Last Updated: 2023-05-30 01:01:59 UTC
by Brad Duncan (Version: 1)
Also known as DBatLoader, ModiLoader is malware that retrieves and runs payloads like Formbook, Warzone RAT, Remcos RAT, or other types of malware. Today's diary reviews a ModiLoader infection for Remcos RAT on Monday 2023-05-29.
I caught the email in one of my honeypot accounts on Monday 2023-05-29 at 4:14 UTC. These messages often spoof companies sending invoices or purchase orders. This campaign didn't appear to be specifically targeted at my honeypot account.
The email contains an ISO image presented as a purchase order. The ISO image contains a Windows executable (EXE) file for ModiLoader. The EXE file icon impersonates an Excel spreadsheet.
This ModiLoader EXE will infect a vulnerable Windows host with Remcos RAT. Let's look at the infection traffic.
The ModiLoader EXE first requested a OneDrive URL over HTTP (TCP port 80). The server redirected to the HTTPS version of the same URL over TCP port 443.
The OneDrive URL returned a base64 text file, approximately 4.3 MB in size. I retrieved a copy of it by entering the URL in a web browser.
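The base64 text file and the binary decoded from it are listed in the IOCs below with their exact sizes, and those two numbers are consistent with plain standard base64 (every four characters yield three bytes, each trailing '=' takes one back). The script below is an added example for checking a retrieved payload the same way; it is not part of the diary or of any tool its author published. The sample payload it decodes is constructed here (a fake MZ header plus filler) and is not the ModiLoader data.

```python
import base64
import binascii
import hashlib
import re


def expected_decoded_size(encoded_size, padding_chars):
    """Bytes that a standard base64 text (whitespace removed) decodes to.

    Every four encoded characters yield three bytes, and each trailing '='
    takes one byte back. The diary's figures fit exactly: 4,289,728 encoded
    bytes ending in '==' decode to 3,217,294 bytes.
    """
    if encoded_size % 4:
        raise ValueError("standard base64 length must be a multiple of 4")
    if padding_chars not in (0, 1, 2):
        raise ValueError("base64 carries at most two '=' padding characters")
    return encoded_size // 4 * 3 - padding_chars


# A few magic numbers worth recognising in a decoded payload.
MAGIC = (
    (b"MZ", "Windows executable (MZ/PE header)"),
    (b"PK\x03\x04", "ZIP container"),
    (b"\x7fELF", "ELF executable"),
)


def decode_and_identify(b64_text):
    """Decode a base64 text file as a loader would and summarise the result.

    Line breaks and other whitespace are dropped first, since loaders ignore
    them; anything outside the standard alphabet is rejected rather than
    silently skipped, so a damaged download is noticed instead of decoded
    into garbage.
    """
    compact = re.sub(r"\s+", "", b64_text)
    padding = len(compact) - len(compact.rstrip("="))
    try:
        data = base64.b64decode(compact, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid standard base64: {exc}") from None
    if len(data) != expected_decoded_size(len(compact), padding):
        raise ValueError("decoded size does not match the base64 length")
    kind = next((name for magic, name in MAGIC if data.startswith(magic)),
                "no known magic (opaque or encrypted blob)")
    return {
        "encoded_size": len(compact),
        "decoded_size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "magic": data[:4],
        "kind": kind,
        "data": data,
    }


# Constructed stand-in for a downloaded payload: a fake MZ header followed by
# filler. It is NOT the ModiLoader blob; it only exercises the checks above.
SAMPLE_PAYLOAD = b"MZ\x90\x00" + bytes(60) + b"constructed filler, not real malware" * 3
# Wrapped at 76 characters with CRLF, the way a base64 text file often arrives.
SAMPLE_B64_TEXT = "\r\n".join(
    re.findall(r".{1,76}", base64.b64encode(SAMPLE_PAYLOAD).decode())
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="ascii", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_B64_TEXT
    info = decode_and_identify(text)
    print(f"{info['encoded_size']:,} base64 chars -> {info['decoded_size']:,} bytes, "
          f"sha256 {info['sha256']}, {info['kind']}")
```

Run it with the saved text file as its only argument; a size mismatch or an out-of-alphabet character means the copy you pulled is not what the loader decoded, which is worth knowing before spending time on the blob. The decoded data in this diary is listed only as a "data binary", so the magic-number check is a hint, not a verdict.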
Shortly after ModiLoader retrieved the base64 text file, my infected host started generating TLSv1.3 infection traffic to a server at 146.70.158[.]105 over TCP port 9138. Online sandbox analysis indicates this is Remcos RAT traffic, so I'm calling 146.70.158[.]105 a Remcos RAT C2 server.
No domain is associated with this Remcos RAT C2 server. Checking it in a web browser revealed the server used a self-signed certificate. No identification fields were used for this self-signed certificate.
At least 49 MB of data was sent from the infected Windows host to the Remcos RAT C2 server, as shown below when viewing TCP conversation statistics of the traffic in Wireshark.
The infected Windows host also checked its location using geoplugin.net, which is a legitimate service.
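The C2 traffic described above has several traits that are easy to hunt for together in Zeek logs: TLS to a raw IP (no SNI) on an uncommon port, a self-signed certificate with empty subject and issuer, tens of megabytes sent from the client, and a geoplugin.net request from the same host shortly before. The script below is an added example, not part of the diary or of any tool its author published. The log records it runs on are constructed; only the 146.70.158[.]105 address, port 9138 and geoplugin.net come from the diary, while the internal hosts, timestamps, uids and the other server addresses (TEST-NET ranges) are made up. Treating an empty certificate subject as Zeek's "-" or "(empty)" marker is an assumption about how the sensor logs it.

```python
from collections import defaultdict

# Column subsets of Zeek's conn.log, ssl.log and http.log used below
# (produce them from real logs with zeek-cut in this order).
CONN_COLS = ("ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p",
             "service", "orig_bytes", "resp_bytes")
SSL_COLS = ("ts", "uid", "orig_h", "resp_h", "resp_p", "version",
            "server_name", "subject", "issuer", "validation_status")
HTTP_COLS = ("ts", "uid", "orig_h", "host", "uri")

# Constructed records (see lead-in): C2 is the diary's address and port, C3 is a
# benign-looking CA-signed session, C4 is a self-signed VPN box with a subject.
CONN_LOG = """\
1685336070.000\tC1\t10.5.29.101\t49812\t203.0.113.10\t80\thttp\t310\t640
1685336090.000\tC2\t10.5.29.101\t49820\t146.70.158.105\t9138\tssl\t49123456\t1048576
1685336095.000\tC3\t10.5.29.102\t50100\t198.51.100.7\t443\tssl\t4096\t1572864
1685336120.000\tC4\t10.5.29.103\t50200\t198.51.100.9\t8443\tssl\t2048\t4096
"""
SSL_LOG = """\
1685336090.000\tC2\t10.5.29.101\t146.70.158.105\t9138\tTLSv13\t-\t-\t-\tself signed certificate
1685336095.000\tC3\t10.5.29.102\t198.51.100.7\t443\tTLSv13\tonedrive.live.com\tCN=onedrive.live.com\tCN=Example CA\tok
1685336120.000\tC4\t10.5.29.103\t198.51.100.9\t8443\tTLSv12\t-\tCN=vpn.example\tCN=vpn.example\tself signed certificate
"""
HTTP_LOG = """\
1685336070.000\tC1\t10.5.29.101\tgeoplugin.net\t/json.gp
"""


def parse_log(text, cols):
    """Tab-separated Zeek-style lines -> list of dicts; comments and blanks skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rows.append(dict(zip(cols, line.split("\t"))))
    return rows


def is_unset(value):
    """Zeek writes '-' for an unset field and '(empty)' for an empty string."""
    return value in ("-", "(empty)", "")


def find_remcos_like(conn_text, ssl_text, http_text, *, window_s=600,
                     min_outbound=10_000_000):
    """Flag TLS sessions that carry all three certificate/transport traits the
    diary describes, then enrich each hit with traffic volume and the
    geoplugin.net location check from the same internal host."""
    conns = {r["uid"]: r for r in parse_log(conn_text, CONN_COLS)}
    geo_by_host = defaultdict(list)
    for h in parse_log(http_text, HTTP_COLS):
        if h["host"].lower().endswith("geoplugin.net"):
            geo_by_host[h["orig_h"]].append(float(h["ts"]))

    findings = []
    for s in parse_log(ssl_text, SSL_COLS):
        port = int(s["resp_p"])
        reasons = []
        if is_unset(s["server_name"]):
            reasons.append("no SNI: server reached by raw IP")
        if (s["validation_status"] == "self signed certificate"
                and is_unset(s["subject"]) and is_unset(s["issuer"])):
            reasons.append("self-signed certificate with empty subject and issuer")
        if port not in (443, 8443):
            reasons.append(f"TLS on non-standard port {port}")
        if len(reasons) < 3:          # require all three traits before flagging
            continue
        conn = conns.get(s["uid"])
        if conn and int(conn["orig_bytes"]) >= min_outbound:
            reasons.append(f"outbound-heavy: {int(conn['orig_bytes']):,} bytes from client")
        ts = float(s["ts"])
        if any(abs(ts - g) <= window_s for g in geo_by_host.get(s["orig_h"], ())):
            reasons.append(f"geoplugin.net location check from the same host within {window_s} s")
        findings.append({"orig_h": s["orig_h"], "resp_h": s["resp_h"],
                         "resp_p": port, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_remcos_like(CONN_LOG, SSL_LOG, HTTP_LOG):
        print(f"{hit['orig_h']} -> {hit['resp_h']}:{hit['resp_p']}")
        for reason in hit["reasons"]:
            print("   ", reason)
```

Requiring all three TLS traits keeps noise down (plenty of internal appliances use self-signed certificates, but they normally have a subject and sit on 443 or 8443); the geoplugin.net and outbound-volume lines are there to raise confidence and to point at a host worth pulling a memory image from.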
Forensics on the Infected Windows Host
This infection was made persistent through the Windows registry key at HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Persistent files were stored in the host's C:\Users\Public\Libraries directory.
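The persistence chain here is a Run value that launches a .url (Internet Shortcut) file, which in turn points at an executable in C:\Users\Public\Libraries, a directory any user can write to. The script below is an added example of checking Run values for that pattern; it is not part of the diary or of any tool its author published. The file names and directory match the IOCs, but the registry value data and the body of the .url file are assumed for illustration (the doubled backslashes in the constructed URL= line mirror how the diary lists the target), not copied from the sample.

```python
import configparser
import ntpath

# Locations an autostart entry has little business running from: user-writable,
# no installer needed. Compared against lower-cased, single-backslash paths.
WRITABLE_DIRS = (
    "c:\\users\\public\\",
    "c:\\programdata\\",
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
)
EXEC_EXTS = (".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js")


def normalise(path):
    """Lower-case a Windows path, unquote it, drop a file: prefix and collapse
    doubled backslashes. UNC prefixes collapse too, acceptable for this check."""
    p = path.strip().strip('"')
    if p.lower().startswith("file:"):
        p = p[5:].lstrip("/").strip('"')      # file:///C:/x or file:"C:\\x"
    p = p.replace("/", "\\")
    while "\\\\" in p:
        p = p.replace("\\\\", "\\")
    return p.lower()


def first_token(command):
    """Program part of a Run value: the quoted path if quoted, else all of it."""
    command = command.strip()
    if command.startswith('"') and command.count('"') >= 2:
        return command[1:command.index('"', 1)]
    return command


def url_shortcut_target(contents):
    """URL= target of a Windows Internet Shortcut (.url) file, or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(contents.lstrip("\ufeff"))
    return cp.get("InternetShortcut", "URL", fallback=None)


def assess_run_value(name, data, read_file):
    """Judge one value under HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.

    read_file(path) -> str or None is supplied by the caller so the same logic
    runs against a live host or an offline image; below it is a dict lookup.
    """
    reasons = []
    target = normalise(first_token(data))
    chain = [target]
    if target.endswith(".url"):
        reasons.append("Run value launches an Internet Shortcut (.url), not a program")
        body = read_file(target)
        inner = url_shortcut_target(body) if body else None
        if inner:
            target = normalise(inner)
            chain.append(target)
            if ntpath.splitext(target)[1] in EXEC_EXTS:
                reasons.append("the .url file's target is a local executable")
    for p in chain:
        if any(d in p for d in WRITABLE_DIRS):
            reasons.append(f"{p} sits in a user-writable directory")
    return {"name": name, "chain": chain, "reasons": reasons,
            "suspicious": bool(reasons)}


def audit_run_values(values, read_file):
    """Suspicious entries among a {value_name: value_data} mapping of Run values."""
    return [r for r in (assess_run_value(n, d, read_file) for n, d in values.items())
            if r["suspicious"]]


# Constructed inputs (see lead-in): paths match the diary's IOCs, contents are assumed.
FAKE_FS = {
    "c:\\users\\public\\libraries\\ioccszmd.url":
        "[InternetShortcut]\n"
        "URL=file:\"C:\\\\Users\\\\Public\\\\Libraries\\\\Dmzsccoi.exe\"\n"
        "IconIndex=13\n",
}
RUN_VALUES = {
    "ioccszmD": "C:\\Users\\Public\\Libraries\\ioccszmD.url",
    "OneDrive": "\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background",
}

if __name__ == "__main__":
    for hit in audit_run_values(RUN_VALUES, FAKE_FS.get):
        print(hit["name"], "->", " -> ".join(hit["chain"]))
        for reason in hit["reasons"]:
            print("   ", reason)
```

On a live host, feed it the Run values from `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and a read_file that opens the path; on a mounted image, point read_file at the image's file system instead. Following the .url indirection matters because a listing of Run values alone shows only a harmless-looking shortcut.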
Indicators of Compromise (IOCs)
Some headers from the email:
Received: from cp2-de1.host-global[.]net (cp2-de1.host-global[.]net [88.99.82[.]246])
for <[recipient's email address]>; Mon, 29 May 2023 04:14:43 +0000 (UTC)
Received: from ec2-3-135-201-214.us-east-2.compute.amazonaws[.]com ([3.135.201[.]214]:55643)
by cp2-de1.host-global[.]net with esmtpa (Exim 4.96)
Mon, 29 May 2023 06:14:35 +0200
From: PT Sree International Indonesia <info@ptsreint[.]co[.]id>
Subject: New Inquiry/Purchase Order June 2023
Date: 29 May 2023 04:14:33 +0000
Traffic from an infected Windows host:
- 146.70.158[.]105 port 9138 - TLSv1.3 traffic for Remcos RAT
- hxxp://geoplugin.net/json.gp <-- IP address/location check of the infected host
Malware from the infected Windows host:
- File size: 1,638,400 bytes
- File name: Urgent Inquiry_Purchase order June 2023_PDF.iso
- File description: Email attachment, an ISO disk image containing DBatLoader/ModiLoader EXE
- File size: 1,047,552 bytes
- File name: Urgent Inquiry_Purchase order June 2023_PDF.exe
- Persistent file location: C:\Users\Public\Libraries\Dmzsccoi.exe
- File description: ModiLoader EXE
- Analysis: https://tria.ge/230529-vtyr7sdc5x/behavioral2
- Analysis: https://app.any.run/tasks/8f428a98-e2b5-49ae-a073-b4feb6c9f4ca
- Analysis: https://capesandbox.com/submit/status/393224/
- Reference: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader
- File size: 4,289,728 bytes
- File description: Base64 text file retrieved from OneDrive URL generated by ModiLoader malware
- File location: hxxps://onedrive.live[.]com/download?cid=477DD5F55B8A76A6&resid=477DD5F55B8A76A6%21132&authkey=AHpfAKNpV3kAUSU
- File size: 3,217,294 bytes
- File location: C:\Users\Public\Libraries\Dmzsccoi
- File description: Data binary decoded from above base64 text file
- File size: 100 bytes
- File location: C:\Users\Public\Libraries\ioccszmD.url
- File description: URL file persistent through Windows registry
- URL file target: C:\\Users\\Public\\Libraries\\Dmzsccoi.exe
- File size: 68,096 bytes
- File location: C:\Users\Public\Libraries\ioccszmD.pif
- File description: Another Windows EXE used for this infection
This example of ModiLoader/Remcos RAT was not targeted, nor was it particularly sophisticated. Emails using ISO attachments to deliver malware are routinely submitted to VirusTotal. I did a quick search for the last week of ISO attachments in VirusTotal, and I found 15 examples.
A sanitized copy of the email, along with malware/artifacts from the infection, and a packet capture (pcap) of the infection traffic are available here.
brad [at] malware-traffic-analysis.net