ModiLoader Takes Over: Phishing Frenzy Targets Poland
In May, ESET detected extensive phishing campaigns targeting small and medium-sized businesses in Poland, Italy, and Romania. These attacks resulted in the installation of several malicious programs on the victims’ devices, including Agent Tesla, Formbook, and Remcos RAT.
The perpetrators used already compromised email accounts and company servers both to send the malicious emails and to collect and store the stolen data. The campaign consisted of nine waves of attacks, all using DBatLoader (also known as ModiLoader) to deliver the final malware.
The initial attack vector involved phishing emails with attachments in RAR or ISO formats containing malicious files. Opening these attachments initiated a multi-stage process to download and activate the trojans.
In cases with ISO file attachments, the contents included an executable ModiLoader file (named identically or similarly to the ISO file itself), which was executed upon opening.
In cases with RAR file attachments, the archives contained a heavily obfuscated batch script (bearing the same name as the archive) with a “.cmd” extension. The file also included a Base64-encoded ModiLoader executable disguised as a PEM certificate revocation list. The batch script was responsible for decoding and launching the embedded ModiLoader.
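The RAR variant relies on a text file that passes a casual look as a batch script with a certificate revocation list pasted in. A defender can triage such files by checking whether any PEM-armoured block actually decodes to a Windows executable. The script below is an added example written for this article, not ESET's tooling or the loader's code; the sample `.cmd` content, the fake PE header bytes and the obfuscation heuristic are all constructed for illustration.

```python
"""Triage helper: flag .cmd files that hide a PE executable inside a PEM block.

Added example (not ESET's or the malware's code). It looks for RFC 7468-style
"-----BEGIN <label>-----" armour, Base64-decodes the body and checks for the
MZ/PE header shape that a certificate or CRL would never have.
"""
import base64
import binascii
import re
from typing import Dict, Iterator, List, Optional, Tuple

# PEM armour per RFC 7468; the END label must match the BEGIN label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def pem_blocks(text: str) -> Iterator[Tuple[str, Optional[bytes]]]:
    """Yield (label, decoded bytes) for every PEM block; bytes is None if not valid Base64."""
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        try:
            data: Optional[bytes] = base64.b64decode("".join(body.split()), validate=True)
        except (ValueError, binascii.Error):
            data = None
        yield label, data


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with the DOS 'MZ' stub and 'PE\\0\\0' sits at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def obfuscation_score(text: str) -> int:
    """Crude heuristic (assumption, not a signature): count escape carets and
    %var:~n,m% substring expansions, both heavily used by obfuscated batch files."""
    return text.count("^") + len(re.findall(r"%[^%]+:~[^%]*%", text))


def assess_cmd(text: str) -> Dict[str, object]:
    """Summarise why a .cmd file is suspicious: PEM labels whose payload is a PE,
    plus an obfuscation score for the surrounding script."""
    labels: List[str] = [
        label for label, data in pem_blocks(text)
        if data is not None and looks_like_pe(data)
    ]
    return {"embedded_pe_labels": labels, "obfuscation_score": obfuscation_score(text)}


def make_fake_pe() -> bytes:
    """Constructed bytes with a valid MZ/PE header layout; not a runnable program."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")   # e_lfanew -> right after the stub
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 16


FAKE_PE = make_fake_pe()

# Constructed sample: an innocuous batch fragment followed by a "CRL" that is really a PE.
SAMPLE_CMD = (
    "@echo off\r\n"
    "set x=hello&echo %x:~0,1%^%x:~1,1%\r\n"
    "rem the block below is labelled as a CRL but decodes to an executable\r\n"
    "-----BEGIN X509 CRL-----\r\n"
    + base64.encodebytes(FAKE_PE).decode()
    + "-----END X509 CRL-----\r\n"
)

# Constructed benign control: a PEM block whose payload is plain bytes, not a PE.
BENIGN_CMD = (
    "@echo off\r\n-----BEGIN CERTIFICATE-----\r\n"
    + base64.encodebytes(b"not an executable at all").decode()
    + "-----END CERTIFICATE-----\r\n"
)

if __name__ == "__main__":
    print("sample:", assess_cmd(SAMPLE_CMD))
    print("benign:", assess_cmd(BENIGN_CMD))
```

Run over extracted attachments, a non-empty `embedded_pe_labels` list is a strong signal on its own: a genuine CRL or certificate never decodes to an MZ/PE image, so the label mismatch is the point, not the Base64 itself. The obfuscation score is only a tie-breaker for analyst attention and should not be treated as a detection by itself.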
DBatLoader, written in Delphi, downloads and executes the next stage from Microsoft OneDrive or from compromised company servers. Whichever payload it delivers, Agent Tesla, Formbook, and Remcos RAT can all steal sensitive information, including data from browsers and email clients, giving the perpetrators a foothold for subsequent attacks.