
Cybercriminals Hit Polish Businesses with Agent Tesla and Formbook Malware

Cybersecurity researchers have uncovered a widespread phishing campaign targeting small and medium-sized businesses (SMBs) in Poland during May 2024, leading to the deployment of various malware families, including Agent Tesla, Formbook, and Remcos RAT. According to cybersecurity firm ESET, similar attacks were also observed in Italy and Romania.
ESET researcher Jakub Kaloč detailed that the attackers used previously compromised email accounts and company servers to not only spread malicious emails but also host malware and collect stolen data. The campaigns, conducted in nine waves, relied on DBatLoader (aka ModiLoader and NatsoLoader) as a malware loader, marking a shift from previous attacks in 2023, which primarily used AceCryptor to distribute Remcos RAT. 

The attacks started with phishing emails carrying malware-laced RAR or ISO attachments. If an ISO image was attached, opening it executed DBatLoader directly. If a RAR archive was used, it contained an obfuscated Windows batch script that decoded and ran a Base64-encoded copy of ModiLoader (DBatLoader) stored in a file disguised as a PEM-encoded certificate revocation list.
DBatLoader, a Delphi-based downloader, then fetched the next-stage payload from Microsoft OneDrive or from compromised servers belonging to legitimate companies. Once deployed, Agent Tesla, Formbook, and Remcos RAT let the attackers steal sensitive information and lay the groundwork for follow-on attacks.
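Because the loader in the RAR variant hides inside something that looks like a PEM-encoded CRL, one cheap triage check for SMB defenders is to decode every PEM block found in a suspicious attachment and inspect what the Base64 actually contains. The following Python script is an added example written for this page; it is not ESET's tooling or anything recovered from the campaign. It assumes the hidden loader is a Windows PE file (starting with the "MZ" magic), which is consistent with DBatLoader being a compiled Delphi binary, and the "CRL" it scans is constructed inline rather than a real artifact.

```python
import base64
import re

# A PEM block: the label on the BEGIN line must be repeated on the END line.
PEM_BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----",
    re.DOTALL,
)


def make_pem(label: str, payload: bytes) -> str:
    """Wrap bytes in a PEM-style block with 64-column Base64 lines (builds test input)."""
    body = base64.b64encode(payload).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def fake_pe() -> bytes:
    """Constructed stand-in for a Windows executable: only the 'MZ' magic is checked."""
    return b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 32


def classify_pem_blocks(text: str) -> list[dict]:
    """Decode every PEM block in `text` and report what the Base64 body really holds."""
    findings = []
    for match in PEM_BLOCK_RE.finditer(text):
        label, body = match.group(1), match.group(2)
        compact = re.sub(r"\s+", "", body)
        try:
            raw = base64.b64decode(compact, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append({"label": label, "verdict": "undecodable", "size": 0})
            continue
        if raw.startswith(b"MZ"):
            # Assumption for this example: a hidden loader is a PE. A real CRL never starts with 'MZ'.
            verdict = "pe_hidden_in_pem"
        elif raw.startswith(b"\x30"):
            # DER-encoded CRLs and certificates begin with an ASN.1 SEQUENCE tag (0x30).
            verdict = "der_like"
        else:
            verdict = "unknown"
        findings.append({"label": label, "verdict": verdict, "size": len(raw)})
    return findings


def suspicious(text: str) -> bool:
    """True when any PEM block in the text hides a PE, the disguise this campaign used."""
    return any(f["verdict"] == "pe_hidden_in_pem" for f in classify_pem_blocks(text))


# Constructed sample attachment: presented as a CRL, but the body decodes to an executable.
SAMPLE_ATTACHMENT = (
    "Certificate revocation list, please keep for your records.\n"
    + make_pem("X509 CRL", fake_pe())
)

if __name__ == "__main__":
    for finding in classify_pem_blocks(SAMPLE_ATTACHMENT):
        print(finding)
    print("suspicious:", suspicious(SAMPLE_ATTACHMENT))
```

The check is deliberately content-based rather than name-based: a `.crl` or `.pem` extension and a plausible BEGIN/END header are exactly what the attacker controls, while the first bytes of the decoded payload are not. Running it over extracted archive contents before a user opens them catches this disguise regardless of which label the attacker picks.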


The rise in attacks against SMBs aligns with findings from Kaspersky, which noted that SMBs often lack robust cybersecurity measures, resources, and expertise, making them easy targets. The most common threat category remains Trojans: they masquerade as legitimate software, which makes them harder to detect and lets them slip past traditional security defenses.

Key Takeaways for SMBs
Be cautious of email attachments, especially RAR archives and ISO disk images.
Implement robust cybersecurity measures, including endpoint protection and email security solutions.
Regularly update software and conduct cybersecurity awareness training for employees.
Monitor network activity for unusual access patterns that could indicate a malware infection.
With cybercriminals increasingly leveraging phishing and advanced malware loaders, SMBs must strengthen their defenses to mitigate financial and reputational risks. 
