Friday, March 29, 2024

DBatLoader loader flooded European organizations with malicious software


Bypassing UAC by imitating a trusted directory lets the malware gain elevated privileges and establish a permanent foothold on the victim's computer.

A new phishing campaign is distributing the RemcosRAT and Formbook malware to European businesses through a malware loader dubbed DBatLoader.

“The DBatLoader malware payload propagates through WordPress websites with authorized SSL certificates, a popular tactic used by attackers to evade detection mechanisms,” Zscaler researchers said in a blog post published March 27.

The researchers’ findings build on a SentinelOne report from March 6, which describes phishing emails carrying malicious attachments disguised as financial documents.

DBatLoader, also known as ModiLoader and NatsoLoader, is Delphi-based malware that can fetch additional payloads from cloud services such as Google Drive and Microsoft OneDrive, and that uses image steganography to slip past detection mechanisms.



RemcosRAT and Formbook delivery scheme via DBatLoader loader

One notable aspect of the attack is the use of a mock trusted directory such as “C:\Windows \System32” (note the trailing space after “Windows”) to bypass User Account Control (UAC) and obtain automatic privilege elevation for the malware. Windows normalizes the path when deciding whether a binary may auto-elevate, so a signed executable copied into the look-alike folder is treated as if it lived in the real System32 and elevates without a prompt.

This lets the attackers carry out malicious actions with elevated privileges without alerting the user, including establishing persistence on the system and adding the C:\Users directory to the Microsoft Defender exclusion list so that the files dropped there are never scanned or detected.

To reduce the risk from DBatLoader, Windows users are advised to monitor for processes executing from system folders whose path contains an added space, and to set Windows UAC to “Always notify”. At that level auto-elevation, which the mock-directory trick relies on, no longer applies, so the elevation attempt produces a prompt instead.
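The monitoring advice above, as detection logic run over constructed process-creation events. This is an added example, not code from the article, Zscaler or SentinelOne: the Sysmon-like key="value" layout, the executable names in the sample events and the TRUSTED_DIRS list are assumptions made for illustration. The check normalizes each logged image path the way Win32 does (trailing spaces and dots are stripped from every path component) and flags any path that changes under normalization, with a stronger verdict when the normalized parent directory is one of the auto-elevation trusted directories.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Directories from which signed binaries may auto-elevate without a UAC prompt.
# A look-alike such as "C:\Windows \System32" (trailing space after "Windows")
# normalizes onto the first entry, which is the spoof described in the article.
# Assumed list for illustration; extend to match your own environment.
TRUSTED_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64")

# Constructed process-creation events in a Sysmon-like key="value" layout.
# Names and paths are illustrative, not telemetry from the campaign.
SAMPLE_EVENTS = [
    'EventID="1" Image="C:\\Windows\\System32\\cmd.exe" ParentImage="C:\\Windows\\explorer.exe"',
    'EventID="1" Image="C:\\Windows \\System32\\elevated.exe" ParentImage="C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe"',
    'EventID="1" Image="C:\\Windows\\System32 \\svchost.exe" ParentImage="C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe"',
    'EventID="1" Image="C:\\Program Files\\Vendor App\\app.exe" ParentImage="C:\\Windows\\explorer.exe"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class Finding:
    image: str        # path exactly as logged
    normalized: str   # path after per-component stripping of trailing spaces/dots
    reason: str


def parse_event(line: str) -> dict:
    """Turn one key="value" line into a dict; quoted values may contain spaces."""
    return dict(FIELD_RE.findall(line))


def normalize_path(path: str) -> str:
    """Strip trailing spaces and dots from every path component, as Win32 path
    handling does, so a spoofed directory collapses onto the real one."""
    return "\\".join(part.rstrip(" .") for part in path.split("\\"))


def inspect_image(image: str) -> Optional[Finding]:
    """Flag an image path that changes under normalization; name the trusted
    directory it mimics when its normalized parent is one of TRUSTED_DIRS."""
    normalized = normalize_path(image)
    if normalized == image:
        return None  # nothing to strip, so nothing spoofed
    parent_dir = normalized.rsplit("\\", 1)[0].lower()
    for trusted in TRUSTED_DIRS:
        t = trusted.lower()
        if parent_dir == t or parent_dir.startswith(t + "\\"):
            return Finding(image, normalized,
                           f"path component with trailing space/dot mimics trusted directory {trusted}")
    return Finding(image, normalized, "path component with trailing space or dot")


def scan(lines) -> List[Finding]:
    """Run the check over process-creation (EventID 1) events and collect findings."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "1" or "Image" not in ev:
            continue
        finding = inspect_image(ev["Image"])
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.reason}\n  logged:     {f.image!r}\n  normalizes: {f.normalized!r}")
```

Only the two look-alike paths are reported; the real System32 binary and the ordinary "Program Files" path with interior spaces pass untouched, because interior spaces are legitimate and only trailing ones are stripped by the platform. Pair the rule with the parent process (a child under a spoofed system path spawned from a user-writable Temp directory, as in the second and third sample events) to cut the remaining false positives.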



Source: www.securitylab.ru
