
A new phishing campaign is targeting European organizations in an attempt to distribute the Remcos RAT and Formbook via a malware loader called DBatLoader.
Zscaler researchers Meghraj Nandanwar and Satyam Singh said in a report published Monday that “the malware payload is distributed through WordPress websites that have approved SSL certificates. It’s a common tactic used to avoid.
The findings build on a previous report from SentinelOne last month, which described phishing emails carrying malicious attachments disguised as financial documents to kickstart the infection chain.
Some of the file formats used to deliver the DBatLoader payload include multi-layered obfuscated HTML files and OneNote attachments.
The use of OneNote files as an initial vector for malware distribution has increased since late last year, in response to Microsoft's decision to block macros by default in files downloaded from the Internet.
DBatLoader, also known as ModiLoader and NatsoLoader, is a Delphi-based malware that can deliver subsequent payloads from cloud services such as Google Drive and Microsoft OneDrive while employing image steganography techniques to evade detection engines.

One notable aspect of this attack is that it uses a mock trusted directory such as "C:\Windows \System32" (note the trailing space after "Windows") to trick User Account Control (UAC) and escalate privileges.
The caveat here is that such a directory cannot be created directly from within the Windows Explorer user interface; instead, an attacker can use a script to create it and then copy a legitimate executable (easinvoker.exe) together with a malicious DLL into that folder. Because easinvoker.exe is vulnerable to DLL hijacking, it loads the attacker's DLL payload.
This allows attackers to perform elevated activities without alerting the user, including establishing persistence and adding the "C:\Users" directory to the Microsoft Defender exclusion list to evade scanning.
To mitigate the risk posed by DBatLoader, we recommend monitoring process executions that involve filesystem paths with trailing spaces, and considering configuring Windows UAC to "Always notify".
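The monitoring recommended above can be expressed as a simple triage rule over process-creation telemetry. The following is an added example written for this article, not code from Zscaler, SentinelOne or the loader itself; it assumes Sysmon-style `Image` and `CommandLine` fields, and the sample events are constructed.

```python
import re
from typing import Dict, List

# Directories from which Windows auto-elevates trusted binaries without a UAC prompt.
# A lookalike such as "C:\Windows \System32" differs only by the trailing space.
TRUSTED_DIRS = {
    r"c:\windows",
    r"c:\windows\system32",
    r"c:\program files",
    r"c:\program files (x86)",
}
# Secondary signal: the article notes the loader adds C:\Users to the Defender exclusion list.
EXCLUSION_RE = re.compile(r"Add-MpPreference\b.*-ExclusionPath", re.IGNORECASE)


def trailing_space_components(path: str) -> List[str]:
    """Path components ending in whitespace; Explorer refuses to create such names."""
    return [c for c in path.split("\\") if c and c != c.rstrip()]


def is_mock_trusted_dir(path: str) -> bool:
    """True when the directory part, with trailing whitespace stripped from every
    component, collapses onto one of the trusted auto-elevation directories."""
    directory = "\\".join(c.rstrip() for c in path.split("\\")[:-1]).lower()
    return bool(trailing_space_components(path)) and directory in TRUSTED_DIRS


def classify(event: Dict[str, str]) -> str:
    """Severity for one process-creation event (fields modelled on Sysmon Event ID 1)."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    if is_mock_trusted_dir(image):
        return "high"      # mock trusted directory: likely UAC bypass attempt
    if trailing_space_components(image) or EXCLUSION_RE.search(cmdline):
        return "medium"    # odd path elsewhere, or a Defender exclusion being added
    return "none"


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return only the events worth an analyst's attention, annotated with severity."""
    return [{**ev, "severity": sev} for ev in events if (sev := classify(ev)) != "none"]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
    {"Image": r"C:\Windows \System32\easinvoker.exe", "CommandLine": r'"C:\Windows \System32\easinvoker.exe"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -c "Add-MpPreference -ExclusionPath C:\Users"'},
    {"Image": r"C:\Users\alice\Downloads \setup.exe", "CommandLine": "setup.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["severity"], hit["Image"])
```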