A newly identified malware strain called ModiLoader, also known as DBatLoader, is actively targeting Windows users via phishing. Attackers send emails written in Turkish that impersonate real Turkish banks and claim to share financial records. These emails carry malicious RAR attachments designed to fool victims into opening them. Once opened, the attachments run BAT files that install DBatLoader, using Base64 encoding to hide the malware's payload from casual inspection.
The infection process involves a series of obfuscated scripts with file names like 5696.cmd and neo.cmd, which run silently in the background. These scripts help ModiLoader persist on the system and evade detection by manipulating the environment. Once active, the malware delivers SnakeKeylogger, a dangerous .NET-based program designed to steal sensitive user information. It collects system data, keystrokes, clipboard content, and saved credentials from the infected machine.
SnakeKeylogger sends stolen data to remote attackers using multiple methods, including email, FTP, and even Telegram channels.
ASEC researchers found the malware using a Telegram bot token to send information to a command-and-control server. This makes it extremely difficult to intercept or track the stolen data. Since the malware captures inputs after infection, even newly created passwords and personal details remain vulnerable.
ModiLoader uses advanced evasion tactics to stay hidden from antivirus tools by mimicking trusted Windows programs.
It renames system files and uses lookalike folder names such as “C:\Windows \SysWOW64” (note the trailing space after “Windows”) to confuse path-based detection. It also applies DLL side-loading, causing trusted software to load and run harmful code. Lastly, it weakens antivirus protection by changing Windows Defender settings through disguised PowerShell commands, making itself harder to detect.
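The two evasion tricks above (a lookalike system directory with trailing whitespace, and Defender tampering via disguised PowerShell) can be checked for in process-creation telemetry. The following is an added detection example, not code from the article or from ASEC; the sample events and the encoded-command flag are assumptions and the Base64 argument is a constructed placeholder.

```python
import re
from typing import Dict, List

# Directory names whose lookalikes (e.g. "Windows " with a trailing space)
# mimic trusted system paths while actually living outside them.
PROTECTED_DIRS = {"windows", "program files", "program files (x86)"}

# Defender tampering indicators and encoded PowerShell (assumed disguise method).
DEFENDER_TAMPER = re.compile(
    r"(Add-MpPreference|Set-MpPreference\s+-Disable\w+|-ExclusionPath)", re.I)
ENCODED_PS = re.compile(
    r"(?:^|\s)-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I)


def suspicious_path_components(path: str) -> List[str]:
    """Return components that mimic a protected directory via leading/trailing
    whitespace, e.g. 'Windows ' in 'C:\\Windows \\SysWOW64\\host.exe'."""
    hits = []
    for part in re.split(r"[\\/]+", path):
        if part != part.strip() and part.strip().lower() in PROTECTED_DIRS:
            hits.append(part)
    return hits


def flags_defender_tampering(cmdline: str) -> bool:
    """True if the command line changes Defender settings or hides its
    PowerShell behind an encoded command argument."""
    return bool(DEFENDER_TAMPER.search(cmdline) or ENCODED_PS.search(cmdline))


def triage(events: List[Dict[str, str]]) -> List[str]:
    """Run both checks over process-creation records; return human-readable findings."""
    findings = []
    for ev in events:
        comps = suspicious_path_components(ev["image"])
        if comps:
            findings.append(f"{ev['id']}: lookalike dir {comps!r} in {ev['image']}")
        if flags_defender_tampering(ev["cmdline"]):
            findings.append(f"{ev['id']}: Defender tampering / encoded PowerShell")
    return findings


# Constructed sample process-creation records (not telemetry from the article).
SAMPLE_EVENTS = [
    {"id": "e1", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"id": "e2", "image": r"C:\Windows \SysWOW64\host.exe", "cmdline": "host.exe"},
    {"id": "e3", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUE="},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

The trailing-whitespace check deliberately compares the stripped name against the protected list, so a genuine `C:\Windows\...` path is never flagged.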
Reference: