Execution)
  • T1105 (Ingress Tool Transfer)
  • T1036 (Masquerading)
  • T1140 (Deobfuscate/Decode Files or Information)
  • T1027 (Obfuscated Files or Information)