Cybersecurity researchers have detailed widespread phishing campaigns targeting small and medium-sized businesses (SMBs) in Poland during May 2024 that led to the deployment of several malware families, including Agent Tesla, Formbook, and Remcos RAT.
Other countries targeted by the campaigns include Italy and Romania, according to cybersecurity firm ESET.
“Assailants utilized recently compromised email records and company servers, not only to spread pernicious messages but also to host malware and collect stolen data,” ESET researcher Jakub Kaloč said in a report published today.
These campaigns, spread across nine waves, are notable for the use of a malware loader called DBatLoader (aka ModiLoader and NatsoLoader) to deliver the final payloads.
This, the Slovakian cybersecurity company said, marks a departure from previous attacks observed in the second half of 2023 that leveraged a cryptor-as-a-service (CaaS) dubbed AceCryptor to propagate Remcos RAT (aka Rescoms).
“During the second half of [2023], Rescoms became the most prevalent malware family packed by AceCryptor,” ESET noted in March 2024. “Over half of these attempts happened in Poland, followed by Serbia, Spain, Bulgaria, and Slovakia.”
The starting point of the attacks was a phishing email carrying a malware-laced RAR or ISO attachment that, upon opening, activated a multi-step process to download and launch the trojan.
In cases where an ISO file was attached, opening it directly triggered the execution of DBatLoader. The RAR archive, on the other hand, contained an obfuscated Windows batch script wrapping a Base64-encoded ModiLoader executable disguised as a PEM-encoded certificate revocation list.
A Delphi-based downloader, DBatLoader is primarily designed to download and launch the next-stage malware from either Microsoft OneDrive or compromised servers belonging to legitimate organizations.
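The PEM disguise described above can be checked for on the defensive side: a genuine certificate revocation list decodes to a DER structure, whereas the loader's blob decodes to a Windows executable. The following Python is an added example, not ESET's code or the campaign's script; the sample PEM blocks are constructed inline and the function names are this example's own.

```python
import base64
import re
import struct

# Matches a PEM block and captures its label and Base64 body.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_bodies(text):
    """Yield (label, decoded_bytes) for every PEM block; skip non-Base64 bodies."""
    for m in PEM_RE.finditer(text):
        label, body = m.group(1), "".join(m.group(2).split())
        try:
            yield label, base64.b64decode(body, validate=True)
        except ValueError:
            continue


def looks_like_pe(data):
    """True if data has a DOS 'MZ' header and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def looks_like_der(data):
    """A real DER-encoded CRL begins with an ASN.1 SEQUENCE tag (0x30)."""
    return len(data) > 0 and data[0] == 0x30


def classify_pem(text):
    """Return (label, verdict) for each PEM block found in text."""
    verdicts = []
    for label, data in pem_bodies(text):
        if looks_like_pe(data):
            verdicts.append((label, "PE executable disguised as PEM"))
        elif looks_like_der(data):
            verdicts.append((label, "DER structure"))
        else:
            verdicts.append((label, "unknown payload"))
    return verdicts


def make_pem(label, data):
    """Wrap bytes in a PEM block (used only to build the constructed samples)."""
    body = base64.b64encode(data).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed samples: a harmless PE-shaped stub (MZ header, e_lfanew -> 'PE\0\0')
# and a tiny DER SEQUENCE, both labelled as a CRL the way the lure does.
FAKE_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 16
FAKE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE = make_pem("X509 CRL", FAKE_PE) + make_pem("X509 CRL", FAKE_DER)
```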
Regardless of what malware is deployed, Agent Tesla, Formbook, and Remcos RAT come with capabilities to siphon sensitive information, allowing the threat actors to “prepare the ground for their next campaigns.”
The development comes as Kaspersky revealed that SMBs are increasingly targeted by cybercriminals owing to their lack of robust cybersecurity measures as well as limited resources and expertise.
“Trojan attacks remain the most common cyberthreat, which indicates that attackers continue to target SMBs and favor malware over unwanted software,” the Russian security vendor said last month.
“Trojans are especially risky on the grounds that they emulate legitimate software, which makes them harder to recognize and prevent. Their flexibility and capacity to sidestep traditional security efforts make them a prevalent and effective tool for cyber attackers.”