
Windows loader
SentinelOne has been observing phishing campaigns that distribute the Remcos RAT using the DBatLoader malware loader to target predominantly Eastern European institutions and businesses.

The feature-rich RAT Remcos is actively used by threat actors with cybercriminal and espionage motivations. Threat actors typically distribute the RAT through phishing emails and stage it on systems using a variety of forms and methods. Examples include the use of the TrickGate loader stored in archive files, malicious ISO images, and URLs to VBScript scripts embedded in pictures. Further, the Ukrainian CERT has recently issued reports on Remcos RAT phishing campaigns targeting Ukrainian state institutions for espionage purposes using password-protected archives as email attachments. This report complements the available information about recent phishing campaigns that distribute Remcos by highlighting the way in which DBatLoader stages the RAT on infected systems. DBatLoader is characterized by the abuse of public Cloud infrastructure to host its malware staging component. In this blog post, we summarize our observations on these campaigns to equip defenders with the information they need to protect against this threat.

The phishing emails distributing DBatLoader and Remcos have attachments in the form of tar.lz archives that typically masquerade as financial documents, such as invoices or tender documentation. The emails are typically sent to the sales departments of the targets or their main contact email addresses as disclosed online. To make the emails look credible, we observed the threat actors using a variety of techniques. From the recipient's perspective, the phishing emails originate from institutions or business organizations related to the target, such that sending an invoice would be realistic.
