DBatLoader, also known as ModiLoader and NatsoLoader, is being used in several phishing campaigns to target manufacturing companies and various businesses in European countries. Threat actors are using a variety of forms and methods to distribute final payloads such as Formbook, Remcos RAT, Netwire RAT, and Warzone RAT via DBatLoader.
How DBatLoader stages RATs
According to Zscaler researchers, DBatLoader uses multilayer obfuscation and image steganography techniques to hide the initial stage from detection engines.
It is distributed via phishing campaigns that continuously adapt new distribution techniques. It uses multiple file formats, such as PDF, HTML, ZIP, and OneNote to deliver payloads without getting detected.
The malware drops several executable files, DLLs, and batch files to perform malicious activities. It downloads obfuscated later-stage payloads from public cloud services such as OneDrive and Google Drive.
It bypasses Windows UAC by abusing mock trusted directories and elevates to higher privileges without displaying a UAC prompt.
DBatLoader achieves persistence by creating a copy of itself and a .url file that launches the dropped malicious payload. The malware then registers this .url file in an autorun registry key so that the payload survives reboots.
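The two host-side traces described above, autorun entries that point at a .url file and paths that imitate a trusted Windows directory with a trailing space (the "mock trusted directory" pattern, e.g. `C:\Windows \System32`), can be checked with a small triage routine. This is an added detection example, not code from the original article or from any vendor; the Run-key values below are constructed samples.

```python
import re

# Constructed sample of HKCU\...\Run values (name -> command); not real telemetry.
SAMPLE_RUN_VALUES = {
    "OneDriveUpdate": r"C:\Users\alice\AppData\Roaming\OneDriveUpdate.url",
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "Updater": r'"C:\Windows \System32\svchost.exe"',
}

# Drive letter, then a trusted directory name followed by one or more spaces
# before the next backslash, e.g. "C:\Windows \System32\...".
MOCK_TRUSTED_DIR_RE = re.compile(
    r"^[A-Za-z]:\\(?:Windows|Program Files(?: \(x86\))?) +\\", re.IGNORECASE
)


def is_mock_trusted_dir(path: str) -> bool:
    """True when the path's first component imitates a trusted directory with trailing space(s)."""
    return MOCK_TRUSTED_DIR_RE.match(path.strip('"')) is not None


def is_url_shortcut(path: str) -> bool:
    """True when the autorun command is a .url (Internet shortcut) file rather than a binary."""
    return path.strip('"').lower().endswith(".url")


def triage_autoruns(run_values: dict) -> list:
    """Return one finding per suspicious autorun value, with the reasons it was flagged."""
    findings = []
    for name, command in run_values.items():
        reasons = []
        if is_url_shortcut(command):
            reasons.append("autorun launches a .url shortcut")
        if is_mock_trusted_dir(command):
            reasons.append("path imitates a trusted directory (trailing space)")
        if reasons:
            findings.append({"name": name, "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_autoruns(SAMPLE_RUN_VALUES):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
```

On a live host the same functions can be fed the output of `reg query` or `Get-ItemProperty` over the Run and RunOnce keys; the trailing-space check also applies to file paths seen in process-creation logs.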
Remcos via phishing campaign
To distribute Remcos via DBatLoader, the phishing emails masquerade as payment invoices, quotations, revised order documents, sales orders, and similar items.
The emails deliver a malicious PDF attachment that typically contains a malicious link. On clicking the link, a CAB file is downloaded, which further downloads and executes DBatLoader and Remcos RAT.
Attackers are using a similar attack chain with different phishing emails, all originating from the same WordPress site, using DBatLoader to download Remcos.
Insights into other campaigns
Attackers distribute Formbook with courier-themed phishing emails containing malicious PDFs with embedded links, similar to the Remcos campaign.
However, the payload is downloaded from a WordPress site under the .eu top-level domain that presents a valid SSL certificate.
In an HTML-based campaign, attackers attach a multi-layered obfuscated HTML file whose Base64-encoded JavaScript reconstructs a Base64-encoded ISO file; that ISO file in turn deploys and executes DBatLoader.
In the OneNote-based campaign, threat actors embedded the malicious payload behind a fake button and tricked users into downloading and running DBatLoader.
Recommendations
To protect against these attacks, users must stay alert to phishing attempts and avoid opening attachments from unknown sources. In addition, administrators should deploy advanced security measures such as XDR to gain comprehensive visibility across endpoints, cloud workloads, and network infrastructure. By adopting these measures, organizations can lower their risk of falling victim to these attacks and safeguard their sensitive data.