Several phishing campaigns have used the DBatLoader malware to target businesses, manufacturing firms, and other organisations in European countries. The actors use DBatLoader as a first-stage loader to deliver last-stage payloads such as Remcos RAT, Warzone RAT, Netwire RAT, and Formbook.
Researchers explained that DBatLoader uses multi-stage obfuscation and image steganography to hide the initial stage and evade security detection products.
The actors distribute these payloads through phishing campaigns that constantly change their delivery methods. Research revealed that the operation uses several file formats, including ZIP, OneNote, HTML, and PDF, to deliver payloads discreetly.
The malware launches multiple executables, batch files, and DLLs to carry out its malicious activity. It then downloads obfuscated final-stage payloads from public cloud services such as Google Drive and OneDrive.
It then bypasses Windows User Account Control (UAC) through a mock trusted directory: a directory whose name mimics a trusted Windows path (typically by including a trailing space), from which an auto-elevating component is run so that the loader gains elevated privileges without triggering a UAC prompt.
DBatLoader establishes persistence by dropping a copy of itself. The loader creates a .url Internet shortcut file (not an archive) that launches the dropped RAT, and points an autorun (Run) registry key at that shortcut so the RAT is started again after each reboot.
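As an added hunting example that is not part of the original report and not DBatLoader's own code, the following Python checks Sysmon-style events for the two host indicators described above: a directory that mimics a trusted Windows path with a trailing space (the mock-trusted-directory UAC bypass), and a Run-key value that points to a .url shortcut. The event field names, the trailing-space heuristic, and the sample paths are assumptions for illustration; the sample events are constructed, not real telemetry.

```python
"""Offline hunting helpers for the DBatLoader host indicators described above.
Input is a list of Sysmon-style event dicts (constructed sample data below)."""

from typing import Dict, List

# Directories an auto-elevating Windows binary is expected to run from.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Autorun key paths covered by the shortcut check (assumed scope of this example).
RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")


def is_mock_trusted_path(path: str) -> bool:
    """True when a path imitates a trusted directory via a trailing space in a
    directory component, e.g. 'C:\\Windows \\System32\\sample.dll'. Normal Win32
    calls strip trailing spaces, so such directories are rarely created legitimately."""
    parts = path.lower().split("\\")
    dirs = parts[:-1]
    if not any(d != d.rstrip(" ") for d in dirs):
        return False  # no trailing-space component, nothing to mimic
    # Collapse the trailing spaces; if the result lands in a trusted dir, it is a mock.
    collapsed = "\\".join(p.rstrip(" ") for p in parts)
    return any(collapsed.startswith(t + "\\") for t in TRUSTED_DIRS)


def is_url_shortcut_autorun(target_object: str, details: str) -> bool:
    """True when a value under a ...\\CurrentVersion\\Run(Once) key points at a
    .url Internet shortcut. Legitimate Run values normally reference .exe or .lnk."""
    key = target_object.lower()
    if not any(marker in key for marker in RUN_KEY_MARKERS):
        return False
    return details.strip().strip('"').lower().endswith(".url")


def hunt(events: List[Dict[str, str]]) -> List[str]:
    """Apply both checks to Sysmon-style events and return human-readable findings.
    Event 11 = FileCreate (TargetFilename); Event 13 = registry value set
    (TargetObject, Details). Other event IDs are ignored."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 11 and is_mock_trusted_path(ev["TargetFilename"]):
            findings.append(f"mock trusted dir: {ev['TargetFilename']}")
        elif eid == 13 and is_url_shortcut_autorun(ev["TargetObject"], ev["Details"]):
            findings.append(f"url shortcut autorun: {ev['TargetObject']} -> {ev['Details']}")
    return findings


# Constructed sample events (not real telemetry); names are placeholders.
SAMPLE_EVENTS = [
    # Benign: a file under the real System32 directory.
    {"EventID": 11, "TargetFilename": r"C:\Windows\System32\drivers\etc\hosts"},
    # Suspicious: 'Windows ' carries a trailing space, mimicking the trusted path.
    {"EventID": 11, "TargetFilename": r"C:\Windows \System32\sample.dll"},
    # Benign: a Run value pointing at a normal executable.
    {"EventID": 13,
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "Details": r"C:\Program Files\Vendor\app.exe"},
    # Suspicious: a Run value pointing at a .url shortcut in a user-writable path.
    {"EventID": 13,
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\Public\Libraries\update.url"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The trailing-space check deliberately requires the collapsed path to fall under a trusted directory, so odd-but-harmless paths such as a user folder with a trailing space do not fire; widen `TRUSTED_DIRS` if your environment has other auto-elevation locations worth covering.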
DBatLoader primarily delivers Remcos RAT.
According to investigations, the DBatLoader operation uses phishing emails with lures such as payment invoices, sales orders, and quotations to distribute Remcos.
These emails carry a malicious PDF attachment that contains a link. Once the target clicks the link, it downloads a CAB file, which in turn downloads and executes DBatLoader and then Remcos RAT.
Numerous threat groups have adopted a similar attack chain with different phishing emails. Most of these attacks originate from a WordPress website that hosts DBatLoader, which then downloads Remcos RAT.
Cybersecurity experts advise users to be wary of suspicious emails and to avoid opening links from unknown senders. Administrators should also deploy a detection platform such as XDR to gain comprehensive visibility across endpoints, network infrastructure, and cloud workloads.