A new phishing campaign has set its sights on European entities to distribute Remcos RAT and Formbook via a malware loader dubbed DBatLoader. Zscaler researchers Meghraj Nandanwar and Satyam Singh said in a report published Monday that "The malware payload is distributed through WordPress websites that have authorized SSL certificates, which is a common tactic used by threat actors to evade detection engines." The findings build upon a previous report from SentinelOne last month that detailed phishing emails containing malicious attachments that masquerade as financial documents to activate the infection chain. Some of the file formats used to distribute the DBatLoader payload concern the use of a multi-layered obfuscated HTML file and OneNote attachments. The development adds to growing abuse of OneNote files as an initial vector for malware distribution since late last year in response to Microsoft's decision to block macros by default in files downloaded from the internet. DBatLoader, also called ModiLoader and NatsoLoader, is a Delphi-based malware that's capable of delivering follow-on payloads from cloud services like Google Drive and Microsoft OneDrive, while also adopting image steganography techniques to evade detection engines. One notable aspect of the attack is the use of mock trusted directories such as "C:\Windows \System32" (note the trailing space after Windows) to bypass User Account Control (UAC) and escalate privileges.
top of page
bottom of page