Cybersecurity researchers have detailed widespread phishing campaigns concentrating on small and medium-sized companies (SMBs) in Poland throughout Might 2024 that led to the deployment of a number of malware households like Agent Tesla, Formbook, and Remcos RAT.
A few of the different areas focused by the campaigns embrace Italy and Romania, in line with cybersecurity agency ESET.
“Attackers used beforehand compromised e mail accounts and firm servers, not solely to unfold malicious emails but additionally to host malware and gather stolen information,” ESET researcher Jakub Kaloč mentioned in a report revealed right now.
These campaigns, unfold throughout 9 waves, are notable for using a malware loader referred to as DBatLoader (aka ModiLoader and NatsoLoader) to ship the ultimate payloads.
This, the Slovakian cybersecurity firm mentioned, marks a departure from earlier assaults noticed within the second half of 2023 that leveraged a cryptors-as-a-service (CaaS) dubbed AceCryptor to propagate Remcos RAT (aka Rescoms).
“In the course of the second half of [2023], Rescoms grew to become probably the most prevalent malware household packed by AceCryptor,” ESET famous in March 2024. “Over half of those makes an attempt occurred in Poland, adopted by Serbia, Spain, Bulgaria, and Slovakia.”
The start line of the assaults was phishing emails incorporating malware-laced RAR or ISO attachments that, upon opening, activated a multi-step course of to obtain and launch the trojan.
In circumstances the place an ISO file was hooked up, it will instantly result in the execution of DBatLoader. The RAR archive, alternatively, contained an obfuscated Home windows batch script enclosing a Base64-encoded ModiLoader executable that is disguised as a PEM-encoded certificates revocation checklist.
A Delphi-based downloader, DBatLoader is primarily designed to obtain and launch the following stage malware from both Microsoft OneDrive or compromised servers belonging to reliable corporations.
No matter what malware is deployed, Agent Tesla, Formbook, and Remcos RAT include capabilities to siphon delicate info, permitting the menace actors to “put together the bottom for his or her subsequent campaigns.”
The event comes as Kaspersky revealed that SMBs are being more and more focused by cybercriminals owing to their lack of strong cybersecurity measures in addition to restricted sources and experience.
“Trojan assaults stay the most typical cyberthreat, which signifies that attackers proceed to focus on SMBs and favor malware over undesirable software program,” the Russian security vendor mentioned final month.
“Trojans are significantly harmful as a result of they mimic reliable software program, which makes them more durable to detect and stop. Their versatility and skill to bypass conventional security measures make them a prevalent and efficient instrument for cyber attackers.”
