Widespread phishing attacks targeting small and medium-sized businesses (SMBs) in Poland in May 2024 have been documented by cybersecurity experts. These campaigns resulted in the distribution of multiple malware families, including Agent Tesla, Formbook, and Remcos RAT.
According to cybersecurity firm ESET, Italy and Romania were also targeted by the campaign.
“Attackers used previously compromised email accounts and company servers, not only to spread malicious emails but also to host malware and collect stolen data,” an ESET researcher said.
What makes these campaigns, which ran in nine waves, noteworthy is the use of a malware loader known as DBatLoader (also tracked as ModiLoader and NatsoLoader) to deliver the final payloads.
This marks a departure, the Slovak cybersecurity company said, from the attacks observed in the second half of 2023, which used a cryptor-as-a-service (CaaS) known as AceCryptor to distribute the Remcos RAT (also known as Rescoms).
“During the second half of [2023], Rescoms became the most prevalent malware family packed by AceCryptor,” ESET noted in March 2024. “Over half of these attempts happened in Poland, followed by Serbia, Spain, Bulgaria, and Slovakia.”
The attacks started with phishing emails containing malware-laced RAR or ISO attachments that, upon opening, activated a multi-step process to download and launch the trojan.
A Delphi-based downloader, DBatLoader is primarily designed to download and launch the next stage malware from either Microsoft OneDrive or compromised servers belonging to legitimate companies.
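The initial-access step described above (a RAR or ISO attachment sent from a previously compromised, legitimate mailbox) has a practical consequence for defenders: sender authentication such as SPF and DKIM will pass, so a mail gateway has to decide on the attachment itself. The following Python is an added example, not code from ESET or from the article; the attachment and message records, the MIME-type and document-extension lists, and the sample file names are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Initial-access attachment types used by the campaign described above.
CONTAINER_EXTENSIONS = {"rar", "iso"}
# Document-looking extensions that, placed before a container extension,
# suggest a disguised lure ("invoice.pdf.iso"). Assumption of this example.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}
# MIME types a gateway would plausibly declare for a RAR or ISO payload
# (assumed list; anything else is treated as a declared-type mismatch).
CONTAINER_MIME_TYPES = {
    "application/vnd.rar", "application/x-rar-compressed",
    "application/x-iso9660-image", "application/octet-stream",
}


@dataclass
class Attachment:
    filename: str
    content_type: str


@dataclass
class Verdict:
    quarantine: bool
    reasons: list = field(default_factory=list)


def extensions(filename):
    """Return every extension of a file name, lower-cased, in order.
    'Invoice.PDF.iso' -> ['pdf', 'iso']; 'README' -> []."""
    parts = filename.lower().strip(".").split(".")
    return parts[1:] if len(parts) > 1 else []


def inspect_attachment(att):
    """Flag a single attachment on its outermost extension, then add
    context (double extension, MIME mismatch) for the analyst."""
    exts = extensions(att.filename)
    if not exts or exts[-1] not in CONTAINER_EXTENSIONS:
        return Verdict(False)
    reasons = [f"container attachment .{exts[-1]}"]
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS:
        reasons.append(f"double extension disguises container as .{exts[-2]}")
    if att.content_type.lower() not in CONTAINER_MIME_TYPES:
        reasons.append(
            f"declared MIME type {att.content_type} does not match .{exts[-1]}")
    return Verdict(True, reasons)


def triage_message(spf_pass, dkim_pass, attachments):
    """Quarantine on attachment type alone. SPF/DKIM results are recorded
    for the analyst but never exempt a message: the campaign sent mail from
    previously compromised, legitimate accounts, so sender authentication
    passes and must not be used as an allow signal."""
    reasons = []
    for att in attachments:
        verdict = inspect_attachment(att)
        reasons.extend(f"{att.filename}: {r}" for r in verdict.reasons)
    quarantine = bool(reasons)
    if quarantine and spf_pass and dkim_pass:
        reasons.append(
            "sender authentication passed; consistent with a compromised legitimate account")
    return Verdict(quarantine, reasons)


if __name__ == "__main__":
    # Constructed sample message, not data from the campaign.
    sample = [Attachment("Faktura_05_2024.pdf.iso", "application/pdf"),
              Attachment("logo.png", "image/png")]
    result = triage_message(spf_pass=True, dkim_pass=True, attachments=sample)
    print("quarantine:", result.quarantine)
    for reason in result.reasons:
        print(" -", reason)
```

The deliberate design choice is that `triage_message` never consults the authentication results when deciding; they are appended to the reasons only so the analyst sees why a reputation-based control would have let the message through.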
Whichever payload is delivered, Agent Tesla, Formbook, and Remcos RAT all have information-stealing capabilities, allowing the threat actors to “prepare the ground for their next campaigns.”
The development comes as Kaspersky revealed that SMBs are being increasingly targeted by cybercriminals owing to their lack of robust cybersecurity measures as well as limited resources and expertise.
“Trojan attacks remain the most common cyberthreat, which indicates that attackers continue to target SMBs and favor malware over unwanted software,” the Russian security vendor said.