CityLife

By Vicky Stavropoulou

Sep 12, 2023
Email Campaigns Utilize Updated DBatLoader to Distribute RATs and Stealers

IBM X-Force has observed DBatLoader malware samples with expanded capabilities being distributed through email campaigns. This development raises the risk of infection from the commodity malware families that DBatLoader typically delivers. Since late June, X-Force has identified nearly two dozen email campaigns that use the updated DBatLoader to deliver remote access Trojans (RATs) and infostealers such as Remcos, Warzone, Formbook, and AgentTesla.

DBatLoader, or ModiLoader, is a type of malware that has been observed since 2020. It is used to download and execute final payloads in commodity malware campaigns, including RATs and infostealers like Remcos, Warzone, Formbook, and AgentTesla. Cybercriminals often use malicious spam emails to deploy DBatLoader, and they frequently exploit cloud services to stage and retrieve additional payloads. Earlier this year, DBatLoader campaigns focused on distributing Remcos to entities in Eastern Europe and Formbook and Remcos to businesses in Europe.

Remcos, a remote access and surveillance tool, is commonly abused to gain unauthorized access to Windows systems. Warzone, also known as AveMaria, is a remote access trojan that has been sold on the website warzone[.]ws since 2018. Formbook and AgentTesla are popular information stealers sold on underground markets.

In the recent campaigns observed by X-Force, the threat actors have improved on their earlier tactics. Because they gained control over legitimate email infrastructure, the malicious messages pass SPF, DKIM, and DMARC email authentication checks, so passing authentication alone is not a reliable indicator that a message is benign. Most of these campaigns stage and retrieve additional payloads from OneDrive; some use transfer[.]sh or newly registered or compromised domains. While most of the email content targets English speakers, X-Force has also observed emails in Spanish and Turkish.

DBatLoader remains under active development, and its capabilities continue to evolve to increase its effectiveness as a malware delivery mechanism.

Sources:
– IBM X-Force
– warzone[.]ws

