
DBatLoader

Posted: August 26, 2020

DBatLoader, also known as ModiLoader or NatsoLoader, is a Trojan loader typically used to deploy additional malware onto compromised systems. The threat is written in Delphi, which is an unusual choice for full-fledged malware; threats of this sort are more often written in C or C++. DBatLoader attracted the attention of malware researchers when it was used in one of the largest FormBook propagation campaigns, which took place in June 2020. Although that is the incident that drew the most attention, DBatLoader has also been used to propagate other high-profile threats in the past, for example Remcos RAT and the NetWire RAT.

So far, almost all campaigns involving DBatLoader have been carried out through fraudulent email messages carrying a malicious attachment. Usually, the attachment is disguised as a legitimate document or spreadsheet which, when opened, runs a malicious macro designed to drop and execute DBatLoader.

Once DBatLoader is active, it checks the computer's network connectivity by trying to ping Microsoft.com. If the ping succeeds, DBatLoader attempts to fetch an encrypted payload from its Command and Control server. The downloaded data is decrypted with a key stored inside DBatLoader's executable, so the second stage can be run without any further input from the operator. A practical consequence of this check is that the loader does nothing useful on a host with no Internet access, which is worth keeping in mind when detonating a sample in an isolated sandbox.
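The delivery and execution chain above (Office document spawns the loader, the loader resolves microsoft.com for its connectivity check, then contacts a different host for its payload) is something a detection engineer can look for in endpoint telemetry. The following is an added example, not code from the original page or from any vendor: a small Python function run over constructed Sysmon-style events (ProcessCreate, DnsQuery and NetworkConnect). The process names, paths and the 203.0.113.10 address are made-up sample data. Note that Sysmon does not record ICMP, so the observable trace of the ping is the DNS lookup for microsoft.com rather than the ping itself.

```python
"""Toy detection for the DBatLoader delivery chain over constructed
Sysmon-style events. This is an added example, not the page's or any
vendor's code; all events below are made up for the demonstration."""

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
CHECK_DOMAIN = "microsoft.com"  # domain the loader pings as a connectivity check

# Constructed sample events (not real telemetry). "id" mirrors the Sysmon
# event ID: 1 = ProcessCreate, 3 = NetworkConnect (TCP/UDP only), 22 = DnsQuery.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4100, "ppid": 900,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    # The macro goes through cmd.exe before the dropped loader runs.
    {"id": 1, "pid": 4300, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe"},
    {"id": 1, "pid": 5200, "ppid": 4300,
     "image": r"C:\Users\victim\AppData\Local\Temp\invoice.exe"},
    {"id": 22, "pid": 5200, "query": "microsoft.com"},          # ping -> DNS lookup
    {"id": 3, "pid": 5200, "dest": "203.0.113.10", "port": 80},  # payload fetch
    # Benign: an Excel child that only ever talks to Microsoft.
    {"id": 1, "pid": 6000, "ppid": 900,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"id": 1, "pid": 6100, "ppid": 6000, "image": r"C:\Windows\System32\notepad.exe"},
    {"id": 22, "pid": 6100, "query": "microsoft.com"},
    {"id": 3, "pid": 6100, "dest": "update.microsoft.com", "port": 443},
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_check_domain(name):
    """True for microsoft.com and its subdomains, but not e.g. notmicrosoft.com."""
    name = name.lower().rstrip(".")
    return name == CHECK_DOMAIN or name.endswith("." + CHECK_DOMAIN)


def spawned_by_office(pid, image, ppid, max_depth=4):
    """Walk up the recorded parent chain looking for an Office application;
    macros frequently pass through cmd.exe or powershell.exe first."""
    for _ in range(max_depth):
        pid = ppid.get(pid)
        if pid is None:
            return False
        if basename(image.get(pid, "")) in OFFICE_IMAGES:
            return True
    return False


def find_loader_chains(events):
    """Return (pid, image, "host:port") for every process that was spawned
    (directly or indirectly) by an Office application, resolved or connected
    to microsoft.com, and afterwards connected to a non-Microsoft host.
    Events are processed in the order given."""
    image, ppid, checked, hits = {}, {}, set(), []
    for ev in events:
        if ev["id"] == 1:
            image[ev["pid"]] = ev["image"]
            ppid[ev["pid"]] = ev["ppid"]
        elif ev["id"] == 22 and is_check_domain(ev["query"]):
            checked.add(ev["pid"])
        elif ev["id"] == 3:
            if is_check_domain(ev["dest"]):
                checked.add(ev["pid"])
            elif ev["pid"] in checked and spawned_by_office(ev["pid"], image, ppid):
                hits.append((ev["pid"], image[ev["pid"]], f"{ev['dest']}:{ev['port']}"))
    return hits


if __name__ == "__main__":
    for pid, img, dest in find_loader_chains(SAMPLE_EVENTS):
        print(f"suspicious loader chain: pid={pid} image={img} payload from {dest}")
```

The logic deliberately requires all three observations in sequence: a microsoft.com lookup alone is far too common to alert on, and an Office child process alone is noisy in environments that run add-ins. The combination with a later connection to an unrelated host is what matches the behaviour described for DBatLoader.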

As already mentioned, DBatLoader has recently been used mostly in combination with the FormBook malware. Still, it is very likely that copies of this Trojan will be paired with other threats in the near future. Since every known campaign so far relies on macro-enabled email attachments, blocking macros in documents received from the Internet removes the initial foothold, and keeping a trustworthy anti-virus suite installed and active adds a second line of defence.
