Threat actors are using the DBatLoader malware campaign to target businesses in Europe with Remcos Remote Access Trojan (RAT) and Formbook.
In a report, Zscaler ThreatLabz security researchers revealed a new campaign involving DBatLoader that specifically targeted businesses in European countries through phishing emails.
During the research, the malware payload was found to be distributed through WordPress websites with authorized SSL certificates, which, the security researchers noted, is a “common tactic used by threat actors to evade detection engines.”
Through the investigation, the researchers also noted several ways the threat actor used phishing emails to distribute Remcos RAT and Formbook via DBatLoader.
DBatLoader malware campaign targets Europe
According to a blog post by SentinelOne, the phishing campaign using DBatLoader abuses the public cloud to host malware.
The phishing emails carried decoy attachments in tar.lz archives that look like financial documents, invoices, tenders, and similar paperwork.
The attachments appear to be Microsoft Office, LibreOffice, or PDF files, using double extensions or matching application icons. The senders of the phishing emails appeared to be credible institutions or businesses.
The phishing emails were often sent to sales executives of European companies, or to the email addresses listed on the company’s social media pages. Moreover, to look legitimate, the emails were sent from compromised private and public email accounts known to the target.
How the payload of DBatLoader targeting Europe works
Most of the phishing emails with the DBatLoader targeting Europe came from well-known domains. The text in the emails was either not in the language of the targeted country or was missing entirely.
Once the attachment was decompressed, DBatLoader, hosted on a public cloud platform, was downloaded and executed. DBatLoader then created a Windows batch script in the %Public%\Libraries directory.
It then bypassed Windows User Account Control (UAC) and created mock trusted directories to perform additional tasks without being noticed by the user of the device.
DBatLoader was also found to evade detection by adding the C:\Users directory to the Microsoft Defender exclusion list, so that its files would escape scanning.
DBatLoader targeting Europe was found to maintain persistence by copying itself into the %Public%\Libraries directory. Remcos was launched after an autorun entry was created under the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run that executes DBatLoader.
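The three host traces described in that chain (a batch script or loader copy in %Public%\Libraries, an HKCU Run entry launching from that directory, and a Defender exclusion covering C:\Users) can be checked in one pass. The script below is an added example, not code from the Zscaler or SentinelOne reports; it assumes the paths exactly as described above, reads host state only, and changes nothing.

```powershell
# Added triage example (not from the cited reports): look for the DBatLoader
# persistence and evasion traces described above. Run in an elevated PowerShell
# session on the Windows host under review; nothing is modified.

$findings = @()

# 1. Batch scripts or executable copies dropped into %Public%\Libraries
$libDir = Join-Path $env:Public 'Libraries'
if (Test-Path $libDir) {
    Get-ChildItem -Path $libDir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.bat', '.cmd', '.exe', '.pif', '.scr' } |
        ForEach-Object { $findings += "Suspicious file in Public\Libraries: $($_.FullName)" }
}

# 2. HKCU Run value whose command line points into %Public%\Libraries
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValues = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($runValues) {
    $runValues.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |   # skip PSPath/PSParentPath/... metadata
        ForEach-Object {
            $cmd = [string]$_.Value
            if ($cmd -match [regex]::Escape($libDir)) {   # -match is case-insensitive
                $findings += "Run key '$($_.Name)' launches from Public\Libraries: $cmd"
            }
        }
}

# 3. Microsoft Defender path exclusion that covers C:\Users (or a parent of it)
$exclusions = (Get-MpPreference -ErrorAction SilentlyContinue).ExclusionPath
foreach ($ex in @($exclusions)) {
    if ($ex -and ('C:\Users' -like ($ex.TrimEnd('\') + '*'))) {
        $findings += "Defender exclusion covers user profiles: $ex"
    }
}

if ($findings.Count -eq 0) { 'No DBatLoader-style traces found.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Any hit is a lead for full investigation rather than proof of infection; a legitimate Run entry under %Public%\Libraries or a deliberate C:\Users exclusion should be confirmed with the system owner.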
Remcos RAT and FormBook used to target European enterprises
Remcos RAT was distributed to targets via phishing emails titled ‘Purchase Order SZ5-9-020.’ The email carries the message “View Secured Document” to appear legitimate and official.
FormBook, an information-stealing malware, has also been found spreading to users via malvertising; it can capture keystrokes, harvest account credentials, and load additional malware.