Stealthy DBatLoader Malware Loader Spreading Remcos RAT and Formbook in Europe

A recent phishing campaign is targeting European organizations with the aim of distributing two malware families, Remcos RAT and Formbook, through a malware loader called DBatLoader.

In a report released on Monday, Zscaler researchers Meghraj Nandanwar and Satyam Singh explained that the attackers commonly deliver the malware through WordPress websites that have authorized SSL certificates, a choice intended to evade detection by security systems.

The recent findings build on a prior report by SentinelOne from last month, which described fraudulent emails with malicious attachments posing as financial records to initiate the infection chain.

File formats used to distribute the DBatLoader payload include an HTML file wrapped in multiple layers of encryption and OneNote attachments.

Since Microsoft began blocking macros by default in files downloaded from the internet, OneNote files have increasingly been abused as a starting point for malware distribution, and this change has contributed to the growing trend.

DBatLoader, also known as ModiLoader and NatsoLoader, is malware written in the Delphi programming language. It can retrieve additional malicious payloads from cloud services such as Google Drive and Microsoft OneDrive, and it uses image steganography to evade detection by security engines.

A notable feature of the attack is the use of mock trusted directories, such as C:\Windows \System32 (with a trailing space after "Windows"), to bypass User Account Control (UAC) and elevate privileges.

Such directories cannot be created directly through the Windows Explorer user interface, so the attacker has to use a script to do the job and to copy a rogue DLL and a legitimate executable (easinvoker.exe) that is vulnerable to DLL hijacking into the folder. The hijack is then used to load the malicious DLL payload.

This allows the attackers to carry out further operations without alerting users, such as establishing persistence and adding the C:\Users folder to the Microsoft Defender exclusion list to evade detection.

To mitigate the risks posed by DBatLoader, it is recommended to monitor activity involving file system paths that end with trailing spaces and to set Windows UAC to “Always notify”.
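The monitoring recommendation above can be turned into a simple detection rule. The following Python script is an added example written for this article, not code from Zscaler's report or from the DBatLoader samples: it takes constructed, Sysmon-style key=value log lines (the field names TargetFilename, Image and ImageLoaded and the file names rogue.dll, stage2.exe and invoice.one are assumptions), flags any path component that ends in whitespace, and further distinguishes the mock-trusted-directory case, where stripping the padding makes the path land under a trusted root such as C:\Windows while the raw path does not. It also generalizes beyond the C:\Windows \System32 case in the text to the Program Files roots.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Trusted roots that a padded directory name might imitate (constructed list; extend as needed).
TRUSTED_ROOTS = (
    r"c:\windows",
    r"c:\program files",
    r"c:\program files (x86)",
)

# Constructed Sysmon-style log lines (event 11 = file create, event 1 = process create).
# The file names are illustrative placeholders, not indicators from the report.
SAMPLE_LOG = [
    r'EventID=11 Image="C:\Windows\System32\cmd.exe" TargetFilename="C:\Windows \System32\rogue.dll"',
    r'EventID=11 Image="C:\Windows\System32\cmd.exe" TargetFilename="C:\Windows \System32\easinvoker.exe"',
    r'EventID=11 Image="C:\Program Files\Microsoft Office\ONENOTE.EXE" TargetFilename="C:\Users\alice\invoice.one"',
    r'EventID=1 Image="C:\Temp \stage2.exe"',
    r'EventID=1 Image="C:\Windows\System32\cmd.exe"',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
PATH_FIELDS = ("TargetFilename", "Image", "ImageLoaded")


def parse_line(line: str) -> dict:
    """Parse key=value / key="value with spaces" pairs into a dict."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in FIELD_RE.findall(line)}


def components(path: str) -> List[str]:
    """Split a path on either separator so the checks work on Windows and POSIX input."""
    return path.replace("/", "\\").split("\\")


def has_trailing_space_component(path: str) -> bool:
    """True if any directory or file name in the path ends with whitespace."""
    return any(part != part.rstrip() for part in components(path))


def normalized(path: str) -> str:
    """Lower-case the path and strip trailing whitespace from every component,
    so that 'C:\\Windows \\System32' collapses to 'c:\\windows\\system32'."""
    return "\\".join(part.rstrip() for part in components(path)).lower()


def _under_trusted_root(path: str) -> bool:
    return any(path == root or path.startswith(root + "\\") for root in TRUSTED_ROOTS)


def is_mock_trusted_path(path: str) -> bool:
    """A mock trusted directory: only after removing the padding does the path
    resolve under a trusted root, i.e. the raw path is a look-alike, not the real one."""
    if not has_trailing_space_component(path):
        return False
    raw = path.replace("/", "\\").lower()
    return _under_trusted_root(normalized(path)) and not _under_trusted_root(raw)


def classify(path: str) -> Optional[str]:
    """Return a verdict string for a suspicious path, or None if it looks normal."""
    if is_mock_trusted_path(path):
        return "mock-trusted-dir"
    if has_trailing_space_component(path):
        return "trailing-space-path"
    return None


def find_suspicious(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (verdict, path) for every path-bearing field that looks padded."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        for key in PATH_FIELDS:
            path = fields.get(key)
            verdict = classify(path) if path else None
            if verdict:
                hits.append((verdict, path))
    return hits


if __name__ == "__main__":
    for verdict, path in find_suspicious(SAMPLE_LOG):
        print(f"{verdict:20} {path}")
```

The two-tier verdict matters in practice: a trailing space anywhere in a path is unusual enough to be worth logging, but a padded name that collapses onto C:\Windows or Program Files is the specific pattern described above and deserves a higher-severity alert. Because the check is done on the normalized path, a rule based on it is not fooled by mixed case or forward slashes.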
