A new phishing campaign has targeted European entities to distribute Remcos RAT and Formbook via a malware loader called DBatLoader.

DBatLoader: What does this malware do?

“The malware payload is distributed through WordPress websites that have authorized SSL certificates, which is a common tactic used by malicious actors to evade detection engines,” said Zscaler researchers Meghraj Nandanwar and Satyam Singh in a report released on Monday.

The findings build on a report published last month by SentinelOne, which described phishing emails carrying malicious attachments disguised as financial documents to trigger the infection chain.

The file formats used to distribute the DBatLoader payload include a multi-layered obfuscated HTML file and OneNote attachments.

The development reflects the growing abuse of OneNote files as an initial infection vector for malware distribution since last year, in response to Microsoft’s decision to block macros by default in files downloaded from the Internet.

DBatLoader, also known as ModiLoader and NatsoLoader, is Delphi-based malware that can send and receive data from cloud services such as Google Drive and Microsoft OneDrive, and it also uses image steganography techniques to evade detection engines.

A notable aspect of the attack is the use of mock trusted directories such as “C:\Windows \System32” (note the trailing space after “Windows”) to bypass User Account Control (UAC) and elevate privileges to administrator level.

Such directories cannot be created directly from the Windows Explorer user interface; the attackers instead rely on a script to create the folder, copy a rogue DLL into it together with a legitimate executable (easinvoker.exe) that is vulnerable to DLL hijacking, and have that executable load the DLL payload.

This lets the attackers perform administrator-level tasks without notifying the user, including establishing persistence and adding the “C:\Users” directory to the Microsoft Defender exclusion list so that it is not scanned (basically creating other users).

To reduce the risk posed by DBatLoader, it is recommended to monitor process executions (for instance through the familiar Windows Task Manager) that involve file system paths containing trailing spaces, and to configure Windows UAC so that notifications are always shown.
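As an added illustration of that monitoring advice (example code written for this article, not from Zscaler or SentinelOne), the following script checks process image paths for directory components that end in whitespace, the telltale of a mock “C:\Windows \System32” folder. The sample events are constructed; only easinvoker.exe and the mock folder come from the article.

```python
import re
from typing import Dict, List

# Constructed sample process-creation records (hypothetical PIDs and paths).
# Event 4711 mimics the technique described above: the legitimate
# easinvoker.exe run from a folder whose "Windows " component has a
# trailing space. The other paths are ordinary or near-miss cases.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"pid": 4711, "image": r"C:\Windows \System32\easinvoker.exe"},
    {"pid": 4712, "image": r"C:\Windows\System32\svchost.exe"},
    {"pid": 4713, "image": r"C:\Program Files \ExampleApp\tool.exe"},
    {"pid": 4714, "image": r"C:\Users\alice\Downloads\invoice .exe"},
]

# Directory prefixes that a mock folder would most plausibly impersonate.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


def trailing_space_components(path: str) -> List[str]:
    """Return the directory components of a Windows path that end in whitespace.

    The file name itself is ignored: 'invoice .exe' has a space before the
    extension, not a trailing-space directory, and is a different signal.
    """
    parts = path.split("\\")
    return [p for p in parts[:-1] if p and p != p.rstrip()]


def normalise(path: str) -> str:
    """Strip trailing whitespace from every component: the real path the
    mock folder is imitating (Win32 itself would normalise it this way)."""
    return "\\".join(p.rstrip() for p in path.split("\\"))


def mimics_trusted_dir(path: str) -> bool:
    """True if the normalised path sits under a trusted system directory."""
    return normalise(path).lower().startswith(TRUSTED_PREFIXES)


def flag_events(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return one finding per event whose image path contains a
    trailing-space directory component, with the impersonated path."""
    findings = []
    for ev in events:
        image = str(ev["image"])
        bad = trailing_space_components(image)
        if bad:
            findings.append({
                "pid": ev["pid"],
                "image": image,
                "components": bad,
                "mimics": normalise(image),
                "trusted_lookalike": mimics_trusted_dir(image),
            })
    return findings


if __name__ == "__main__":
    for f in flag_events(SAMPLE_EVENTS):
        print(f"PID {f['pid']}: {f['image']!r} impersonates {f['mimics']!r} "
              f"(trusted lookalike: {f['trusted_lookalike']})")
```

The same check can be pointed at Sysmon event 1 or Windows 4688 records, where the image path field is the value to pass in.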

Besides keeping an eye on processes, how can you defend against DBatLoader?

We could also go over the recommended mitigation techniques for protecting systems from this threat, such as using up-to-date antivirus solutions and monitoring for abnormal system behavior; these “techniques” could simply be called “common sense”.

It is also worth emphasizing the importance of keeping software and operating systems up to date to reduce exposure to known vulnerabilities, and, why not, using third-party antivirus and antimalware software if Windows Defender is not enough to mitigate the risks.

Some previous similar cases

Besides DBatLoader, the TrickBot malware is known to use directory forgery and evasion techniques to spread through compromised systems.

In addition, the Emotet malware has also used evasion techniques, such as “living off the land”, to avoid detection by various cybersecurity solutions.

These examples demonstrate the importance of using a combination of security techniques to protect systems, including data protection, user behavior analysis, vendor security auditing, and security patch management.