DBatLoader Malware Drops RATs and Info-Stealers in Europe
Category: Malware Campaign | Industry: Global | Level: Tactical | Source: Zscaler
European entities are being targeted by a fresh phishing campaign aiming to distribute Remcos RAT and the Formbook info-stealer through a malware loader called DBatLoader. Zscaler ThreatLabz has detected this new campaign, which employs DBatLoader (aka ModiLoader), in a targeted attack against manufacturing firms and other businesses in European nations via phishing emails. Files used to trigger the download and execution of DBatLoader include PDF, HTML, OneNote, CAB, and shortcut/LNK files. Batch files fetched by DBatLoader were scripted to take advantage of "a well-known technique of bypassing Windows User Account Control (UAC) called the 'Mock Trusted Directories Method' to escalate privileges without displaying a UAC prompt. This method involves creating a fake directory with extra whitespace and the same name as a legitimate trusted location, such as 'C:\Windows \System32', and copying the required files to it," as analyzed by Zscaler researchers.
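The mock trusted directory described above leaves a distinctive trace: a directory name with trailing whitespace that, once trimmed, matches a trusted Windows location. The following added detection example (not from the Zscaler report or Anvilogic) scans constructed process-creation records for such paths; the sample `Image=` records, the executable names in them and the `TRUSTED_COMPONENTS` list are assumptions chosen for illustration.

```python
import re
from typing import Optional

# Trusted locations whose names the 'Mock Trusted Directories' technique
# imitates with extra whitespace (e.g. "C:\Windows \System32").
TRUSTED_COMPONENTS = {"windows", "system32", "syswow64",
                      "program files", "program files (x86)"}

# Constructed sample process-creation records (not from the report); they
# imitate the Image= field of Windows process telemetry.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\cmd.exe",
    r"Image=C:\Windows \System32\dropped.exe",
    r"Image=C:\Program Files \Vendor\tool.exe",
    r"Image=C:\Users\alice\AppData\Local\Temp\setup.exe",
    r"Image=C:\Users\alice\Documents\report .exe",
]

def mock_trusted_dir_reason(path: str) -> Optional[str]:
    """Return why `path` looks like a mock trusted directory, or None.

    Ordinary Win32 path handling strips trailing spaces from directory names,
    so a component such as "Windows " normally cannot be created by accident;
    when its trimmed name also matches a trusted location, the directory is
    an impersonation of that location rather than a typo.
    """
    components = path.split("\\")[:-1]  # directories only, not the file name
    for comp in components:
        trimmed = comp.strip()
        if comp == trimmed or not trimmed:
            continue
        if trimmed.lower() in TRUSTED_COMPONENTS:
            return f"directory {comp!r} impersonates trusted location {trimmed!r}"
        return f"directory {comp!r} has leading/trailing whitespace"
    return None

def scan_events(events):
    """Extract the Image path from each record; return (path, reason) per hit."""
    hits = []
    for record in events:
        match = re.search(r"Image=(.+)$", record)
        if not match:
            continue
        reason = mock_trusted_dir_reason(match.group(1))
        if reason:
            hits.append((match.group(1), reason))
    return hits

if __name__ == "__main__":
    for path, reason in scan_events(SAMPLE_EVENTS):
        print(f"ALERT {path}: {reason}")
```

Only directory components are inspected, so a file name with a trailing space (the last sample record) is not flagged by this rule.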
Anvilogic Use Cases:
- AVL_UC8310 - Malicious File Delivering Malware
- AVL_UC1050 - Malicious Document Execution
- AVL_UC1116 - Executable Create Script Process
- AVL_UC5996 - Modify Windows Defender