New ModiLoader Malware Campaign Targets Windows PCs, Harvesting User Credentials
AhnLab Security Intelligence Center (ASEC) has recently uncovered a malicious campaign distributing ModiLoader (also known as DBatLoader) malware through phishing emails.
These emails, crafted in Turkish and impersonating a Turkish bank, urge recipients to open a malicious attachment under the guise of checking their transaction history.
Inside the compressed RAR file lies a BAT script that initiates a multi-stage infection process, ultimately deploying SnakeKeylogger, a potent infostealer malware developed in .NET. SnakeKeylogger is notorious for exfiltrating sensitive data such as system information, keyboard inputs, and clipboard content via methods like email, FTP, SMTP, or Telegram.
This campaign exemplifies the growing sophistication of phishing attacks and the urgent need for heightened cybersecurity awareness.

Phishing Emails Distribute Dangerous Malware
The infection begins with the BAT script, which creates and executes a Base64-encoded DBatLoader binary (x.exe) in the Windows Temp directory.
DBatLoader then orchestrates a series of obfuscated and decrypted BAT scripts (5696.cmd, 8641.cmd, and neo.cmd) alongside malicious files like svchost.pif and netutils.dll to evade detection.

Notably, the malware employs DLL side-loading by disguising a malicious program as svchost.pif, mimicking the legitimate easinvoker.exe process, and loading a rogue netutils.dll to execute harmful behaviors.
Additional evasion tactics include copying legitimate system tools like cmd.exe and powershell.exe under disguised names (alpha.pif and xkn.pif) and manipulating Windows Defender exclusion paths to bypass security scans.
Credential Theft Mechanisms
Once evasion is achieved, DBatLoader injects SnakeKeylogger into a legitimate process disguised as wxiygomE.pif, a module of the mercurymail program.
SnakeKeylogger then harvests user credentials and transmits the stolen data to a threat actor-controlled Telegram bot, as revealed by the specific configuration token embedded in the malware.
This intricate chain of exploitation, leveraging legitimate processes and advanced obfuscation, makes detection incredibly challenging for standard antivirus solutions, posing a severe risk to individual users and organizations alike.
The ModiLoader campaign highlights the cunning use of legitimate Windows processes and tools, such as cmd.exe, powershell.exe, esentutl.exe, and extrac32.exe, for malicious purposes like file manipulation and policy changes.
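As an added illustration (not ASEC's code nor detection content from the report), the triage routine below flags process, image-load and network events matching the evasion and exfiltration steps described above. The event records are constructed Sysmon-style dictionaries, and the Defender exclusion mechanisms it looks for (the Add-MpPreference -ExclusionPath cmdlet and the Windows Defender\Exclusions\Paths registry key) are assumptions, since the article does not say how the exclusion paths were manipulated.

```python
"""Triage helper (added example, not ASEC's code) for the DBatLoader/SnakeKeylogger
chain: disguised .pif copies of system tools, netutils.dll side-loading, Defender
exclusion tampering and Telegram Bot API exfiltration. Events are constructed."""
import re
from urllib.parse import urlparse

# Disguised file names taken from the article; the side-loaded DLL name as well.
SUSPICIOUS_PIF = {"svchost.pif", "alpha.pif", "xkn.pif", "wxiygome.pif"}
SIDELOADED_DLL = "netutils.dll"
# Assumed exclusion mechanisms (cmdlet or registry key); the article names neither.
EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath|Windows Defender\\Exclusions\\Paths", re.I)
TELEGRAM_PATH_RE = re.compile(r"^/bot[^/]+/send(Document|Message)$", re.I)


def classify(event: dict) -> list[str]:
    """Return the names of every rule the event triggers (empty list if none)."""
    hits = []
    image = event.get("Image", "").lower()
    basename = image.rsplit("\\", 1)[-1]
    # 1) Renamed tool or side-load host: a known .pif name, or any .pif run from Temp.
    if basename in SUSPICIOUS_PIF or (basename.endswith(".pif") and "\\temp\\" in image):
        hits.append("disguised_pif_execution")
    # 2) netutils.dll loaded from anywhere other than System32 (side-loading).
    loaded = event.get("ImageLoaded", "").lower()
    if loaded.endswith(SIDELOADED_DLL) and "\\windows\\system32\\" not in loaded:
        hits.append("netutils_sideload")
    # 3) Defender exclusion path tampering via command line or registry write.
    if EXCLUSION_RE.search(event.get("CommandLine", "")) or EXCLUSION_RE.search(event.get("TargetObject", "")):
        hits.append("defender_exclusion_tamper")
    # 4) Telegram Bot API endpoint used as the exfiltration channel.
    url = urlparse(event.get("Url", ""))
    if url.hostname == "api.telegram.org" and TELEGRAM_PATH_RE.match(url.path):
        hits.append("telegram_bot_exfil")
    return hits


def triage(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (image basename, triggered rules) for each event that matched a rule."""
    return [(e["Image"].rsplit("\\", 1)[-1], rules) for e in events if (rules := classify(e))]


SAMPLE_EVENTS = [  # constructed records modelled on the chain described in the article
    {"Image": r"C:\Users\victim\AppData\Local\Temp\alpha.pif", "CommandLine": "alpha.pif /c 5696.cmd"},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\svchost.pif", "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\netutils.dll"},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\xkn.pif", "CommandLine": r"xkn.pif Add-MpPreference -ExclusionPath C:\Users\victim\AppData\Local\Temp"},
    {"Image": r"C:\Program Files\Mail\wxiygomE.pif", "Url": "https://api.telegram.org/bot123456:CONSTRUCTED_TOKEN/sendDocument?chat_id=0"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},  # benign control
    {"Image": r"C:\Windows\System32\svchost.exe", "ImageLoaded": r"C:\Windows\System32\netutils.dll"},  # legitimate load
]

if __name__ == "__main__":
    for name, rules in triage(SAMPLE_EVENTS):
        print(f"{name}: {', '.join(rules)}")
```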
This malware’s ability to blend into normal system operations underscores the importance of proactive security measures.
Users are strongly advised to exercise caution with email attachments, especially those prompting script execution, and to ensure their security software is up to date.
As phishing remains a primary vector for such threats, maintaining a strong sense of cybersecurity hygiene is critical to preventing infection.
The ASEC report serves as a stark reminder of the evolving threat landscape and the need for continuous vigilance against malware designed to steal sensitive information.
Indicators of Compromise (IOC)
| Type | Value |
|---|---|
| MD5 | 7fa27c24b89cdfb47350ecfd70e30e93 |
| MD5 | a0a35155c0daf2199215666b00b9609c |
| URL | https://api.telegram.org/bot8135369946:AAEGf2H0ErFZIOLbSXn5AVeBr_xgB-x1Qmk/sendDocument?chat_id=7009913093 |