
x.exe (DBatLoader) created in the Temp directory | Image: ASEC
In a detailed threat analysis, AhnLab SEcurity intelligence Center (ASEC) has uncovered a deceptive malware campaign involving DBatLoader—also known as ModiLoader—being used to deliver SnakeKeylogger through phishing emails posing as Turkish bank communications.
The campaign starts with emails written in Turkish, impersonating a well-known bank and urging recipients to check their transaction history by opening an attachment.
“Users are prompted to open the malicious attachment to check their transaction history,” ASEC reports. “The compressed file contains the BAT malware.”
This BAT file starts a chain of actions that ultimately decodes a Base64-encoded payload and drops it in the %temp% directory as x.exe, the DBatLoader malware.
The core malware (x.exe) runs a series of obfuscated BAT scripts (5696.cmd, 8641.cmd, neo.cmd) and uses files including svchost.pif, netutils.dll, and wxiygomE.pif to evade detection and deliver the final payload.
Key techniques include:
- DLL Side-Loading: The loader places a malicious DLL (netutils.dll) in the same directory as a renamed copy of the legitimate easinvoker.exe, so that the legitimate binary loads the malicious DLL when it starts. “DBatLoader (x.exe) creates a program with the disguised name svchost.pif in the Windows \SysWow64 directory,” notes ASEC. “As a result, the legitimate easinvoker.exe process exhibits malicious behavior.”
- Anti-Detection Tactics: A fake path such as “Windows \SysWow64” (note the space after “Windows”) is used to mimic the legitimate system directory. powershell.exe is renamed to xkn.pif and used to exclude all subdirectories of “C:\” from Windows Defender’s scan path. As ASEC puts it: “Subdirectories under ‘C:’ are added to Windows Defender’s exclusion paths, achieving the goal of bypassing detection.”
After establishing persistence and obfuscation, the malware proceeds to load SnakeKeylogger into a renamed legitimate process (wxiygomE.pif) derived from MercuryMail’s loader.exe.
“SnakeKeylogger is an Infostealer-type malware developed in .NET. It is known for its data exfiltration methods using emails, FTP, SMTP, or Telegram,” explains ASEC.
SnakeKeylogger collects and exfiltrates sensitive information such as:
- Keyboard inputs
- Clipboard contents
- System details
The malware uses a Telegram bot token to transmit stolen data to its command-and-control (C2) server.
ASEC emphasizes that the attackers cleverly exploit legitimate processes and native Windows tools such as cmd.exe, esentutl.exe, and extrac32.exe to mask their activity.
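As an added defender-side example (not code from the ASEC report or the article), the following Python scans constructed Sysmon-style process events for the indicators described above: the mock “Windows \” directory with its trailing space, renamed executables carrying a .pif extension, a Windows Defender exclusion being added, and netutils.dll loaded from outside the real system directories. The event records are constructed for this illustration, and the Add-MpPreference command line is an assumption, since the article does not say how the exclusion paths were added.

```python
import re

# Constructed Sysmon-style process events for illustration only (not from the
# ASEC report); paths mirror the indicators described in the article.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\u\AppData\Local\Temp\5696.cmd",
     "loaded": []},
    {"image": r"C:\Windows \SysWow64\svchost.pif",          # renamed easinvoker.exe
     "cmdline": r"C:\Windows \SysWow64\svchost.pif",
     "loaded": [r"C:\Windows \SysWow64\netutils.dll"]},
    {"image": r"C:\Windows \SysWow64\xkn.pif",              # renamed powershell.exe
     # Assumed command line: the article only says exclusions were added.
     "cmdline": r"xkn.pif -Command Add-MpPreference -ExclusionPath C:\Users",
     "loaded": []},
    {"image": r"C:\Windows\System32\svchost.exe",            # benign control case
     "cmdline": "svchost.exe -k netsvcs",
     "loaded": [r"C:\Windows\System32\netutils.dll"]},
]

# Real system directories; netutils.dll is expected only under these.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Matches "\Windows \" : the directory name "Windows" followed by a space.
MOCK_DIR = re.compile(r"\\windows \\", re.IGNORECASE)

def parent_dir(path):
    return path.rsplit("\\", 1)[0].lower()

def flags_for(ev):
    """Return the names of the article's indicators that this event matches."""
    hits = []
    paths = [ev["image"]] + ev["loaded"]
    if any(MOCK_DIR.search(p) for p in paths):
        hits.append("mock_system_dir")      # fake "Windows \SysWow64" path
    if ev["image"].lower().endswith(".pif"):
        hits.append("renamed_pif")          # powershell/easinvoker as *.pif
    if re.search(r"add-mppreference.*exclusionpath", ev["cmdline"], re.I):
        hits.append("defender_exclusion")   # scan-path exclusion being added
    if any(p.lower().endswith(r"\netutils.dll") and parent_dir(p) not in SYSTEM_DIRS
           for p in ev["loaded"]):
        hits.append("netutils_sideload")    # netutils.dll outside System32
    return hits

def scan(events):
    """Map each suspicious process image to the indicators it triggered."""
    return {ev["image"]: f for ev in events if (f := flags_for(ev))}

if __name__ == "__main__":
    for image, flags in scan(SAMPLE_EVENTS).items():
        print(image, "->", ", ".join(flags))
```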