DBatLoader is a two-stage malware loader written in Delphi. In its first stage, the loader connects to a predetermined cloud storage service; in several observed instances that service was Google Drive, from which it fetched a second-stage loader. In its second stage, the actual payload is delivered to the victim's machine and executed. In most cases, the payload delivered by DBatLoader is FormBook, an information-stealing Trojan, but in past campaigns security researchers have also observed Remote Access Trojans (RATs) such as NetWire RAT and Remcos RAT.
The main distribution method in campaigns involving DBatLoader is spam email, with the loader hidden in malicious attachments. These campaigns may use social-engineering lures tailored to specific geographic regions or groups of people to increase the chances that unsuspecting recipients open and execute the malware-laced attachments.
Security researchers reverse-engineered DBatLoader and recovered its underlying logic. They found that the loader has four main functions responsible for preparing the payload: extracting it, decrypting it, and executing it on the victim's computer. Once the payload is ready, DBatLoader maps it into a previously allocated region of memory and transfers execution to it, which is the point at which the attackers' actual payload starts running.
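The chain described above (an attachment spawned from a mail client, a stage-1 fetch from a cloud storage host, then a payload mapped into freshly allocated executable memory) is what a detection engineer would want to correlate per process. The following is an added example, not code from the original page or from any DBatLoader analysis: it runs a simple per-process correlation over constructed, Sysmon-like events. The event shape (`pid`, `event`, `parent_image`, `dest_host`, `protection`), the `memory_alloc` event type, the list of mail clients and the alert threshold are all assumptions made for illustration; the only host taken from the page is Google Drive.

```python
from collections import defaultdict

# Hosts used for stage-1 staging. Google Drive is named on the page; the
# second hostname is an assumption used only to show suffix matching.
CLOUD_STAGING_HOSTS = ("drive.google.com", "drive.usercontent.google.com")
# Assumed set of mail clients whose child processes are worth scrutinising.
MAIL_CLIENTS = ("outlook.exe", "thunderbird.exe")
# Alert when at least this many distinct stage indicators fire for one process.
ALERT_THRESHOLD = 2

# Constructed sample telemetry in a simplified, Sysmon-like shape (not real logs).
# pid 2000 models the loader chain; 3000 is a browser that merely visits Drive;
# 4000 is a document opened from the mail client with no cloud fetch.
SAMPLE_EVENTS = [
    {"pid": 2000, "event": "process_create", "image": "Invoice_Q3.exe", "parent_image": "OUTLOOK.EXE"},
    {"pid": 3000, "event": "process_create", "image": "chrome.exe", "parent_image": "explorer.exe"},
    {"pid": 3000, "event": "network_connect", "dest_host": "drive.google.com"},
    {"pid": 2000, "event": "network_connect", "dest_host": "drive.google.com"},
    {"pid": 2000, "event": "memory_alloc", "protection": "RWX"},
    {"pid": 4000, "event": "process_create", "image": "WINWORD.EXE", "parent_image": "OUTLOOK.EXE"},
    {"pid": 4000, "event": "memory_alloc", "protection": "RW"},
]


def group_by_pid(events):
    """Bucket events by pid while preserving their original order."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev["pid"]].append(ev)
    return by_pid


def indicators_for(evs):
    """Return the ordered, de-duplicated list of stage indicators seen for one process.

    The RWX allocation only counts once a cloud fetch has already been observed,
    so the order of events matters: fetch first, then executable memory.
    """
    hits = []
    fetched = False
    for ev in evs:
        kind = ev["event"]
        if kind == "process_create" and ev["parent_image"].lower() in MAIL_CLIENTS:
            hits.append("spawned_by_mail_client")
        elif kind == "network_connect" and ev["dest_host"].lower().endswith(CLOUD_STAGING_HOSTS):
            fetched = True
            hits.append("stage1_cloud_fetch")
        elif kind == "memory_alloc" and ev.get("protection") == "RWX" and fetched:
            hits.append("stage2_rwx_alloc_after_fetch")
    return list(dict.fromkeys(hits))


def find_loader_chains(events, threshold=ALERT_THRESHOLD):
    """Map pid -> indicator list for every process that reaches the alert threshold."""
    alerts = {}
    for pid, evs in group_by_pid(events).items():
        hits = indicators_for(evs)
        if len(hits) >= threshold:
            alerts[pid] = hits
    return alerts


if __name__ == "__main__":
    for pid, hits in find_loader_chains(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {', '.join(hits)}")
```

With the default threshold only pid 2000 alerts: the browser that visits Google Drive and the document opened from Outlook each fire a single indicator, which is why correlating the stages per process, rather than alerting on any one of them, keeps the false-positive rate manageable.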