
Stealthy DBatLoader Malware Loader Spreading Remcos RAT and Formbook in Europe
2023-03-28 09:53

A new phishing campaign has set its sights on European entities to distribute Remcos RAT and Formbook via a malware loader dubbed DBatLoader.

"The malware payload is distributed through WordPress websites that have authorized SSL certificates, which is a common tactic used by threat actors to evade detection engines," Zscaler researchers Meghraj Nandanwar and Satyam Singh said in a report published Monday.

Some of the file formats used to distribute the DBatLoader payload include a multi-layered obfuscated HTML file and OneNote attachments.

The development adds to growing abuse of OneNote files as an initial vector for malware distribution since late last year in response to Microsoft's decision to block macros by default in files downloaded from the internet.

DBatLoader, also called ModiLoader and NatsoLoader, is a Delphi-based malware that's capable of delivering follow-on payloads from cloud services like Google Drive and Microsoft OneDrive, while also adopting image steganography techniques to evade detection engines.

A caveat here is that the directories cannot be created directly from within the Windows Explorer user interface; the attacker instead has to rely on a script to create them and to copy into the folder a rogue DLL together with a legitimate executable that is vulnerable to DLL hijacking, so that the executable loads the DLL payload. This lets the attackers carry out elevated activities without alerting users, including establishing persistence and adding the "C:\Users" directory to the Microsoft Defender exclusion list so that its contents are never scanned.
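Because the loader's final step is a blanket Defender exclusion on the whole profile tree, one practical detection is to audit the configured exclusion paths for overly broad entries. The Python below is an added example, not code from the Zscaler report or this article; it assumes the paths were exported one per line from `Get-MpPreference` (its ExclusionPath property), and the sample list is constructed.

```python
import re

# Constructed sample input, not taken from the report: one exclusion path per
# line, as `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath`
# would print them (assumption about the export format).
SAMPLE_EXCLUSIONS = r"""
C:\Program Files\Vendor\scanner.exe
C:\Users
c:\users\alice
C:\ProgramData\Acme\cache
D:\
%USERPROFILE%\AppData\Local\Temp
"""

# Trees an exclusion should never cover wholesale: the profile tree is where a
# phishing payload lands, the other two are classic DLL side-loading locations.
BROAD_ROOTS = ("c:\\users", "c:\\programdata", "c:\\windows")


def normalize(path: str) -> str:
    """Case-fold, map %USERPROFILE% to a placeholder profile, trim trailing separators."""
    p = path.strip().lower().replace("/", "\\")
    p = re.sub(r"%userprofile%", r"c:\\users\\<user>", p)
    return p.rstrip("\\")


def classify(path: str) -> tuple[str, str]:
    """Return (severity, reason) for a single Defender exclusion path."""
    p = normalize(path)
    if re.fullmatch(r"[a-z]:", p):
        return "critical", "whole drive excluded from scanning"
    for root in BROAD_ROOTS:
        if p == root:
            return "critical", f"entire {root} tree excluded"
        if p.startswith(root + "\\"):
            depth = p[len(root) + 1:].count("\\")
            if root == "c:\\users" and depth == 0:
                return "high", "entire user profile excluded"
            return "medium", f"exclusion inside {root}; confirm a business justification"
    return "info", "specific path; verify it is still needed"


def audit_exclusions(text: str) -> list[tuple[str, str, str]]:
    """Audit every non-empty line and return (path, severity, reason) triples."""
    return [(line.strip(), *classify(line)) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for path, severity, reason in audit_exclusions(SAMPLE_EXCLUSIONS):
        print(f"[{severity:8}] {path}: {reason}")
```

Anything rated critical or high, in particular a bare `C:\Users` entry, deserves the same handling as a confirmed tamper event: it is the exact change this loader makes.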


News URL

https://thehackernews.com/2023/03/stealthy-dbatloader-malware-loader.html