July 31, 2024
Severity
High
Analysis Summary
Cybersecurity experts have documented widespread phishing attacks targeting small and medium-sized businesses (SMBs) in Poland since May 2024. These campaigns delivered multiple malware families, including Agent Tesla, Formbook, and Remcos RAT. Italy and Romania were also targeted.
Cybersecurity researchers said in a report, “Attackers used previously compromised email accounts and company servers, not only to spread malicious emails but also to host malware and collect stolen data.”
What makes these nine waves of attacks noteworthy is the use of a malware loader known as DBatLoader (also known as ModiLoader and NatsoLoader) to deliver the final payloads. This differs from the attacks observed in the second half of 2023, which used a cryptor-as-a-service (CaaS) called AceCryptor to spread Remcos RAT (also known as Rescoms). In that period, Rescoms became the malware family most widely distributed by AceCryptor, with Poland accounting for more than half of those attacks, followed by Serbia, Spain, Bulgaria, and Slovakia.
The attacks began with phishing emails carrying malicious RAR or ISO attachments that, when opened, started a multi-step process to download and launch the trojan. When the attachment was an ISO file, DBatLoader executed directly. When it was a RAR archive, the archive held an obfuscated Windows batch script that embedded the Base64-encoded ModiLoader executable disguised as a PEM-encoded certificate revocation list.
DBatLoader is a Delphi-based downloader whose main purpose is to fetch and launch the next-stage malware from Microsoft OneDrive or from compromised servers belonging to legitimate businesses. Whichever payload is delivered, Agent Tesla, Formbook, and Remcos RAT all steal sensitive data, giving the threat actors a foothold for subsequent campaigns.
This development coincides with researchers' findings that SMBs are an increasingly attractive target for cybercriminals because of their limited resources and expertise and their weaker defenses. Trojans remain the most prevalent threat facing SMBs, indicating that attackers prefer malware over unwanted software against these targets. Because trojans imitate legitimate software, they are difficult to identify and stop, and their adaptability and ability to bypass conventional security controls make them a common and effective weapon for cybercriminals.
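The RAR-delivered stage described above is worth detecting on its own: a batch script that writes a block of Base64 text wrapped in PEM armour and then decodes it into an executable. The script below is an added example written for this advisory, not the campaign's own script or code from the researchers. It builds a constructed dropper in that style (the `cert` + `util` variable split and the file names are assumed for illustration), resolves the `set` variables to expose the decoder name, extracts every PEM-looking block, strips the `echo` prefixes, decodes the Base64 and checks whether the bytes are a PE file (`MZ`) rather than the DER `SEQUENCE` a real CRL or certificate starts with.

```python
import base64
import re

# --- Constructed sample (not a file from the campaign) ---------------------
# A minimal PE-like blob: DOS "MZ" header, e_lfanew pointing at a "PE\0\0" tag.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 56 + b"\x80\x00\x00\x00" + b"\x00" * 64 + b"PE\x00\x00"


def build_sample_bat(payload: bytes) -> str:
    """Emit a dropper in the style described: payload Base64-encoded, wrapped
    in PEM CRL armour, written line by line with echo, decoded with certutil
    and launched. Variable split of the tool name is an assumed obfuscation."""
    b64 = base64.b64encode(payload).decode()
    echo_lines = "".join(f"echo {b64[i:i + 64]}\r\n" for i in range(0, len(b64), 64))
    return (
        "@echo off\r\n"
        'set "cu=cert"\r\n'
        'set "ut=util"\r\n'
        "(\r\n"
        "echo -----BEGIN X509 CRL-----\r\n"
        + echo_lines +
        "echo -----END X509 CRL-----\r\n"
        ') > "%TEMP%\\revoked.crl"\r\n'
        '%cu%%ut% -decode "%TEMP%\\revoked.crl" "%TEMP%\\svc.exe"\r\n'
        'start "" "%TEMP%\\svc.exe"\r\n'
    )


SAMPLE_BAT = build_sample_bat(FAKE_PE)

# --- Analysis ---------------------------------------------------------------
SET_RE = re.compile(r'(?im)^\s*set\s+"?([A-Za-z_]\w*)=([^"\r\n]*)"?\s*$')
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def expand_set_vars(text: str) -> str:
    """Resolve %name% references to values assigned with `set` in the same
    script, so a tool name split across variables becomes visible."""
    env = {m.group(1).lower(): m.group(2) for m in SET_RE.finditer(text)}
    return re.sub(r"%([A-Za-z_]\w*)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)), text)


def pem_payloads(text: str):
    """Yield (label, decoded bytes) for each PEM-armoured block, dropping the
    `echo` prefixes a batch file uses to write the block and all whitespace."""
    for m in PEM_RE.finditer(text):
        body = re.sub(r"(?m)^\s*echo\s+", "", m.group(2))
        body = re.sub(r"\s+", "", body)
        try:
            yield m.group(1), base64.b64decode(body, validate=True)
        except ValueError:  # not Base64 at all; nothing to classify
            continue


def classify(data: bytes) -> str:
    if data.startswith(b"MZ"):
        return "pe"       # Windows executable hidden inside PEM armour
    if data[:1] == b"\x30":
        return "der"      # genuine certificates and CRLs are DER SEQUENCEs
    return "unknown"


def analyze_batch(text: str) -> dict:
    """Report the decoder invocation (after variable expansion), every PEM
    block with its classification, and a verdict: certutil -decode plus a PE
    payload in PEM armour is the pattern this campaign used."""
    expanded = expand_set_vars(text)
    decoder = re.search(r"\bcertutil(?:\.exe)?\b[^\r\n]*-decode", expanded, re.I)
    blocks = [{"label": label, "kind": classify(data), "size": len(data)}
              for label, data in pem_payloads(expanded)]
    return {
        "decoder": decoder.group(0) if decoder else None,
        "blocks": blocks,
        "suspicious": decoder is not None and any(b["kind"] == "pe" for b in blocks),
    }


if __name__ == "__main__":
    print(analyze_batch(SAMPLE_BAT))
```

The `validate=True` flag matters: a script that only looks PEM-shaped but carries non-Base64 text is skipped rather than misclassified, and a block that decodes to DER is left alone so legitimate certificate installs do not trigger the verdict.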
Impact
- Information Theft
- Unauthorized Remote Access
- Security Bypass
Indicators of Compromise
MD5
- f5b352b916a180937ffbd6a8094217d1
- c9c649c1008596aba49ed9a200d94814
- c7f9db206a9e924c08759fc6e7800b5c
- 6567d7fb54a7b8c62a956d8ed74d9844
- 2282a1185993f758e46a54047e5be6fa
- 8e30eee3d60f85d2b5058b949c9dab58
- f11a9dafc2671b5c540ed83eb2031650
- fc03ee8bdd684f8d1330560220de3701
- 2a531b61e38e833a0a68c2a08c0704b2
- 0092b0d4baf6b58610d4cbf8a758bd09
SHA-256
- 4e4a02d4039e3fa7305591479c7c6648878d7eb08d97b813f358c70a088d991c
- 019c35d3197522374f4a68e8b2c7feb4fd4a4d30d0ca061e235596f8d5419848
- a76ce2a01804927ef21bab061950383807089f81054a2eb4f1b38caf9fb640b5
- 6067948183e09e86005f1d85da438eb98ca244b593326e0229033234110773bf
- d11472907d18e4b2bdf9cd161fc07d4e02d9a05815f1fd446594c80bd01a7cf8
- 6c65ecd4d00bf57e05c08cbff03c240f1beecaad62c67839bf3ee6679050f392
- 53e3a7f2467b31f525a97faa4c0ccd6664a8a43bee8592f0d047c9679df2fb0d
- dddd54631af1495a354db65198d47ee6621b29e3f0f8d24996180abe458f2df1
- 72bc9110789eab827bf4c762a844c1f715dfb8c9485d180533810ff74c9a1546
- 554e4d943d3f742fcf75c21ddd251b13c7a4877e5a5cac4da66be5dddabe7e24
SHA-1
- 5dab001a2025aa91d278163f39e7504004354f01
- 9b5af677e565ffd4b15dee283d46c2e60e1e31d8
- 47af4cfc9b250ac4ae8cdd0a2d2304d7cf60aace
- 738cfbe52cff57098818857930a7c1cf01db0519
- 843ce8848bceeef16d07041a97417882dbacb93f
- 31672b52259b4d514e68da5d199225fcfa72352b
- d88b10e4fd487bfcca6a711a9e33bb153674c757
- d7561594c7478c4fe37c26684005268eb582e13b
- e7065ef6d0cf45443def30d3a3a35fd7300c4a56
- f0295f2e46cebffaf7892a5b33ba54122781c20b
Remediation
- Block all threat indicators at your respective controls.
- Search for the indicators of compromise (IOCs) listed above in your environment using your respective security controls, matching file hashes on endpoints and email gateways.
- Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
- Patch and upgrade platforms and software promptly, and make timely patching a standard security policy.
- Employ network intrusion detection and prevention systems to monitor and block malicious network activity. Note that the second-stage payloads in this campaign were hosted on Microsoft OneDrive and on compromised servers of legitimate businesses, so blocking by domain reputation alone is not sufficient; inspect executable downloads from such sources.
- Implement network segmentation to limit lateral movement for attackers within the network.
- Implement advanced email filtering to detect and block phishing emails, including quarantining ISO and RAR attachments, the delivery vectors used in this campaign.
- Employ updated and robust endpoint protection solutions to detect and block malware.
- Develop and test an incident response plan to ensure a swift and effective response to security incidents.
- Enhance logging and monitoring capabilities to detect anomalous activities and unauthorized access.
- Conduct regular security audits and penetration testing to identify and address potential vulnerabilities.
- Regularly back up critical data and ensure that backup and recovery procedures are in place.
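To act on the "search for IOCs in your environment" step, the following added example (written for this advisory, not code from the researchers or any vendor) parses the hash list in the format used above into per-algorithm sets and sweeps a directory tree, computing MD5, SHA-1 and SHA-256 in a single pass per file. `IOC_TEXT` embeds only the first three hashes of each type from the list above to keep the block short; paste the full list in practice. `demo()` is a self-check that writes a constructed, harmless file and adds that file's own SHA-256 to the set to prove the match path works; it is not a real indicator.

```python
import hashlib
import os
import re
import tempfile

# Subset of the advisory's IOC list (first three per algorithm).
IOC_TEXT = """
MD5
- f5b352b916a180937ffbd6a8094217d1
- c9c649c1008596aba49ed9a200d94814
- c7f9db206a9e924c08759fc6e7800b5c
SHA-256
- 4e4a02d4039e3fa7305591479c7c6648878d7eb08d97b813f358c70a088d991c
- 019c35d3197522374f4a68e8b2c7feb4fd4a4d30d0ca061e235596f8d5419848
- a76ce2a01804927ef21bab061950383807089f81054a2eb4f1b38caf9fb640b5
SHA-1
- 5dab001a2025aa91d278163f39e7504004354f01
- 9b5af677e565ffd4b15dee283d46c2e60e1e31d8
- 47af4cfc9b250ac4ae8cdd0a2d2304d7cf60aace
"""

LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}


def parse_iocs(text: str) -> dict:
    """Turn the 'MD5 / SHA-256 / SHA-1' sections into lowercase hash sets keyed
    by hashlib algorithm name. Each value is length-checked against its
    section so a stray or truncated line cannot enter the set."""
    out = {alg: set() for alg in LENGTHS}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        heading = line.replace("-", "").lower()
        if heading in LENGTHS:
            current = heading
            continue
        m = re.fullmatch(r"-\s*([0-9a-fA-F]+)", line)
        if current and m and len(m.group(1)) == LENGTHS[current]:
            out[current].add(m.group(1).lower())
    return out


def hash_file(path: str) -> dict:
    """Compute all three digests in one read of the file."""
    hashers = {alg: hashlib.new(alg) for alg in LENGTHS}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def scan_tree(root: str, iocs: dict) -> list:
    """Walk root and return (path, algorithm, digest) for every file whose
    digest is in the IOC sets. Unreadable files are skipped, not fatal."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:
                continue
            for alg, digest in digests.items():
                if digest in iocs[alg]:
                    hits.append((path, alg, digest))
    return hits


def demo() -> list:
    """Self-check with a constructed file: add its own SHA-256 to the IOC set
    as if it were listed, then confirm the sweep reports it."""
    iocs = parse_iocs(IOC_TEXT)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "constructed.bin")
        with open(path, "wb") as f:
            f.write(b"constructed sample, not malware")
        iocs["sha256"].add(hash_file(path)["sha256"])
        return [(os.path.basename(p), alg, d) for p, alg, d in scan_tree(tmp, iocs)]


if __name__ == "__main__":
    print(demo())
```

Run `scan_tree("/path/to/check", parse_iocs(open("iocs.txt").read()))` against download, temp and mail-attachment directories; on Windows endpoints the same hashes can be fed to your EDR's file-hash search instead.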