2024-12-23
This blog post analyzes a malicious file named Albertsons_payment.GZ received via email. The file is a Windows Cabinet file disguised as an image file. It contains a picture that mimics a document, a file with strange characters, and a heavily obfuscated batch file (.cmd file). We will analyze the deobfuscation process and the malware’s behavior.
What Undercode Says: Analysis of the Malware
The malware analyzed in this blog post is a clever piece of work: it combines several techniques to evade detection and reach its goal. The techniques break down as follows:
1. Social Engineering: The email containing the Albertsons_payment.GZ file is likely a phishing attempt. The attackers are hoping the recipient will be tricked into opening the attachment because it appears to be a legitimate document from Albertsons.
2. Multiple Obfuscation Techniques: The malware layers several techniques to hide its code and slow down analysis. These include a Windows Cabinet file disguised as an image file, string slicing (substring extraction from a long variable) to reassemble commands in the batch file at run time, and the use of LOLbins (legitimate system binaries abused for malicious purposes) to avoid suspicion.
3. Multi-stage Malware: The initial batch file downloads the next-stage payload, a Delphi-based loader known as Modiloader. Splitting the infection chain this way makes it harder to analyze the whole malware at once and can help the attackers bypass security controls that only match specific signatures.
4. LOLbins Abuse: The malware leverages LOLbins, legitimate system utilities, to perform malicious tasks. In this case, it uses extrac32.exe to copy itself and certutil.exe to decode the next-stage payload. Abusing LOLbins makes the malware harder to detect because these signed, built-in programs are trusted by the operating system and their activity blends in with normal administration.
5. Network Communication: The malware attempts to download the next stage payload from a remote server. This suggests that the attackers may have a command and control server where they can update the malware and deliver new payloads.
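To make point 2 concrete, here is a small resolver for the cmd.exe substring-slicing trick (`%VAR:~start,len%`). It is an added example written for this post, not the batch file from the ISC diary: the `SAMPLE_BATCH` text, the variable name `k` and the rebuilt command are constructed for illustration. The resolver replays `set` assignments in order and expands every other line, including the negative-offset forms cmd.exe accepts, so the analyst sees the command the script would actually run without executing it.

```python
import re

# Constructed sample, not the batch file from the post: an "alphabet"
# variable k is defined once and the real command line is rebuilt from
# substrings of it using cmd.exe's %VAR:~start,len% syntax.
SAMPLE_BATCH = r"""@echo off
set "k=certuil -dox.p"
%k:~0,4%%k:~4,1%%k:~3,1%%k:~5,2%%k:~7,3%%k:~1,1%%k:~0,1%%k:~10,1%%k:~9,1%%k:~1,1%%k:~7,1%%k:~13,1%%k:~12,1%%k:~3,1%%k:~11,1%%k:~3,1%%k:~7,1%%k:~11,2%%k:~1,1%%k:~11,1%%k:~1,1%
"""

# set NAME=VALUE  or  set "NAME=VALUE"
SET_RE = re.compile(r'^\s*set\s+"?([^=\s"]+)=([^"]*)"?\s*$', re.IGNORECASE)
# %NAME%, %NAME:~start%, %NAME:~start,len% (start and len may be negative)
VAR_RE = re.compile(r"%([A-Za-z_]\w*)(?::~(-?\d+)?(?:,(-?\d+))?)?%")


def substring(value, start, length):
    """Apply cmd.exe substring rules: a negative start counts from the end,
    a negative length drops that many trailing characters, and a missing
    length means 'to the end of the string'."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if length is None:
        return value[start:]
    end = n + length if length < 0 else start + length
    return value[start:end] if end > start else ""


def expand(line, env):
    """Resolve every %VAR...% reference in one line against env."""
    def repl(m):
        name = m.group(1).lower()          # cmd variable names are case-insensitive
        if name not in env:
            return m.group(0)              # unknown variable: leave it visible
        start = int(m.group(2) or 0)
        length = int(m.group(3)) if m.group(3) is not None else None
        return substring(env[name], start, length)
    return VAR_RE.sub(repl, line)


def deobfuscate(batch_text):
    """Replay 'set' assignments in order and return every other non-empty
    line with its variable references resolved."""
    env = {}
    resolved = []
    for raw in batch_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # values may themselves reference earlier variables, so expand first
        m = SET_RE.match(expand(line, env))
        if m:
            env[m.group(1).lower()] = m.group(2)
            continue
        resolved.append(expand(line, env))
    return resolved


if __name__ == "__main__":
    for cmd in deobfuscate(SAMPLE_BATCH):
        print(cmd)
```

The resolver only handles `set` and substring expansion; real samples often add `call`, delayed expansion (`!VAR!`) or `%%` escapes, which would need extra rules. The point is that the slicing is deterministic, so the command can be recovered statically once the alphabet variable is known.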
Conclusion
The malware analyzed in this blog post is a sophisticated example of how attackers are using multiple techniques to evade detection and deliver malware. It is important to be aware of these techniques and to be cautious about opening attachments from unknown senders. Additionally, security software that can detect malicious behavior and network traffic is essential to protect against these types of attacks.
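The behavioral detection the conclusion calls for can be expressed as a few rules over process-creation telemetry. The following is an added example, not code from the ISC diary or from Undercode: the Sysmon-style records in `SAMPLE_LOG` are constructed, and the field names (`Image`, `CommandLine`, `ParentImage`, `UtcTime`) follow Sysmon Event ID 1 conventions. It flags the two LOLbin patterns from point 4 (certutil.exe decoding or fetching a file, extrac32.exe in `/C` copy mode rather than CAB extraction) and adds context when the call is script-driven or touches a user Temp directory, while letting a benign extrac32 extraction pass.

```python
import re

# Constructed Sysmon-style process-creation records (not logs from the post).
SAMPLE_LOG = [
    r'UtcTime=2024-12-23T10:15:01Z Image=C:\Windows\System32\extrac32.exe '
    r'CommandLine="extrac32 /Y /C C:\Users\bob\AppData\Local\Temp\pay.cmd C:\Users\bob\AppData\Roaming\pay.cmd" '
    r'ParentImage=C:\Windows\System32\cmd.exe',
    r'UtcTime=2024-12-23T10:15:02Z Image=C:\Windows\System32\certutil.exe '
    r'CommandLine="certutil -decode C:\Users\bob\AppData\Local\Temp\blob.txt C:\Users\bob\AppData\Local\Temp\stage2.exe" '
    r'ParentImage=C:\Windows\System32\cmd.exe',
    # benign: extracting a driver CAB from Explorer, no copy switch
    r'UtcTime=2024-12-23T10:20:00Z Image=C:\Windows\System32\extrac32.exe '
    r'CommandLine="extrac32 /E C:\drivers\pack.cab" '
    r'ParentImage=C:\Windows\explorer.exe',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
TOKEN_RE = re.compile(r'"[^"]*"|\S+')           # command-line tokens


def parse_record(line):
    """Turn one key=value record into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(record):
    """Return the list of reasons this record looks like LOLbin abuse."""
    image = basename(record.get("Image", ""))
    tokens = [t.strip('"').lower() for t in TOKEN_RE.findall(record.get("CommandLine", ""))]
    # switches after argv[0], with the leading '-' or '/' removed
    switches = {t.lstrip("-/") for t in tokens[1:] if t and t[0] in "-/"}
    reasons = []
    if image == "certutil.exe" and switches & {"decode", "urlcache", "encode"}:
        reasons.append("certutil used to decode, encode or fetch a file")
    if image == "extrac32.exe" and "c" in switches:
        reasons.append("extrac32 used in copy mode (/C) instead of CAB extraction")
    if not reasons:
        return reasons
    # context that raises confidence once a base rule has fired
    if basename(record.get("ParentImage", "")) == "cmd.exe":
        reasons.append("spawned by cmd.exe (script-driven)")
    if any("\\appdata\\local\\temp\\" in t for t in tokens):
        reasons.append("operates on files in a user Temp directory")
    return reasons


def scan(lines):
    """Run the rules over every record; return (time, image, reasons) per hit."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        reasons = analyze(rec)
        if reasons:
            alerts.append((rec.get("UtcTime"), basename(rec.get("Image", "")), reasons))
    return alerts


if __name__ == "__main__":
    for when, image, reasons in scan(SAMPLE_LOG):
        print(f"{when} {image}: " + "; ".join(reasons))
```

The rules key on the command-line switches rather than on the binary alone, because certutil.exe and extrac32.exe are used legitimately every day; it is the combination of a decode or copy switch, a cmd.exe parent and a Temp-directory path that matches the chain described above.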
References:
Reported By: Isc.sans.edu