DBatLoader Malware Juniper Threat Labs Attack Demo

The title of the demo video is shown, featuring a gray background with the title, “DBat Loader Attack Demo” written in green.

It’s possible to protect systems from dangerous DBatLoader attacks. Here’s how.

This episode of Juniper Threat Labs Attack Demo focuses on DBatLoader, particularly dangerous malware currently targeting European companies using phishing emails to lure its victims. This video demonstrates all of the stages of a DBatLoader attack, and how Juniper helps customers protect themselves.

Show more

You’ll learn

  • How to detect, block, and isolate an infected system using Juniper SRX firewall with ATP cloud

  • How Juniper security systems are absolutely critical for protecting against malware attacks

Who is this for?

Security Professionals Network Professionals


0:00 welcome to the Juniper threat Labs

0:02 attack demo series today's subject is

0:04 D-BAT loader malware this video will

0:07 demonstrate how malicious threat actors

0:08 conduct this multi-stage malware attack

0:10 but let's begin first with an

0:13 introduction to D-BAT loader malware

0:15 D-BAT loader is a malicious Windows

0:17 executable PE file with the dot exe

0:19 extension it's particularly dangerous as

0:21 it loads other malware such as form book

0:23 a family of data stealing malware in the

0:26 example you're about to see rather than

0:28 download form book malware debate loader

0:30 instead downloads a remote access Trojan

0:32 or rap rats are malware that permit

0:34 attackers to remotely control the

0:36 infected victim's PC some of the rats

0:38 loaded by D-BAT loader malware include

0:41 remco's rat and net wire wrap in this

0:44 particular attack you will see D-BAT

0:46 loader malware download the remco's wrap

0:49 Additionally the threat actors behind

0:51 this campaign were found to be abusing

0:53 the public Cloud infrastructure

0:55 D-BAT loader malware currently targets

0:57 European companies and uses phishing

0:59 emails to lure its victims the emails

1:02 are deceptive and that they appear to

1:04 come from legitimate companies perhaps

1:06 with which the targeted victim company

1:08 may do business and or may wrongly think

1:11 is the authentic actual company as you

1:14 can see from the attack chain unlike our

1:16 most recent video about Royal ransomware

1:18 D-BAT loader malware has multiple stages

1:21 which help it to hide from some

1:23 detection engines

1:25 the first stage is a phishing campaign

1:27 it begins with an email sent to the

1:29 prospective victim usually about a

1:30 purchase order the email contains a PDF

1:33 attachment that looks like an invoice

1:34 but is actually an image with a

1:36 hyperlink that reads view secured

1:39 document in all caps in the center of

1:41 the dock clicking that results in the

1:44 victim downloading the next stage of the

1:45 attack the malware then downloads a

1:48 cabinet file in the cab file is what to

1:51 the unsuspecting user looks to be

1:53 another PDF this time with the revised

1:55 order but it's not a PDF at all instead

1:58 it's a link file or lnk file disguised

2:02 as a PDF

2:03 link files are Microsoft Windows

2:05 shortcuts they point to another file

2:07 folder or application

2:09 when the lnk file is clicked or

2:11 extracted in this case

2:13 the lek file disguises a PDF because of

2:16 the double extension downloads the D-BAT

2:19 loader executable I.E the next stage and

2:22 executes it with Powershell inside this

2:25 executable is the remco's rat which when

2:27 run injects this rat into the victim

2:29 system's memory

2:31 now with the background on dbat loader

2:33 malware out of the way next up in this

2:35 video Juniper threat Labs demonstrates

2:37 all of the stages of this attack

2:39 afterward if a system were to be

2:41 compromised such as buy a zero day

2:43 attack

2:44 let's say such as when the D-BAT loader

2:47 first appeared in the wild

2:48 Juniper makes it easy for its customers

2:50 to provide protection for the rest of

2:52 the network

2:53 we'll show you how you can detect block

2:55 and isolate an infected system using a

2:57 juniper SRX firewall with ATP cloud

3:01 let's get started we're demonstrating

3:04 this attack in a contained environment

3:05 to show how it works the victim here

3:08 received a phishing email from the

3:09 malicious threat actor with an

3:11 attachment entitled revised order

3:14 document.pdf

3:16 the malicious threat actor used a real

3:18 company in the email footer so we are

3:20 obscuring that from view we start

3:22 Wireshark and process monitor to show

3:24 you the network activity and process

3:26 activity on the victim system

3:32 when the unsuspecting victim opens the

3:35 PDF attachment it looks like he or she

3:37 has received a valid purchase order the

3:40 user is duped into believing that in

3:42 order to view the actual secured

3:44 document he or she must click on view

3:46 secured document

3:48 [Music]

3:55 as soon as the user clicks this the

3:57 malware goes to that URL and downloads

4:00 revised underscore order underscore

4:02 document.cab this cabinet file contains

4:05 an lnk file inside it disguised as a PDF

4:09 foreign

4:13 [Music]

4:27 is viewing file names it appears to have

4:29 a PDF extension but it doesn't notice

4:32 under the file name Windows indicates

4:34 the file is a quote unquote shortcut

4:36 when the victim unwittingly opens the

4:39 file he or she is prompted to extract

4:41 the file in this case the victim decides

4:43 to extract the file to the downloads

4:45 folder

4:46 navigating to the downloads folder the

4:48 victim user double clicks the extracted

4:50 file because it is a link file rather

4:53 than a PDF the contents of the link file

4:55 instruct the victim system to run a

4:57 Powershell command that downloads and

4:59 installs dbat loader in the process

5:01 monitor you can see Powershell here is

5:04 running

5:07 and here too in process monitor

5:09 highlighted in green is the remco's rat

5:11 or remote access Trojan here it is named

5:14 file.exe and for the purposes of

5:16 deception has a PowerPoint icon

5:20 file.exe the remkos rat was run after

5:23 the Powershell script retrieved and ran

5:25 another file

5:27 checking wireshark's output we see both

5:29 files that were downloaded with HTTP get

5:31 requests in this attack the second one

5:34 downloaded with the highlighted long

5:36 unpronounceable name is the dbat loader

5:38 malware

5:39 that once executed injects file.exe aka

5:43 the remco's remote access Trojan into

5:45 the victim's system

5:53 now we will simulate the dbat loader

5:55 malware attack again but this time the

5:57 victim is protected with the Juniper SRX

5:59 firewall in Juniper ATP Cloud even so

6:02 for this part of the video we want to

6:04 demonstrate how Juniper connected

6:06 Security Solutions can detect block and

6:08 isolate an infected system

6:10 in order for us to demonstrate that be

6:12 aware that the malware has to initially

6:14 go undetected for the demo Juniper

6:17 threat Labs is using the following setup

6:19 we have a vsrx picture in the center the

6:22 vsrx is a virtual SRX firewall providing

6:24 network security protection its purpose

6:27 is to inspect Network traffic and with

6:29 the assistance of juniper ATP Cloud to

6:31 detect malware like D-BAT loader in

6:34 addition to the virtual firewall and

6:35 cloud-based protections we're using the

6:37 Juno space security director which is a

6:40 centralized management system

6:42 security director facilitates our

6:44 configuring and monitoring of the vsrx

6:46 firewall and we are using Juniper's Juno

6:49 space policy enforcer as well Juniper's

6:51 Juno space policy enforcer enforces

6:53 security policies on endpoints and

6:55 ensures they comply with corporate

6:57 security standards

6:58 pictured as well are several Windows

7:00 workstations Each of which is connected

7:02 to the vsrx

7:04 there is a Ubuntu Server which is acting

7:06 as the malware download server we will

7:09 be using one of the windows hosts as a

7:11 jump station to connect to the victim's

7:13 host using RDP and from there launching

7:16 the attack

7:17 before we proceed with the D-BAT loader

7:19 attack simulation let's first take a

7:21 look at the threat prevention policy

7:23 that we've set up on our security

7:24 director and applied to the vsrx

7:29 [Music]

7:33 to access the policy we'll navigate to

7:35 the configure Tab and then select threat

7:38 prevention and policies

7:45 as you can see we already have an

7:47 existing policy in place let's further

7:49 inspect the protections being enforced

7:51 by the applied policy for this demo our

7:54 policy is configured to block command

7:56 and control traffic at Threat Level 8

7:57 and above

7:59 we've also set it up to block infected

8:01 hosts at Threat Level 8 and above

8:03 additionally we've configured our policy

8:05 to use ATP Cloud for malware detection

8:08 and as you can see we've elected to scan

8:10 both HTTP downloads and email

8:12 attachments

8:14 finally we've chosen to block any and

8:16 all threats rated at level 7 and above

8:20 this threat prevention policy applied to

8:22 the Juniper vsrx firewall is a critical

8:24 component of our defenses protecting our

8:27 systems against malware related attacks

8:29 including D-BAT loader it allows us to

8:31 detect and block malicious traffic as

8:33 well as the activity of potentially

8:36 infected hosts which will then prevent

8:38 the spread of malware throughout our

8:39 Network in the event that one of our

8:41 systems gets compromised

8:44 acting as would-be malicious threat

8:46 actors for the demo we now connect to

8:48 the victim system vrdp

8:59 to confirm that we have internet

9:01 connectivity we visit Wikipedia and

9:03 YouTube

9:05 [Music]

9:15 later we will show you that once the

9:17 vsrx has identified this host as being

9:19 infected it will then be isolated from

9:21 the network once that occurs this

9:23 infected host will be prevented by the

9:25 Juniper connected Security Solutions

9:27 from using the internet connection

9:33 recall that for the attack the targeted

9:35 victim was sent a phishing email with a

9:37 PDF attachment

9:38 in opening the victim's email here it is

9:44 next we start Wireshark to show the

9:46 network activity specifically we will

9:49 want to look at the HTTP activity which

9:51 will show the malicious file downloads

9:57 thank you

9:59 [Music]

10:03 simulating the victim we open the

10:06 malicious PDF attachment we then click

10:09 on the malicious URL on the file

10:11 and when we do it downloads the cabinet

10:14 file

10:23 the victim then extracts the file inside

10:25 which is a link file the lnk file

10:28 disguised as a PDF

10:47 as soon as we double click on the

10:49 malicious link file which invokes

10:51 Powershell the malware downloads the

10:53 malicious D-BAT loader executable

10:56 let's check this out in Wireshark

10:59 the bottom most HTTP get request shows

11:02 the effect of clicking on the lnk file

11:04 disguised as a PDF namely the retrieval

11:07 of D-BAT loader

11:09 though there was no sandbox analysis

11:11 performed at any stage of the attack

11:13 sequence and had there been then we

11:15 wouldn't have gotten this far even so at

11:17 this point Juniper SRX with the help of

11:19 ATP

11:20 has detected the attack to show that the

11:23 attack was detected by SRX we go over to

11:25 our security director from the monitor

11:28 tab we click on threat prevention and

11:30 then HTTP file download

11:34 doing that we see that there was a file

11:35 downloaded from

11:37 silverline.com.sg that was detected at

11:39 Threat Level 10.

11:42 you may recognize that file name by now

11:44 as you have seen it several times in

11:46 this video that's the D-BAT loader

11:48 malware executable

11:50 by clicking on that row we can view

11:52 detailed information about this malware

11:53 including static analysis to Juniper

11:56 performs on the malware

11:58 [Music]

12:01 we also see Behavior Analysis

12:04 and

12:09 network activity

12:11 as we'd said earlier D-BAT loader is

12:13 making use of the public Cloud

12:15 infrastructure this here is a Microsoft

12:17 owned IP address

12:19 thank you and security director we can

12:22 also see the malware's behavior details

12:27 and we can look at the miter attack

12:29 vectors that it uses

12:34 [Music]

12:41 next and again using Juno space security

12:43 director this time we'll look at the ATP

12:45 Cloud host tab here we can show you that

12:48 the infected victim system has been

12:50 added to the set of infected hosts as

12:52 the host was identified at Threat Level

12:54 9.

12:56 clicking in on the host we can learn

12:58 more earlier recall that we'd configured

13:01 the vsrx to block hosts at Threat Level

13:03 8 and above that explains why the vsrx

13:06 smartly blocked this infected host in

13:09 this case Juniper security director

13:10 tells the security admin that it was

13:12 blocked as a result of a malicious file

13:14 download

13:25 if we go back to our victim host you can

13:27 see that it no longer has internet

13:28 connectivity

13:35 foreign

14:08 [Music]

14:12 once we're sure that the devat loader

14:14 infected host is free from infection

14:16 we'll want to restore the infected

14:18 system back to the network

14:20 to do so we go to security director and

14:23 click on the infected host

14:25 to the right of the investigation status

14:27 we select resolved fixed

14:30 afterwards the host status is now clean

14:33 and the host is connected once again to

14:36 the network enabled operate as before

14:58 now that the infection has been resolved

15:01 we can verify that the host is back

15:02 online by pinging systems on the

15:04 internet and by visiting sites like

15:06 YouTube through the browser both of

15:09 which demonstrate restored connectivity

15:14 [Music]

15:17 that completes our demo of D-BAT loader

15:19 malware check out more videos from the

15:20 Juniper threat Labs attack demo series

15:22 by visiting juniper.net thanks for

15:24 watching

Show more