Cybersecurity researchers have detailed widespread phishing campaigns targeting small and medium-sized businesses (SMBs) in Poland during May 2024, which led to the deployment of several malware families, such as Agent Tesla, Formbook, and Remcos RAT.
According to cybersecurity firm ESET, some other regions targeted include Italy and Romania.
“The attackers used previously compromised email accounts and company servers not only to distribute malicious emails, but also to host malware and collect stolen data,” ESET researcher Jakub Kalach said in a report released today.
Spread over nine waves, these campaigns are distinguished by the use of a malware downloader named DBatLoader (aka ModiLoader and NatsoLoader) to deliver the final payloads.
The Slovak cybersecurity company said this marks a move away from previous attacks observed in the second half of 2023, which used a cryptor-as-a-service (CaaS) called AceCryptor to distribute Remcos RAT (aka Rescoms).
“In the second half of 2023, Rescoms became the most common AceCryptor-packaged malware family,” ESET noted in March 2024. “Over half of these attempts occurred in Poland, followed by Serbia, Spain, Bulgaria, and Slovakia.”
The starting point of the attacks was phishing emails with RAR or ISO attachments containing malware that, when opened, activated a multi-step process to download and launch the final-stage trojan.
In cases where an ISO file was attached, opening it would directly execute DBatLoader. The RAR archive, on the other hand, contained an obfuscated Windows batch script carrying a Base64-encoded ModiLoader executable disguised as a PEM-encoded list of revoked certificates.
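As an added example (not code from ESET's report or from this article), a small Python triage check for the disguise just described: it pulls every PEM-framed block out of a text file and flags any whose Base64 body decodes to a Windows PE image instead of DER. The batch file and the benign CRL text are constructed samples, and the "payload" is a harmless stub that merely begins with the PE magic bytes.

```python
import base64
import binascii
import re

# Constructed sample: a batch file that carries a Base64 blob dressed up as a
# PEM certificate revocation list. The blob decodes to a stub beginning with
# the "MZ" DOS header, standing in for an executable (it is not a real PE).
SAMPLE_BAT = """@echo off
rem revoked certificates follow
-----BEGIN X509 CRL-----
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END X509 CRL-----
"""

# Constructed benign block: DER always starts with an ASN.1 SEQUENCE tag (0x30).
BENIGN_PEM = (
    "-----BEGIN X509 CRL-----\n"
    + base64.b64encode(b"\x30\x82\x01\x10" + b"\x00" * 20).decode()
    + "\n-----END X509 CRL-----\n"
)

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S
)


def find_pe_in_pem(text: str) -> list[dict]:
    """Return one finding per PEM-framed block whose body decodes to a PE image."""
    findings = []
    for m in PEM_BLOCK.finditer(text):
        label = m.group(1)
        body = re.sub(r"\s+", "", m.group(2))
        try:
            blob = base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError):
            continue  # not even valid Base64, so nothing decodable hides here
        # Real PEM contents are DER (first byte 0x30); a Windows executable
        # starts with the "MZ" DOS header, which has no business in a CRL.
        if blob[:2] == b"MZ":
            findings.append({"label": label, "size": len(blob), "offset": m.start()})
    return findings


if __name__ == "__main__":
    for hit in find_pe_in_pem(SAMPLE_BAT):
        print(f"PE image hidden in '{hit['label']}' block: {hit['size']} bytes")
    print("benign block flagged:", bool(find_pe_in_pem(BENIGN_PEM)))
```

Run over mail-gateway quarantine or endpoint script collections, the same check also catches the trick when the PEM label is changed, since it keys on what the body decodes to rather than on the header text.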
Written in Delphi, DBatLoader is primarily designed to download and launch the next stage of malware either from Microsoft OneDrive or from compromised servers belonging to legitimate companies.
Regardless of which payload is deployed, Agent Tesla, Formbook, and Remcos RAT can all harvest sensitive information, allowing threat actors to “set the stage for their next campaigns.”
This comes after Kaspersky found that small and medium-sized businesses are increasingly being targeted by cybercriminals due to a lack of robust cybersecurity measures, as well as limited resources and expertise.
“Trojan attacks remain the most common cyber threat, indicating that attackers continue to target small and medium-sized businesses and prefer malware over unwanted software,” the Russian security vendor said last month.
“Trojans are particularly dangerous because they mimic legitimate software, making them harder to detect and prevent. Their versatility and ability to bypass traditional security measures make them a common and effective tool for cyber attackers.”