Date: 2023-09-12

DBatLoader (aka ModiLoader) is a malware strain, observed since 2020, that is used to download and execute the final payload of commodity malware campaigns, typically a remote access tool/trojan (RAT) or an information stealer such as Remcos, Warzone, Formbook, or AgentTesla. DBatLoader campaigns are frequently delivered through malicious emails and are known to abuse cloud services to stage and retrieve additional payloads. Earlier this year, DBatLoader campaigns reportedly targeted entities in Eastern Europe with Remcos, and businesses in Europe with Remcos and Formbook. Remcos was the most common payload that X-Force observed in these recent campaigns.

Remcos, short for Remote Control and Surveillance, is a remote access tool offered for sale by a company named Breaking Security but is widely used for malicious purposes. Like most such remote tools, Remcos can be used to provide backdoor access to Windows operating systems. Warzone (aka AveMaria), in use since 2018, is a remote access trojan that is also publicly available for purchase at the website warzone[.]ws. Formbook and AgentTesla are popular information stealers that are available on underground markets.

The recent campaigns observed by X-Force delivering the updated DBatLoader follow, and in some respects improve on, previously observed tactics. For example, in several observed campaigns the threat actors had sufficient control over the sending email infrastructure for the malicious emails to pass SPF, DKIM, and DMARC authentication, so a passing authentication result alone cannot be used to clear these messages. A majority of campaigns leveraged OneDrive to stage and retrieve additional payloads, with a small fraction instead using transfer[.]sh or new or compromised domains. Most email content appeared targeted toward English speakers, although X-Force also observed emails in Spanish and Turkish.
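The following triage helper is an added example, not code from the original report or from X-Force. It reads a raw email, records the SPF/DKIM/DMARC verdicts from the Authentication-Results header, extracts URLs from the body, and flags links to the staging services named above (OneDrive, transfer[.]sh). The OneDrive hostnames in STAGING_HOSTS, the sample message and its link are constructed for this example; the point is that the message is flagged on the staging link even though all three authentication checks pass.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hosts the campaigns above abused to stage payloads. The OneDrive hostnames
# listed here are an assumption for this example; extend to taste.
STAGING_HOSTS = ("1drv.ms", "onedrive.live.com", "transfer.sh")

AUTH_RESULT_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|none|softfail|neutral|temperror|permerror)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def parse_auth_results(header_value):
    """Map each mechanism in an Authentication-Results header to its verdict."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in AUTH_RESULT_RE.finditer(header_value or "")}


def extract_urls(msg):
    """Collect URLs from every text/plain and text/html part of the message."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                urls.extend(URL_RE.findall(payload.decode("utf-8", "replace")))
    return urls


def triage(raw_email):
    """Summarize authentication verdicts and staging-service links for one message."""
    msg = message_from_string(raw_email)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    auth_all_pass = all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    urls = extract_urls(msg)
    staging_urls = [u for u in urls if any(h in u.lower() for h in STAGING_HOSTS)]
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return {
        "from_domain": from_domain,
        "auth": auth,
        "auth_all_pass": auth_all_pass,
        "staging_urls": staging_urls,
        # Authentication passing says nothing about intent: the link decides.
        "suspicious": bool(staging_urls),
    }


# Constructed sample message; the domains and link are not real indicators.
SAMPLE_EMAIL = (
    'From: "Accounts Payable" <billing@example-supplier.test>\n'
    "To: finance@example-victim.test\n"
    "Subject: Overdue invoice\n"
    "Authentication-Results: mx.example-victim.test;\n"
    " spf=pass smtp.mailfrom=example-supplier.test;\n"
    " dkim=pass header.d=example-supplier.test;\n"
    " dmarc=pass (p=REJECT) header.from=example-supplier.test\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Please review the attached statement:\n"
    "https://1drv.ms/u/s!constructed-example-link\n"
    "Regards\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
```

In practice the from_domain would be compared against the partner domains the recipient actually expects; a new or compromised domain that the actor fully controls passes all three checks by construction.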

DBatLoader is still under active development and continues to gain capabilities. The recently observed samples offer a UAC bypass, persistence, and several process injection techniques, and support shellcode payloads in addition to executables. Furthermore, the signed Windows executable vulnerable to DLL hijacking (easinvoker.exe), together with a modified netutils.dll, may now be supplied as part of the downloaded payload and configuration rather than carried by the loader itself, reducing the size of the DBatLoader stager.
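A detection for the easinvoker.exe / netutils.dll sideload described above, as an added example that is not code from the original report. It evaluates Sysmon-style image-load records (Event ID 7 fields: process image, loaded module, signature status, signer) and alerts when netutils.dll is loaded from anywhere other than System32, when it is not Microsoft-signed, or when easinvoker.exe itself runs from a non-standard directory. The pipe-delimited records are constructed for this example, and the rule that easinvoker.exe legitimately lives only in System32 is an assumption of the example.

```python
import ntpath

# Assumption for this example: the legitimate home of both binaries.
SYSTEM32 = r"c:\windows\system32"

# Constructed Sysmon-style image-load records, not real telemetry:
# process image | loaded module | signature status | signer
SAMPLE_EVENTS = [
    r"C:\Windows\System32\easinvoker.exe|C:\Windows\System32\netutils.dll|Valid|Microsoft Windows",
    r"C:\Users\bob\AppData\Local\Temp\easinvoker.exe|C:\Users\bob\AppData\Local\Temp\netutils.dll|Unavailable|",
    r"C:\Windows\System32\svchost.exe|C:\Windows\System32\netutils.dll|Valid|Microsoft Windows",
]


def parse_event(line):
    image, module, sig_status, signer = line.split("|")
    return {"image": image, "module": module, "sig_status": sig_status, "signer": signer}


def norm_dir(path):
    # Case-insensitive but otherwise exact directory comparison: a directory
    # that merely resembles System32 does not match the expected value.
    return ntpath.dirname(path).lower().rstrip("\\")


def evaluate(ev):
    """Return the list of reasons this record is suspicious (empty if benign)."""
    reasons = []
    img_name = ntpath.basename(ev["image"]).lower()
    mod_name = ntpath.basename(ev["module"]).lower()
    if mod_name == "netutils.dll" and norm_dir(ev["module"]) != SYSTEM32:
        reasons.append("netutils.dll loaded from outside System32 (DLL search-order hijack)")
    if mod_name == "netutils.dll" and ev["signer"] != "Microsoft Windows":
        reasons.append("netutils.dll is not signed by Microsoft Windows")
    if img_name == "easinvoker.exe" and norm_dir(ev["image"]) != SYSTEM32:
        reasons.append("easinvoker.exe executing from a non-standard directory")
    return reasons


def scan(lines):
    """Evaluate each record; return (process image, reasons) for every hit."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        reasons = evaluate(ev)
        if reasons:
            alerts.append((ev["image"], reasons))
    return alerts


if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image)
        for r in reasons:
            print("  -", r)
```

The signer check matters on its own: a copied, still-signed easinvoker.exe is indistinguishable from the real one by signature, so the modified netutils.dll beside it is the part that cannot carry a valid Microsoft signature.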

DBatLoader’s most recent iteration also attempts DLL hooking, an unexpected addition for this loader. Hooking of this kind is commonly used to bypass AMSI; however, most of DBatLoader’s current hooking implementations are flawed, rendering the bypass ineffective. The experimental coding style and frequent implementation changes suggest that some of the loader’s functionality is still a work in progress.
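To make concrete what an inline DLL hook of this kind changes and how a defender checks for it, here is an added example that is not code from the original report or from DBatLoader. It simulates, on a constructed byte buffer, the write an inline hook performs (replacing a function's first five bytes with a `jmp rel32` to attacker code) and the corresponding integrity audit: compare the in-memory prologue with the pristine on-disk bytes, classify common trampoline patterns, and decode where the jump lands. The module bytes, the base address and the function offset are all constructed; the prologue is not that of any real AMSI export.

```python
import struct

# Constructed 64-byte "module": a fake function prologue at offset 0x10,
# zero padding elsewhere. Not bytes from any real DLL.
PRISTINE = (bytes(0x10)
            + b"\x4c\x8b\xdc\x49\x89\x5b\x08\x49\x89\x6b\x10\x49\x89\x73\x18\x57"
            + bytes(0x20))
BASE = 0x7FF0_0000_0000        # assumed load address for the constructed module
FUNC_OFF = 0x10                # offset of the hooked function
TRAMPOLINE_OFF = 0x30          # offset where the hook redirects execution


def apply_jmp_hook(code: bytearray, func_off: int, target_off: int) -> None:
    """Overwrite the first 5 bytes of the function with 'jmp rel32' to target_off.

    This is the write an inline hook performs; rel32 is relative to the end
    of the 5-byte instruction.
    """
    rel32 = target_off - (func_off + 5)
    code[func_off:func_off + 5] = b"\xe9" + struct.pack("<i", rel32)


def classify_prologue(prologue: bytes):
    """Name a recognised trampoline pattern at the function start, else None."""
    if len(prologue) >= 5 and prologue[0] == 0xE9:
        return "jmp rel32"
    if len(prologue) >= 6 and prologue[:2] == b"\xff\x25":
        return "jmp [rip+disp32]"
    if len(prologue) >= 12 and prologue[:2] == b"\x48\xb8" and prologue[10:12] == b"\xff\xe0":
        return "mov rax, imm64; jmp rax"
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:
        return "push imm32; ret"
    return None


def jmp_target(prologue: bytes, func_addr: int):
    """Decode the destination of a leading 'jmp rel32', or None if absent."""
    if len(prologue) >= 5 and prologue[0] == 0xE9:
        return func_addr + 5 + struct.unpack("<i", prologue[1:5])[0]
    return None


def first_diff(in_memory: bytes, on_disk: bytes, n: int = 16) -> int:
    """Index of the first byte that differs within the first n bytes, or -1."""
    for i, (a, b) in enumerate(zip(in_memory[:n], on_disk[:n])):
        if a != b:
            return i
    return -1


def audit(in_memory: bytes, on_disk: bytes, func_addr: int) -> dict:
    """Integrity report for one exported function's prologue."""
    return {
        "hooked": first_diff(in_memory, on_disk) != -1,
        "first_diff": first_diff(in_memory, on_disk),
        "kind": classify_prologue(in_memory),
        "target": jmp_target(in_memory, func_addr),
    }


def demo() -> dict:
    """Hook the constructed function, then audit it against the pristine copy."""
    module = bytearray(PRISTINE)
    apply_jmp_hook(module, FUNC_OFF, TRAMPOLINE_OFF)
    return audit(bytes(module[FUNC_OFF:FUNC_OFF + 16]),
                 PRISTINE[FUNC_OFF:FUNC_OFF + 16],
                 BASE + FUNC_OFF)


if __name__ == "__main__":
    print(demo())
```

Against a live process the same audit reads the function's bytes from memory and the pristine bytes from the DLL on disk (applying relocations where they matter); any prologue whose decoded jump target falls outside the module's own image is worth a closer look regardless of whether the hook actually works.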