DBatLoader: A Malware Distribution via CMD Files
AhnLab Security Intelligence Center (ASEC) has issued a warning regarding the re-emergence of the DBatLoader malware, a notorious downloader known for its historical involvement in phishing campaigns. The malware has resurfaced with enhanced evasion techniques, utilizing a sophisticated distribution mechanism that leverages command files (CMD) to bypass security measures.
Malicious CMD File Characteristics
The CMD files distributing DBatLoader are crafted to evade detection and complicate analysis:
- Encoding Trick: The files start with the byte sequence “FF, FE,” indicating “UTF-16LE” encoding. This prevents the content from being displayed correctly when opened in a text editor. By removing these bytes or converting the file to “UTF-8,” the actual malicious code becomes visible.
- Regional Targeting: The malware is designed to run only on English versions of Windows, as the default code page used by cmd.exe differs between Korean and English OS versions.
Obfuscation and Execution
The CMD files are heavily obfuscated and contain Base64-encoded EXE files. Upon execution, the malware uses the built-in Windows utility extrac32.exe
to extract and rename files, preparing them for execution:
- Extraction and Decoding: The CMD file saves
cmd.exe
andcertutil.exe
asalpha.exe
andkn.exe
in a shared folder. It then decodes the embedded Base64 data, changes the file extension to “.pif,” and executes the resulting file. - Key Commands: The critical commands involved in this process are:
shell
These commands use
certutil
with the-decodehex
argument to decode the hex-encoded data into executable form.
Malware Behavior
The final payload, DBatLoader, is an EXE file compiled in Delphi. It loads an internal DLL, retrieves additional data from an external source, and decodes this data before executing it. This behavior allows the malware to dynamically adjust its actions based on commands from the attacker’s server.
Distribution and Prevention
DBatLoader is being actively distributed via phishing emails, with the malware now packaged in compressed CMD files rather than the more easily detected EXE files. This method leverages the inherent trust in CMD files to bypass email security filters.
To protect against this evolving threat, ASEC recommends the following precautions:
- Email Vigilance: Be cautious when opening emails from unknown or unexpected sources. Phishing remains a primary vector for malware distribution.
- Security Software: Keep anti-malware programs updated to the latest versions to ensure they can detect and block new threats.
- System Updates: Regularly apply security updates for operating systems and internet browsers (e.g., IE, Chrome, Firefox) to close vulnerabilities that could be exploited by malware.