
Modiloader From Obfuscated Batch File

Dec. 23, 2024, 3:17 p.m.

Description

An investigation of a file named 'Albertsons_payment.GZ' revealed a multi-stage malware delivery chain. The file, initially disguised as an image, was actually a Windows Cabinet file containing an obfuscated batch script. The script used string-slicing techniques to reconstruct its commands at runtime and relied on living-off-the-land binaries (LOLBins) such as extrac32.exe to evade detection. The payload, identified as Modiloader, a Delphi-based malware loader, was decoded and extracted using certutil.exe. The final stage attempted to fetch additional content from a URL, but the download failed in the analysis environment. This attack demonstrates the combination of layered obfuscation and living-off-the-land techniques to deliver malware.

Date

Published: Dec. 23, 2024, 1:25 p.m.

Created: Dec. 23, 2024, 1:25 p.m.

Modified: Dec. 23, 2024, 3:17 p.m.

Indicators

bc4cf21e25e9f429b8ea1fdc17061bc0eff0c1b44d83ff6c5da36c778ce62ade

baa12b649fddd77ef62ecd2b3169fab9bb5fbe78404175485f9a7fb48dc4456d

29bda570966cf934b38ff7b1613f9330709307405391ced5452bd9cc63736331

https://swamfoxinnc.com/233_Svcrhpjadgy

swamfoxinnc.com

Attack Patterns

Modiloader

T1553.002 (Subvert Trust Controls: Code Signing)

T1059.003 (Command and Scripting Interpreter: Windows Command Shell)

T1218 (System Binary Proxy Execution)

T1105 (Ingress Tool Transfer)

T1036 (Masquerading)

T1140 (Deobfuscate/Decode Files or Information)

T1027 (Obfuscated Files or Information)