ESET researchers observed multiple phishing campaigns targeting SMBs in Poland in May 2024, distributing various malware families like Agent Tesla, Formbook, and Remcos RAT.
ESET researchers detected nine notable phishing campaigns during May 2024 in Poland, Romania, and Italy. The campaigns rely on ModiLoader (aka DBatLoader) to deploy the above malware families.
Seven of these campaigns targeted Poland, affecting over 21,000 users. The threat actors used previously compromised email accounts and company servers to send the phishing messages, host the malware, and collect the stolen data.
In the second half of 2023, ESET Research reported on significant phishing campaigns across Central and Eastern Europe, distributing the Rescoms malware protected by AceCryptor. However, in May 2024, the campaigns evolved and attackers switched from AceCryptor to ModiLoader for delivering malware, including Rescoms, Agent Tesla, and Formbook.
The attack chain is similar across the campaigns: the targeted companies received an email with a business offer that could be as simple as “Please provide your best price offer for the attached order no. 2405073.”
“Emails from all campaigns contained a malicious attachment that the potential victim was incentivized to open, based on the text of the email. These attachments had names like RFQ8219000045320004.tar (as in Request for Quotation) or ZAMÓWIENIE_NR.2405073.IMG (translation: ORDER_NO) and the file itself was either an ISO file or archive,” reads the report published by ESET. “In campaigns where an ISO file was sent as an attachment, the content was the ModiLoader executable (named similarly or the same as the ISO file itself) that would be launched if a victim tried to open the executable. In the other case, when a RAR archive was sent as an attachment, the content was a heavily obfuscated batch script, with the same name as the archive and with the .cmd file extension. This file also contained a base64-encoded ModiLoader executable, disguised as a PEM-encoded certificate revocation list. The script is responsible for decoding and launching the embedded ModiLoader.”
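The RAR variant described above hides a base64-encoded executable inside a batch script by dressing it up as a PEM certificate revocation list. A cheap triage check for mail-gateway or sandbox pipelines is to locate PEM-style blocks in a `.cmd` file, decode them, and verify that the content actually is DER (as a real CRL would be) rather than a Windows executable. The following Python checker is an added example, not code from ESET or Security Affairs; the sample script it scans is constructed here, with a harmless DOS-stub stand-in for the executable rather than any real payload, and the header-byte classification is a heuristic, not a full parser.

```python
import base64
import re
import textwrap

# PEM-style block: "-----BEGIN <LABEL>-----" ... "-----END <LABEL>-----"
PEM_BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S
)


def extract_pem_blocks(text):
    """Return (label, decoded_bytes) for each PEM-style block whose body is valid base64."""
    blocks = []
    for match in PEM_BLOCK_RE.finditer(text):
        label, body = match.group(1), match.group(2)
        compact = "".join(body.split())  # drop line wrapping before decoding
        try:
            data = base64.b64decode(compact, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        blocks.append((label, data))
    return blocks


def classify_payload(data):
    """Cheap content check on the decoded bytes.

    A genuine PEM CRL decodes to DER, which begins with an ASN.1 SEQUENCE tag (0x30).
    A Windows executable begins with the 'MZ' DOS header.
    """
    if data[:2] == b"MZ":
        return "pe-executable"
    if data[:1] == b"\x30":
        return "der-asn1"
    return "unknown"


def scan_batch_script(text):
    """Flag PEM blocks in a batch script whose label claims a CRL but whose content is not DER."""
    findings = []
    for label, data in extract_pem_blocks(text):
        kind = classify_payload(data)
        findings.append({
            "label": label,
            "kind": kind,
            "size": len(data),
            "suspicious": label.endswith("CRL") and kind != "der-asn1",
        })
    return findings


def _pem(label, data):
    """Wrap bytes as a PEM block with 64-character lines (helper for the constructed sample)."""
    body = textwrap.fill(base64.b64encode(data).decode(), 64)
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed sample script: a harmless stand-in for a PE file (DOS stub header plus
# padding) labelled as a CRL, followed by a DER-looking block for comparison.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode.\r\n$"
FAKE_DER_CRL = b"\x30\x82\x00\x20" + b"\x00" * 32

SAMPLE_SCRIPT = (
    "@echo off\r\n"
    "rem constructed sample, not the real dropper\r\n"
    + _pem("X509 CRL", FAKE_PE)
    + _pem("X509 CRL", FAKE_DER_CRL)
)

if __name__ == "__main__":
    for finding in scan_batch_script(SAMPLE_SCRIPT):
        print(finding)
```

Any PEM block inside a batch script is already unusual enough to merit a look; the check escalates when the decoded bytes carry an `MZ` header under a CRL label, which is exactly the disguise the report describes. A real CRL can be validated further with an ASN.1 parser if the first-byte test is too coarse for your pipeline.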
All the malware used in the campaigns has information-stealing capabilities. The stolen data is exfiltrated via SMTP to a typosquatted domain; ESET also observed the threat actors using a compromised web server belonging to a guest house in Romania.
“Phishing campaigns targeting small and medium-sized businesses in Central and Eastern Europe are still going strong in the first half of 2024. Furthermore, attackers take advantage of previously successful attacks and actively use compromised accounts or machines to further spread malware or collect stolen information,” concludes the report. “As we presented, there are multiple other malware families like ModiLoader or Agent Tesla in the arsenal of these attackers, ready to be used.”