DBatLoader: A Malware Distribution via CMD Files

AhnLab Security Intelligence Center (ASEC) has issued a warning regarding the re-emergence of the DBatLoader malware, a notorious downloader known for its historical involvement in phishing campaigns. The malware has resurfaced with enhanced evasion techniques, utilizing a sophisticated distribution mechanism that leverages command files (CMD) to bypass security measures.

Phishing email distributing DBatLoader | Image: ASEC

Malicious CMD File Characteristics

The CMD files distributing DBatLoader are crafted to evade detection and complicate analysis:

• Encoding Trick: The files start with the byte sequence “FF, FE,” indicating “UTF-16LE” encoding. This prevents the content from being displayed correctly when opened in a text editor. By removing these bytes or converting the file to “UTF-8,” the actual malicious code becomes visible.
• Regional Targeting: The malware is designed to run only on English versions of Windows, as the default code page used by cmd.exe differs between Korean and English OS versions.

Obfuscation and Execution

The CMD files are heavily obfuscated and contain Base64-encoded EXE files. Upon execution, the malware uses the built-in Windows utility extrac32.exe to extract and rename files, preparing them for execution:

• Extraction and Decoding: The CMD file saves cmd.exe and certutil.exe as alpha.exe and kn.exe in a shared folder. It then decodes the embedded Base64 data, changes the file extension to “.pif,” and executes the resulting file.
• Key Commands: The critical commands involved in this process are:
  shell

  certutil -decodehex -F “C:\Users\User10\Desktop\omitted\Sample.bat” “C:\\Users\\Public\\Audio.mp4” 9
  
  certutil -decodehex -F “C:\\Users\\Public\\Audio.mp4” “C:\\Users\\Public\\Libraries\\Audio.pif” 12

  These commands use certutil with the -decodehex argument to decode the hex-encoded data into executable form.

Malware Behavior

The final payload, DBatLoader, is an EXE file compiled in Delphi. It loads an internal DLL, retrieves additional data from an external source, and decodes this data before executing it. This behavior allows the malware to dynamically adjust its actions based on commands from the attacker’s server.

Distribution and Prevention

DBatLoader is being actively distributed via phishing emails, with the malware now packaged in compressed CMD files rather than the more easily detected EXE files. This method leverages the inherent trust in CMD files to bypass email security filters.

To protect against this evolving threat, ASEC recommends the following precautions:

• Email Vigilance: Be cautious when opening emails from unknown or unexpected sources. Phishing remains a primary vector for malware distribution.
• Security Software: Keep anti-malware programs updated to the latest versions to ensure they can detect and block new threats.
• System Updates: Regularly apply security updates for operating systems and internet browsers (e.g., IE, Chrome, Firefox) to close vulnerabilities that could be exploited by malware.