Cybersecurity researchers at SentinelOne have observed a new phishing campaign in which attackers abuse a Windows User Account Control (UAC) bypass to distribute the DBatLoader and Remcos RAT malware. The primary targets of this campaign are organizations in Eastern Europe. The attack commences with phishing emails disguised as financial files, such as invoices.

New Phishing Campaign Delivering Remcos RAT

According to SentinelOne, the scammers use the DBatLoader malware loader to deliver Remcos RAT to businesses and institutions across Eastern Europe. The attackers use emails that appear to come from authentic sources, such as reputed institutions in their target regions, to lure victims. When they succeed in luring users into clicking on the malicious link included in the email's content, the attackers leverage the malware loader, bypass Windows UAC, and drop Remcos RAT.

The phishing email as seen by SentinelOne

These emails include a tar.lz archive containing the DBatLoader executable. When the victim checks the email, they are lured into opening DBatLoader's initial-stage payload, which is disguised as a LibreOffice, PDF, or MS Office document. Once this is done, the second-stage payload is retrieved from Google Drive or Microsoft OneDrive, one of which has been active for at least a month.
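A mail-gateway triage heuristic for the delivery stage described above, added here as an illustration and not code from SentinelOne or from the article: it flags tar.lz attachments and archive members whose name looks like a document but whose bytes carry the Windows PE "MZ" header. The sample archive and file names are constructed; Python's tarfile module cannot read lzip streams, so a real .tar.lz attachment is assumed to have been decompressed to a plain tar first.

```python
import io
import tarfile

# Document types DBatLoader's first stage is reported to masquerade as.
DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".odt", ".ods")
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com")


def is_suspicious_attachment_name(filename: str) -> bool:
    """An lzip-compressed tar is an unusual container for an invoice; flag it."""
    return filename.lower().endswith(".tar.lz")


def name_mentions_document(name: str) -> bool:
    """True for Invoice.pdf, Report.docx and double extensions like Invoice.pdf.exe."""
    stem = name.lower()
    for exe_ext in EXECUTABLE_EXTENSIONS:
        if stem.endswith(exe_ext):
            stem = stem[: -len(exe_ext)]
    return stem.endswith(DOCUMENT_EXTENSIONS)


def find_disguised_executables(tar_bytes: bytes) -> list:
    """Return names of regular members that look like documents but start with 'MZ'."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for member in tar:
            if not member.isfile():
                continue
            stream = tar.extractfile(member)
            head = stream.read(2) if stream else b""
            if head == b"MZ" and name_mentions_document(member.name):
                hits.append(member.name)
    return hits


def build_sample_tar() -> bytes:
    """Constructed sample: a benign PDF, a PE with a double extension, a PE named as .docx."""
    samples = [
        ("Invoice_2023.pdf", b"%PDF-1.7 constructed benign content"),
        ("Invoice.pdf.exe", b"MZ\x90\x00 constructed PE stub"),
        ("Report.docx", b"MZ\x90\x00 constructed PE stub"),
        ("notes.txt", b"plain text, not an executable"),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        for name, data in samples:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```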