Polish SMBs Bombarded With Phishing Campaign – BREAKING

In May 2024, cybersecurity researchers detailed phishing campaigns targeting small and medium-sized businesses (SMBs) in Poland that led to the deployment of malware families such as Agent Tesla (delivered via a lure file in the ZPAQ compression format and built to harvest data from several email clients and nearly 40 web browsers), Formbook, and Remcos RAT. The campaigns also targeted regions such as Italy and Romania.

“For as low as $49 on the Darknet, hackers can buy licenses for the new malware, enabling capabilities to harvest log-in credentials, collect screenshots, log keystrokes, and execute malicious files,” cybersecurity firm Check Point said in a report.

Attack Methodology

  • Phishing Emails: Attackers used compromised email accounts and company servers to send the malicious emails, host the malware, and collect the stolen data.
  • Malware Loader: The attacks used a malware loader called DBatLoader (aka ModiLoader and NatsoLoader) to deliver the final payloads. This marks a shift from the second half of 2023, when AceCryptor was used to propagate Remcos RAT.

Attack Details

  • Nine Waves: The campaigns were spread across nine distinct waves.
  • Attachments: The phishing emails carried malware-laced RAR or ISO attachments. ISO files led to direct execution of DBatLoader, while RAR archives contained an obfuscated Windows batch script with a Base64-encoded ModiLoader executable disguised as a PEM-encoded certificate revocation list.
  • DBatLoader Functionality: A Delphi-based downloader designed to download and launch subsequent malware stages from Microsoft OneDrive or compromised legitimate servers.
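The disguise described above, a Base64 blob wrapped in PEM "certificate revocation list" armor inside a batch script, is easy to unmask because a genuine CRL decodes to DER (an ASN.1 SEQUENCE whose first byte is 0x30), whereas a Windows executable decodes to a PE image beginning with the bytes "MZ". The following scanner is an added example written for this page, not code from the article or from any of the vendor reports it cites; the sample batch text, the PEM labels it treats as DER-only, and the padded header stand-ins are all constructed for the demonstration.

```python
import base64
import re

# Added example (not from the article or any vendor report): a defender-side
# scanner for a batch script that hides a Base64 payload inside a PEM-style
# block. A genuine CRL or certificate decodes to DER (first byte 0x30); a
# smuggled Windows executable decodes to a PE image (first bytes "MZ").

# Matches one PEM-style block and captures its label; \1 forces the END label
# to match the BEGIN label so mismatched or truncated blocks are ignored.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----",
    re.DOTALL,
)

# Labels that should always decode to DER when genuine (assumed list).
DER_LABELS = {"X509 CRL", "CERTIFICATE", "PUBLIC KEY", "PRIVATE KEY"}


def classify_payload(data: bytes) -> str:
    """Name the container format by its leading bytes."""
    if data[:2] == b"MZ":
        return "pe-executable"
    if data[:1] == b"\x30":
        return "der-asn1"
    return "unknown"


def scan_batch_script(text: str) -> list[dict]:
    """Decode every PEM-style block in a script and report what it really holds."""
    findings = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        b64 = re.sub(r"\s+", "", body)  # PEM bodies are line-wrapped
        try:
            decoded = base64.b64decode(b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append({"label": label, "kind": "undecodable",
                             "size": 0, "suspicious": True})
            continue
        kind = classify_payload(decoded)
        # A CRL/certificate label wrapping anything other than DER is the
        # masquerade the campaign relied on.
        suspicious = label in DER_LABELS and kind != "der-asn1"
        findings.append({"label": label, "kind": kind,
                         "size": len(decoded), "suspicious": suspicious})
    return findings


def suspicious_blocks(text: str) -> list[dict]:
    """Only the findings an analyst needs to look at."""
    return [f for f in scan_batch_script(text) if f["suspicious"]]


# --- constructed sample input (not a real dropper) -----------------------
def _pem(label: str, raw: bytes) -> str:
    """Wrap raw bytes in a 64-column PEM block with CRLF line endings."""
    b64 = base64.b64encode(raw).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (f"-----BEGIN {label}-----\r\n" + "\r\n".join(lines)
            + f"\r\n-----END {label}-----\r\n")


# Stand-ins only: a PE-looking header and a DER-looking header, zero-padded.
FAKE_PE = b"MZ\x90\x00\x03\x00" + b"\x00" * 58
FAKE_DER = b"\x30\x82\x01\x0a" + b"\x00" * 60

SAMPLE_BAT = (
    "@echo off\r\n"
    "rem constructed sample shaped like a dropper script; carries no payload\r\n"
    + _pem("X509 CRL", FAKE_PE)        # disguised executable -> flagged
    + _pem("CERTIFICATE", FAKE_DER)    # genuine-looking DER -> not flagged
)

if __name__ == "__main__":
    for f in scan_batch_script(SAMPLE_BAT):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} label={f['label']!r} kind={f['kind']} size={f['size']}")
```

Run against a quarantined attachment, the script flags the "X509 CRL" block whose body decodes to an MZ header and leaves the DER-bearing block alone; an undecodable body is also flagged, since a real CRL is never malformed Base64. The header check is deliberately shallow: it answers "is this really DER?" rather than trying to parse the PE, which keeps the triage step fast and free of parser attack surface.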

Malware Impact

  • Capabilities: Agent Tesla, Formbook, and Remcos RAT are equipped to siphon sensitive information, preparing the ground for future campaigns by threat actors.
  • Prevalence: In the second half of 2023, Rescoms, packed by AceCryptor, became the most prevalent malware family, with over half of the attacks occurring in Poland.

Security Implications

  • Targeting SMBs: Cybercriminals increasingly target SMBs due to their limited cybersecurity measures and resources. Kaspersky highlighted that trojan attacks remain the most common cyber threat to SMBs.
  • Trojan Threat: Trojans mimic legitimate software, making them harder to detect and prevent. Their versatility and ability to bypass traditional security measures make them a preferred tool for cyber attackers.

In the End

The phishing campaigns targeting SMBs in Poland underscore the critical need for robust cybersecurity measures. Organizations must update their defenses and educate employees about phishing threats to mitigate these risks effectively. Regular monitoring and advanced security solutions are essential to protect against evolving cyber threats.
