Polish Enterprises Targeted by Cybercriminals Using Agent Tesla and Formbook Malware
Cybersecurity analysts have documented extensive phishing campaigns aimed at small and medium-sized enterprises (SMEs) in Poland in May 2024, resulting in the distribution of several malware families, including Agent Tesla, Formbook, and Remcos RAT.
Other regions affected by these operations include Italy and Romania, according to cybersecurity company ESET.
“Assailants utilized previously breached email accounts and company servers not just for disseminating harmful emails but also for hosting malware and gathering pilfered data,” said ESET researcher Jakub Kaloč in a recently published report.

This series of campaigns, spanning nine stages, stands out for employing a malware loader known as DBatLoader (also called ModiLoader and NatsoLoader) to deliver the final malicious payloads.
According to the Slovakian cybersecurity firm, this marks a shift from the tactics seen in the latter part of 2023, when a cryptor-as-a-service (CaaS) offering named AceCryptor was used to spread Remcos RAT (also known as Rescoms).
“During the latter half of [2023], Rescoms emerged as the most prevalent malware category delivered by AceCryptor,” highlighted ESET in March 2024. “More than half of these incidents were recorded in Poland, followed by Serbia, Spain, Bulgaria, and Slovakia.”
The attacks began with phishing emails carrying malicious RAR or ISO attachments which, when opened, kicked off a multi-stage process to download and execute the trojan.
Where an ISO file was attached, it launched DBatLoader directly. The RAR archive, on the other hand, contained an obfuscated Windows batch script wrapped around a Base64-encoded ModiLoader executable disguised as a PEM-encoded certificate revocation list (CRL).
DBatLoader is a Delphi-based downloader whose main function is to fetch and launch the next stage of malware, either from Microsoft OneDrive or from compromised servers belonging to legitimate organizations.
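The disguise described above (a Base64-encoded executable dressed up as a PEM certificate revocation list) is cheap to check for: a genuine DER-encoded CRL starts with an ASN.1 SEQUENCE tag (0x30), whereas a Windows executable starts with an "MZ" DOS stub whose e_lfanew field points at a "PE\0\0" signature. The following Python scanner is an added example and not code from ESET or from the campaign; it walks every PEM-armoured block in a script, decodes it, and flags any block whose contents do not match its label. The sample batch script it scans is constructed here for illustration (its "payload" is a bare MZ/PE header skeleton, not runnable code), and the function and variable names are the example's own.

```python
import base64
import binascii
import re
import struct

# Matches any "-----BEGIN <LABEL>----- ... -----END <LABEL>-----" armour.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----",
    re.DOTALL,
)


def extract_pem_blocks(text):
    """Return (label, decoded_bytes) for each PEM block whose body is valid Base64.
    Blocks that fail to decode are skipped; they cannot carry a usable payload."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        b64 = re.sub(r"\s+", "", body)          # strip line breaks inside the armour
        try:
            raw = base64.b64decode(b64, validate=True)
        except (binascii.Error, ValueError):
            continue
        blocks.append((label, raw))
    return blocks


def looks_like_pe(data):
    """True if data has an 'MZ' DOS stub whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def looks_like_der(data):
    """A real DER-encoded CRL or certificate begins with an ASN.1 SEQUENCE tag (0x30)."""
    return len(data) > 0 and data[0] == 0x30


def scan_script(text):
    """Decode every PEM block and report label/content mismatches.
    A block is suspicious when it decodes to a PE image or is not DER at all."""
    findings = []
    for label, raw in extract_pem_blocks(text):
        is_pe = looks_like_pe(raw)
        is_der = looks_like_der(raw)
        findings.append({
            "label": label,
            "size": len(raw),
            "is_pe": is_pe,
            "is_der": is_der,
            "suspicious": is_pe or not is_der,
        })
    return findings


# ---- constructed sample input (not the real campaign artefact) -------------

def _build_fake_pe():
    """Skeleton of a PE header only: MZ stub with e_lfanew -> 'PE\\0\\0'. No code inside."""
    img = bytearray(0x100)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\x00\x00"
    return bytes(img)


def _wrap_pem(label, raw):
    b64 = base64.b64encode(raw).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


SAMPLE_BATCH = (
    "@echo off\r\n"
    "rem constructed sample script, not the campaign's batch file\r\n"
    + _wrap_pem("X509 CRL", _build_fake_pe()).replace("\n", "\r\n")
    + "rem a benign block for comparison: a tiny constructed DER SEQUENCE\r\n"
    + _wrap_pem("X509 CRL", b"\x30\x03\x02\x01\x01").replace("\n", "\r\n")
)


if __name__ == "__main__":
    for f in scan_script(SAMPLE_BATCH):
        verdict = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{f['label']!r}: {f['size']} bytes, PE={f['is_pe']}, DER={f['is_der']} -> {verdict}")
```

Run against a real file with `scan_script(open(path, encoding="utf-8", errors="ignore").read())`. The check deliberately keys on the decoded content rather than on the armour label, so renaming the block (CERTIFICATE, PUBLIC KEY, anything else) does not hide the mismatch; the e_lfanew lookup also avoids false positives on random data that merely begins with "MZ".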
Irrespective of the type of malware deployed, Agent Tesla, Formbook, and Remcos RAT possess functionalities to extract sensitive data, enabling the threat actors to “lay the groundwork for their forthcoming campaigns.”
This development coincides with Kaspersky’s finding that cybercriminals are increasingly targeting SMEs because of their weaker cybersecurity defenses and their limited resources and expertise.
“Trojan assaults persist as the dominant cyber peril, pointing to cybercriminals continuing to target SMEs and favoring malware over unwanted software,” stated the Russian security provider last month.
“Trojans are especially hazardous as they masquerade as legitimate applications, making them harder to identify and counteract. Their adaptability and knack for evading traditional security protocols establish them as a common and efficient weapon for cyber attackers.”