Also known as: nModiLoader, NatsoLoader
Category: Malware
Type: loader, dropper
Platform: Windows
Damage potential: Stolen financial information, camera hijacking, taking unauthorized screenshots, adding the victim’s device to a botnet, web injection, keylogging, opening backdoors for other malware (like ransomware)
Overview
DBatLoader (also known as ModiLoader and NatsoLoader) is a Delphi-based loader that often hosts its payloads on legitimate platforms (such as cloud services or WordPress sites with authorized SSL certificates) to evade detection. DBatLoader payloads include WarzoneRAT, Formbook, and Remcos RAT.
Possible symptoms
DBatLoader relies on stealth to deliver its payload — in fact, one of the hallmarks of DBatLoader is its ability to bypass User Account Control (UAC) notifications while performing privilege escalation on the victim’s device. As a result, victims typically notice the payload infection (such as Warzone RAT) first, which tips them off about the presence of DBatLoader.
Possible indicators of a DBatLoader infection include:
- Your device frequently freezes or stutters.
- You realize you’ve been redirected to a fake website after clicking a legitimate link.
- Other malware appears on your device without a known cause.
- Your device’s fan seems to be constantly on, even when the device is idle.
- Your device downloads data from remote servers without any prompting (DBatLoader is downloading second stage installation files or its payload malware).
Sources of infection
DBatLoader is usually distributed through fake attachments in phishing emails. The attachment may contain a misleading link to download DBatLoader or be an installation file in disguise. Once it has taken root in the victim’s system, DBatLoader will attempt to download its payload malware from compromised legitimate websites (i.e., websites with intact SSL certificates) to evade detection.
Your device may also get infected with DBatLoader from:
- Infected files shared through messaging platforms.
- Infected files downloaded from cloud storage or online repositories.
- Other viruses that drop DBatLoader as part of their operations.
- Drive-by downloading (malicious scripts on compromised websites that force your device to automatically download malware when the page loads).
- Peer-to-peer (P2P) sharing of infected files.
- Infected external devices, such as hard drives or USB sticks.
Protection
To protect yourself against DBatLoader, it is a good idea to set UAC to “Always notify” — that way, DBatLoader will not be able to perform privilege escalation in the background. You should also start practicing good cyber hygiene to avoid phishing attacks, which are the most common vector for DBatLoader infections. Learn to recognize spam emails, avoid opening suspicious attachments, and scan any file you download for malware before running it.
Other protective measures include:
- Use email scanning tools to identify and automatically block messages with suspicious attachments.
- Use multi-factor authentication to protect your accounts in the event that someone steals your password using Gootkit.
- Avoid potentially dangerous websites like dark web pages or torrent repositories. In certain situations, these websites may attempt to download malware (including DBatLoader) to your device by exploiting vulnerabilities.
- Use the malware blocker from NordVPN's Threat Protection Pro™, which scans programs and files for malware while they’re being downloaded and stops malicious ones from entering your device. Threat Protection Pro™ also includes a scam and fraud alert that checks the URL of any webpage you visit and instantly alerts you if the URL is identified as a fraudulent site.
Removal
DBatLoader is very difficult to remove manually — it will modify autorun registry keys and create copies of itself in mock trusted directories to achieve a high degree of persistence. The best way to eliminate DBatLoader from your system is to use reliable antivirus software.