Widespread Phishing Campaigns Targeting SMBs in Poland Unleash Multiple Malware Strains
In May 2024, cybersecurity researchers identified a pervasive series of phishing attacks directed at small and medium-sized businesses (SMBs) in Poland. During these campaigns, threat actors utilized a variety of malware families, including Agent Tesla, Formbook, and Remcos RAT, to compromise systems and extract sensitive information. This alarming trend underscores the urgent necessity for SMBs to bolster their cybersecurity measures.
The campaigns also extended their reach to regions such as Italy and Romania, as detailed by the cybersecurity firm ESET. These attacks primarily involved leveraging previously compromised email accounts and company servers. Jakub Kaloč, an ESET researcher, emphasized the dual nature of the attacks, where malicious emails not only propagated malware but also served as conduits for hosting the malicious payloads and collecting stolen data.
The campaign unfolded in nine distinct phases, showcasing the use of a malware loader known as DBatLoader (also referred to as ModiLoader and NatsoLoader) to deliver the ultimate payloads. This shift in tactics reflects a strategic evolution, moving away from the previously noted attacks that relied on cryptors-as-a-service, such as AceCryptor, to distribute Remcos RAT. ESET reported that Rescoms (ESET's detection name for Remcos RAT) emerged as the most frequently encountered malware family during the latter half of 2023, with over fifty percent of these incidents reported in Poland.
At the onset of the attacks, phishing emails typically included RAR or ISO attachments containing embedded malware. Opening these attachments initiated a complex sequence designed to download and execute the trojan. Opening an ISO file launched DBatLoader directly, while RAR archives commonly harbored an obfuscated Windows batch script containing a Base64-encoded ModiLoader executable masquerading as a Privacy-Enhanced Mail (PEM)-encoded certificate list.
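As an added illustration (not code from the article or from ESET), the following Python check lets a defender or analyst test whether a PEM-looking block inside a batch script actually decodes to a Windows PE image rather than to an X.509 certificate. The two sample scripts and the embedded PE and DER bytes are constructed dummies, not real malware.

```python
import base64
import binascii
import re

# Matches any PEM-style block and captures its label (CERTIFICATE, PRIVATE KEY, ...).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def classify_payload(data: bytes) -> str:
    """Classify decoded PEM contents by their leading magic bytes."""
    if data[:2] == b"MZ":
        return "pe_executable"   # DOS/PE header: an executable, not a certificate
    if data[:1] == b"\x30":
        return "asn1_der"        # ASN.1 SEQUENCE, which X.509 DER always starts with
    return "other"


def scan_pem_blocks(text: str) -> list:
    """Decode every PEM block found in a script and report what it really holds."""
    findings = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        b64 = re.sub(r"\s+", "", body)          # join the wrapped 64-char lines
        try:
            raw = base64.b64decode(b64, validate=True)
        except binascii.Error:
            findings.append({"label": label, "size": 0, "verdict": "undecodable"})
            continue
        findings.append({"label": label, "size": len(raw), "verdict": classify_payload(raw)})
    return findings


def wrap_pem(label: str, data: bytes) -> str:
    """Helper to build a PEM block for the constructed samples below."""
    b64 = base64.b64encode(data).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed sample inputs: a dummy PE stub and a dummy DER blob (neither is real).
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
FAKE_DER = b"\x30\x82\x01\x0a\x30\x81\xf2" + b"\x00" * 20

MALICIOUS_BAT = "@echo off\r\nset x=%~dp0\r\n" + wrap_pem("CERTIFICATE", FAKE_PE)
BENIGN_BAT = "@echo off\r\n" + wrap_pem("CERTIFICATE", FAKE_DER)

if __name__ == "__main__":
    for name, script in (("suspect.bat", MALICIOUS_BAT), ("benign.bat", BENIGN_BAT)):
        print(name, scan_pem_blocks(script))
```

A batch file whose "certificate" decodes to an MZ header is a strong triage signal; a real certificate list only ever yields ASN.1 DER.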
DBatLoader, developed in Delphi, is engineered to download and execute additional malware from compromised servers or Microsoft OneDrive, facilitating a smoother infiltration process. Regardless of the specific strain unleashed, Agent Tesla, Formbook, and Remcos RAT equip threat actors with the ability to siphon sensitive data, leading to severe long-term repercussions for targeted organizations.
This surge in attacks on SMBs is attributed to their often inadequate cybersecurity infrastructure and limited resources. Kaspersky’s recent analysis reveals that trojan attacks remain the predominant threat, highlighting attackers’ preference for malware that can camouflage itself as legitimate software. Due to the challenging detection landscape, these trojans present a formidable threat, effectively bypassing conventional security protocols.
Tactics and techniques catalogued in the MITRE ATT&CK framework, such as initial access through phishing (T1566), exploitation of vulnerabilities (T1203), persistence mechanisms via malicious software (T1050), and data theft techniques (T1040), could have played a part in the execution of these attacks. Such insight into adversary tactics and techniques underscores the need for heightened awareness and preparedness among SMBs, particularly in the context of evolving cyber threats.
As observed in these campaigns, the capacity for targeted phishing to lead to significant data breaches and operational disruptions is real and increasingly sophisticated. It is imperative for business owners to stay vigilant, invest in robust cybersecurity measures, and remain informed about the latest developments in cyber threats to safeguard their assets and data effectively.