Nine phishing campaigns that used the DBatLoader malware loader (also known as NatsoLoader and ModiLoader) to distribute the Agent Tesla, Formbook, and Rescoms payloads have targeted small and medium-sized businesses, most of them in Poland, with others in Italy and Romania, The Hacker News reports.
The intrusions began with phishing emails carrying malicious RAR or ISO attachments: the RAR archives led directly to DBatLoader execution, while the ISO images contained a Windows batch script alongside a DBatLoader executable disguised as a PEM-encoded certificate revocation list, an analysis from ESET revealed.
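A defender can triage the ISO delivery pattern above without running anything: a file that wears a PEM certificate-revocation-list envelope should base64-decode to DER (a leading SEQUENCE byte), not to a Windows executable whose image starts with the "MZ" DOS header. The following Python is an added example, not code from ESET, The Hacker News, or any DBatLoader analysis; the sample "CRL" and the file listing it inspects are constructed inline, and the check is written generically for any PEM label rather than only "X509 CRL".

```python
import base64
import binascii
import re

# Constructed sample data (not real malware): the first bytes of a PE image
# ("MZ" DOS header stub) wrapped in a PEM "X509 CRL" envelope, mimicking an
# executable disguised as a certificate revocation list.
PE_STUB = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"
FAKE_CRL = (
    "-----BEGIN X509 CRL-----\n"
    + base64.encodebytes(PE_STUB).decode()
    + "-----END X509 CRL-----\n"
)

# Constructed benign control: a PEM body that decodes to DER (leading 0x30 =
# SEQUENCE), which is what a genuine CRL looks like once decoded.
BENIGN_CRL = (
    "-----BEGIN X509 CRL-----\n"
    + base64.encodebytes(b"\x30\x82\x01\x00" + b"\x00" * 12).decode()
    + "-----END X509 CRL-----\n"
)

# Matches any PEM block and captures its label and base64 body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_hides_pe(text):
    """True if any PEM block in `text` base64-decodes to data starting with 'MZ'."""
    for match in PEM_BLOCK.finditer(text):
        body = "".join(match.group(2).split())  # drop line breaks between base64 lines
        try:
            raw = base64.b64decode(body, validate=True)
        except binascii.Error:
            continue  # not valid base64, so not a decodable disguised binary
        if raw[:2] == b"MZ":
            return True
    return False


def triage_iso_contents(files):
    """Score the files found inside a mounted ISO attachment.

    `files` is a list of (name, bytes). Returns human-readable findings that
    match the delivery pattern in the report: a batch script paired with a
    PEM-looking file that actually contains a Windows executable.
    """
    findings = []
    for name, data in files:
        lower = name.lower()
        if lower.endswith((".bat", ".cmd")):
            findings.append(f"{name}: batch script inside disk image")
        try:
            text = data.decode("ascii")
        except UnicodeDecodeError:
            continue  # binary content cannot be a PEM envelope
        if pem_hides_pe(text):
            findings.append(f"{name}: PEM envelope decodes to a PE (MZ) image")
    return findings


if __name__ == "__main__":
    # Constructed listing standing in for the contents of a suspicious ISO.
    sample_iso = [
        ("run.bat", b"@echo off\r\nrem constructed placeholder script\r\n"),
        ("update.crl", FAKE_CRL.encode()),
        ("legit.crl", BENIGN_CRL.encode()),
    ]
    for finding in triage_iso_contents(sample_iso):
        print(finding)
```

The two signals are deliberately separate: a batch script in a disk image is suspicious on its own, and a PEM file that decodes to an executable is suspicious on its own, so either finding is worth an alert and both together strongly match the campaign's delivery chain. Decoding rather than trusting the extension is the point; the disguise works only on tools that look at the filename.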
The payloads that DBatLoader later retrieved from compromised servers or Microsoft OneDrive would then enable data exfiltration, which serves as the foundation for further illicit activity, ESET researchers said. The findings follow a Kaspersky report detailing mounting attacks against SMBs, whose limited resources and cybersecurity defenses make them attractive targets, with trojans named as the leading threat to such organizations.