An investigation of a file named ‘Albertsons_payment.GZ’ revealed a sophisticated malware delivery chain.

The file, initially disguised as an image, was actually a Windows Cabinet file containing an obfuscated batch script. This script employed string slicing techniques to reconstruct commands and used LOLbins like extrac32.exe to evade detection.

The payload, identified as Modiloader, a Delphi-based malware, was extracted using certutil.exe. The final stage attempted to fetch additional content from a URL, but failed in the analysis environment.

This attack demonstrates the use of complex obfuscation and living-off-the-land techniques to deliver malware.Modiloader is a significant threat that has been observed delivering payload via an obfuscated batch script. The attackers have used various techniques such as string slicing and LOLbins to evade detection. It is crucial for organizations to be aware of this tactic and take necessary measures to prevent attacks.

Threat Assessment

Confidence level: 100%
Reliability of the report: A - Completely reliable
Revoke status: false
Number of connected elements present in the report: 24

Recommendations

1. Implement strict security controls around access to sensitive systems.
2. Regularly update software packages to prevent exploitation by Modiloader or other malware.
3. Monitor activity from known adversary groups, such as those using Obfuscated Batch Files.
4. Implement layered web and network security mechanisms.

Resources

Sans EDU Diary