Organizations across Europe have been targeted by a novel phishing campaign leveraging the DBatLoader malware loader, also known as NatsoLoader and ModiLoader, to facilitate the distribution of the Remcos RAT and Formbook malware strains, The Hacker News reports.
OneNote and HTML file attachments with multi-layered obfuscation have been used to enable the deployment of the DBatLoader payload, with the attacks utilizing mock trusted directories for User Account Control evasion and privilege escalation, according to a Zscaler report.
Attackers use a script to create the mock trusted directories through Windows Explorer, which then enables loading of the DLL payload. This process obfuscates the attackers' elevated activity as they establish persistence, and it evades detection by scanning systems through the addition of the "C:\Users" directory to the Microsoft Defender exclusion list.
Users are advised to monitor process executions together with their filesystem paths, and to set the Windows UAC configuration to "Always notify", to avoid DBatLoader compromise.
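The two hunting rules below put that recommendation into practice. This is an added example, not code from the article or from Zscaler's report: the event records are constructed, the field names (`kind`, `pid`, `image`, `path`) are assumed rather than taken from any real telemetry schema, and the heuristic that a mock trusted directory differs from the genuine one by leading or trailing whitespace in a directory component is an assumption about how such directories are built. The first rule flags a process whose image path, once that whitespace is removed, collapses onto a trusted Windows location; the second flags a Defender path exclusion broad enough to cover the whole `C:\Users` tree, as described above.

```python
"""Hunting rules for the two DBatLoader indicators discussed above.

Added example. Event records are constructed; the whitespace heuristic for
mock trusted directories is an assumption, not a detail from the report.
"""
import ntpath
from typing import Iterable

# Locations whose binaries Windows treats as trusted. Most specific first so
# the match reported is the closest one.
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows",
    r"c:\program files (x86)",
    r"c:\program files",
)

# Defender path exclusions this broad switch off scanning for user data.
OVERBROAD_EXCLUSIONS = ("c:\\", "c:\\users\\", "c:\\programdata\\")


def mock_trusted_directory(image_path: str):
    """Return the trusted directory an image path impersonates, or None.

    A path is flagged when some directory component carries leading or
    trailing whitespace (assumption: that is how a mock directory differs
    from the real one) and, with that whitespace removed, the directory is a
    trusted location or sits beneath one.
    """
    directory, _ = ntpath.split(image_path)
    components = directory.split("\\")
    if all(c == c.strip() for c in components):
        return None  # nothing odd about the path spelling
    canonical = "\\".join(c.strip() for c in components).lower()
    for trusted in TRUSTED_DIRS:
        if canonical == trusted or canonical.startswith(trusted + "\\"):
            return trusted
    return None


def overbroad_exclusion(excluded_path: str) -> bool:
    """True when a new Defender path exclusion covers C:\\, C:\\Users or C:\\ProgramData."""
    canonical = excluded_path.strip().lower()
    if not canonical.endswith("\\"):
        canonical += "\\"
    return canonical in OVERBROAD_EXCLUSIONS


def triage(events: Iterable[dict]) -> list:
    """Apply both rules to process-creation and Defender-exclusion events."""
    alerts = []
    for ev in events:
        if ev["kind"] == "process_create":
            target = mock_trusted_directory(ev["image"])
            if target:
                alerts.append(
                    f"pid {ev['pid']}: {ev['image']!r} runs from a mock copy of {target}"
                )
        elif ev["kind"] == "defender_exclusion_added":
            if overbroad_exclusion(ev["path"]):
                alerts.append(
                    f"pid {ev['pid']}: over-broad Defender exclusion added for {ev['path']!r}"
                )
    return alerts


# Constructed sample events (assumed field names; not real telemetry).
SAMPLE_EVENTS = [
    {"kind": "process_create", "pid": 412,
     "image": r"C:\Windows\System32\svchost.exe"},
    # Note the space after "Windows": the directory is a look-alike, not the real one.
    {"kind": "process_create", "pid": 5120,
     "image": r"C:\Windows \System32\stage2.exe"},
    {"kind": "process_create", "pid": 5133,
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"kind": "defender_exclusion_added", "pid": 5120, "path": r"C:\Users"},
    {"kind": "defender_exclusion_added", "pid": 900,
     "path": r"C:\Program Files\Vendor\App"},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

Running the block prints one alert for the process started from the look-alike `System32` directory and one for the `C:\Users` exclusion; the legitimate `svchost.exe`, the user-profile temp executable and the narrowly scoped vendor exclusion produce nothing. In production the same two functions would sit over process-creation telemetry (Sysmon event 1 or Windows Security 4688 with command-line auditing) and over the Defender operational log, where exclusion changes are recorded.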