ESET Research
ESET researchers detected multiple, widespread phishing campaigns targeting SMBs in Poland during May 2024, distributing various malware families
30 Jul 2024 • 8 min. read
A few months back, ESET Research published a blogpost about widespread phishing campaigns across Central and Eastern Europe carried out during the second half of 2023. In those campaigns, Rescoms malware (also known as Remcos), protected by AceCryptor, was delivered to potential victims with the goals of stealing credentials and potentially gaining initial access to company networks.
Phishing campaigns targeting the region did not stop in 2024. In this blogpost we present what recent phishing campaigns looked like and how the choice of delivery mechanism shifted away from AceCryptor to ModiLoader.
Key points of this blogpost:
ESET detected nine notable ModiLoader phishing campaigns during May 2024 in Poland, Romania, and Italy.
These campaigns targeted small and medium-sized businesses.
Seven of the campaigns targeted Poland, where ESET products protected over 21,000 users.
Attackers deployed three malware families via ModiLoader: Rescoms, Agent Tesla, and Formbook.
Attackers used previously compromised email accounts and company servers, not only to spread malicious emails but also to host malware and collect stolen data.
Overview
Although the phishing campaigns were ongoing throughout the first half of 2024, this blogpost focuses only on May 2024, as this was an eventful month. During this period, ESET products protected over 26,000 users, over 21,000 (80%) of whom were in Poland. In addition to Poland, where over 80% of potential victims were located, Italy and Romania were also targeted by the phishing campaigns. In total we registered nine phishing campaigns, seven of which targeted Poland throughout May, as can be seen in Figure 1.
Figure 1. Hits of ModiLoader phishing campaigns in Poland during May 2024
In comparison with the campaigns that took place at the end of 2023, we see a shift away from using AceCryptor as the tool of choice to protect and successfully deliver the malware. Instead, in all nine campaigns, attackers used ModiLoader (aka DBatLoader) as the preferred delivery tool. The final payload delivered and launched on the compromised machines varied; we detected campaigns delivering:
Formbook – information-stealing malware discovered in 2016,
Agent Tesla – a remote access trojan and information stealer, and
Rescoms RAT – remote control and surveillance software, able to steal sensitive information.
Campaigns
In general, all campaigns followed a similar scenario. The targeted company received an email message with a business offer that could be as simple as "Please provide your best price offer for the attached order no. 2405073", as can be seen in Figure 2.
Figure 2. Example of a phishing email containing ModiLoader in the attachment
In other campaigns, email messages were more verbose, such as the phishing email in Figure 3, which can be translated as follows:
Hello,
We would like to purchase your product for our client.
Please find the attached inquiry for the first step of this purchase.
The attached sheet contains target prices for most products. I highlighted 10 components to focus on pricing – the rest of the items are optional to price (we will apply a similar price level based on the other prices).
Please get back to me before 28/05/2024
If you need more time, please let me know how much you will need.
If you have any questions, please also let me know.
Figure 3. A more verbose phishing email example containing ModiLoader in the attachment
As in the phishing campaigns of H2 2023, attackers impersonated existing companies and their employees as their technique of choice to increase the campaign success rate. In this way, even when the potential victim looked for the usual red flags (aside from possible translation errors), they were simply not there, and the email looked as legitimate as it could have.
Contained in the attachments
Emails from all campaigns contained a malicious attachment that the potential victim was incentivized to open, based on the text of the email. These attachments had names like RFQ8219000045320004.tar (as in Request for Quotation) or ZAMÓWIENIE_NR.2405073.IMG (translation: ORDER_NO), and the file itself was either an ISO image or an archive.
In campaigns where an ISO file was sent as an attachment, its content was the ModiLoader executable (named similarly to or the same as the ISO file itself), which would run if the victim tried to open it.
In the other case, when a RAR archive was sent as an attachment, its content was a heavily obfuscated batch script with the same name as the archive and the .cmd file extension. This file also contained a base64-encoded ModiLoader executable, disguised as a PEM-encoded certificate revocation list. The script is responsible for decoding and launching the embedded ModiLoader (Figure 4).
Figure 4. File with .cmd extension containing a heavily obfuscated batch script (top) that decodes the base64-encoded ModiLoader binary (bottom)
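The delivery chain described in this section can be turned into a gateway-side triage check. The Python script below is an added example, not ESET's code and not derived from the samples discussed here. It applies name heuristics to the mailed container and the file inside it (disk image or archive sent directly, executable or double extension inside, inner name mirroring the container name) and, for a .cmd dropper, carves every PEM-armored block that base64-decodes to a PE file by checking the MZ header and the PE signature at e_lfanew. The attachment and inner file names come from the IoC table on this page; the extension sets, the .cmd body and the PE bytes are constructed assumptions for the example.

```python
"""Attachment triage for the ModiLoader delivery chain (added example, not ESET code)."""
import base64
import os
import re
import struct

# Extension sets are an assumption for the example, broader than the page's cases.
CONTAINER_EXT = {".iso", ".img", ".tar", ".rar", ".zip", ".7z"}
EXEC_EXT = {".exe", ".cmd", ".bat", ".scr", ".pif", ".com", ".vbs", ".js"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}

# Any PEM-style armor; the label (e.g. "X509 CRL") is captured and must match at END.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def split_ext(name):
    """Split on the last dot and lower-case the extension."""
    stem, ext = os.path.splitext(name)
    return stem, ext.lower()


def is_pe(data):
    """True if data has an MZ header whose e_lfanew points at the PE\\0\\0 signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def carve_pe_from_pem(text):
    """Return (label, bytes) for every PEM-armored body that decodes to a PE file."""
    found = []
    for m in PEM_RE.finditer(text):
        try:
            blob = base64.b64decode(re.sub(r"\s+", "", m.group(2)), validate=True)
        except ValueError:  # binascii.Error is a ValueError: not real base64, skip
            continue
        if is_pe(blob):
            found.append((m.group(1), blob))
    return found


def triage(container_name, inner_name, inner_text=None):
    """Return (verdict, reasons) for one mailed container and the file inside it."""
    reasons = []
    c_stem, c_ext = split_ext(container_name)
    i_stem, i_ext = split_ext(inner_name)
    if c_ext in CONTAINER_EXT:
        reasons.append(f"disk image or archive {c_ext} mailed directly")
    if i_ext in EXEC_EXT:
        reasons.append(f"executable content inside container: {inner_name}")
        if split_ext(i_stem)[1] in DOC_EXT:  # e.g. something.pdf.exe
            reasons.append(f"double extension {split_ext(i_stem)[1]}{i_ext}")
        if i_stem.lower().startswith(c_stem.lower()):
            reasons.append("inner file name mirrors container name")
    if i_ext == ".cmd" and inner_text is not None:
        for label, blob in carve_pe_from_pem(inner_text):
            reasons.append(f"PE ({len(blob)} bytes) hidden in PEM block labelled {label!r}")
    if any(r.startswith(("executable", "PE ")) for r in reasons):
        return "block", reasons
    return ("review" if reasons else "allow"), reasons


# --- constructed sample input (not from a real sample) -----------------------
def build_fake_pe(size=0x100):
    """Stand-in for a PE: MZ magic, e_lfanew -> 0x80, PE signature at 0x80."""
    blob = bytearray(size)
    blob[:2] = b"MZ"
    struct.pack_into("<I", blob, 0x3C, 0x80)
    blob[0x80:0x84] = b"PE\x00\x00"
    return bytes(blob)


def armor_pem(label, data, width=64):
    """Wrap bytes in PEM armor, the disguise the dropper uses for its payload."""
    b64 = base64.b64encode(data).decode()
    body = "\n".join(b64[i:i + width] for i in range(0, len(b64), width))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----"


# A decoy block with ASN.1-shaped bytes (not a PE) precedes the armored fake PE.
SAMPLE_CMD = "\n".join([
    "@echo off",
    'set "a=%~dpn0" & set "b=%a%.exe"',
    "goto :run",
    armor_pem("X509 CRL", b"\x30\x82\x01\x00" + b"\x00" * 20),
    armor_pem("X509 CRL", build_fake_pe()),
    ":run",
])

if __name__ == "__main__":
    for container, inner, text in [
        ("ZAMÓWIENIE_NR.2405073.IMG", "ZAMÓWIENIE_NR.2405073.exe", None),
        ("doc023561361500.img", "doc023561361500__079422732__202410502__000023.pdf.exe", None),
        ("RFQ8219000045320004.tar", "RFQ8219000045320004.cmd", SAMPLE_CMD),
        ("quote.zip", "quote.xlsx", None),
    ]:
        print(container, "->", triage(container, inner, text))
```

The PEM label is deliberately not trusted: a block that claims to be a CRL but decodes to an MZ/PE image is the finding, so the check is on the decoded bytes rather than on the armor text. In a real gateway the carved blob would be handed to a sandbox or hashed against the IoC list rather than printed.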
When ModiLoader is launched
ModiLoader is a Delphi downloader with a simple task: to download and launch malware. In two of the campaigns, ModiLoader samples were configured to download the next-stage malware from a compromised server belonging to a Hungarian company. In the rest of the campaigns, ModiLoader downloaded the next stage from Microsoft's OneDrive cloud storage; we observed four accounts where second-stage malware was hosted. The whole chain of compromise, from receiving the malicious email to launching the final payload, is summarized in Figure 5.
Figure 5. Chain of compromise of ModiLoader phishing campaigns in Poland during May 2024
Data exfiltration
Three different malware families were used as the final payload: Agent Tesla, Rescoms, and Formbook. All of these families are capable of information stealing and thus allow attackers not only to expand their datasets of stolen information, but also to prepare the ground for their next campaigns. Although the exfiltration mechanisms differ between malware families and campaigns, two examples are worth mentioning.
In one campaign, information was exfiltrated via SMTP to an address using a domain similar to that of a German company. Note that typosquatting was a popular technique in the Rescoms campaigns from the end of last year; those older campaigns used typosquatted domains for sending phishing emails, whereas one of the new campaigns used a typosquatted domain for exfiltrating data. Anyone who tried to visit web pages on this typosquatted domain was immediately redirected to the web page of the legitimate (impersonated) company.
In another campaign, we observed data being exfiltrated to the web server of a guest house located in Romania (a country targeted both now and in the past by such campaigns). In this case the web server appears legitimate (so no typosquatting), and we believe that the accommodation's server had been compromised during previous campaigns and abused for malicious activities.
Conclusion
Phishing campaigns targeting small and medium-sized businesses in Central and Eastern Europe were still going strong in the first half of 2024. Furthermore, attackers take advantage of previously successful attacks and actively use compromised accounts or machines to further spread malware or collect stolen data. In May alone, ESET detected nine ModiLoader phishing campaigns, and many more outside this timeframe. Unlike in the second half of 2023, when Rescoms packed by AceCryptor was the attackers' malware of choice, they did not hesitate to change the malware they use in order to be more successful. As we have shown, there are several other malware families, such as ModiLoader or Agent Tesla, in these attackers' arsenal, ready to be used.
For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.
IoCs
A comprehensive list of indicators of compromise (IoCs) can be found in our GitHub repository.
Files

| SHA-1 | Filename | Detection | Description |
| --- | --- | --- | --- |
| E7065EF6D0CF45443DEF30D3A3A35FD7300C4A56 | doc023561361500.img | Win32/TrojanDownloader.ModiLoader.ACM | Malicious attachment from phishing campaign carried out in Poland during May 2024. |
| 31672B52259B4D514E68DA5D199225FCFA72352B | doc023561361500__079422732__202410502__000023.pdf.exe | Win32/TrojanDownloader.ModiLoader.ACM | ModiLoader executable from phishing campaign carried out in Poland during May 2024. |
| B71070F9ADB17C942CB692566E6020ACCA93726A | N/A | MSIL/Spy.Agent.CVT | Agent Tesla executable from phishing campaign carried out in Poland during May 2024. |
| D7561594C7478C4FE37C26684005268EB582E13B | ZAMÓWIENIE_NR.2405073.IMG | Win32/TrojanDownloader.ModiLoader.ACR | Malicious attachment from phishing campaign carried out in Poland during May 2024. |
| 47AF4CFC9B250AC4AE8CDD0A2D2304D7CF60AACE | ZAMÓWIENIE_NR.2405073.exe | Win32/TrojanDownloader.ModiLoader.ACR | ModiLoader executable from phishing campaign carried out in Poland during May 2024. |
| 2963AF32AB4D497CB41FC85E54A9E5312D28BCDE | N/A | Win32/Formbook.AA | Formbook executable from phishing campaign carried out in Poland during May 2024. |
| 5DAB001A2025AA91D278163F39E7504004354F01 | RFQ8219000045320004.tar | Win32/TrojanDownloader.ModiLoader.ACP.Gen | Malicious attachment from phishing campaign carried out in Poland during May 2024. |
| D88B10E4FD487BFCCA6A711A9E33BB153674C757 | RFQ8219000045320004.cmd | Win32/TrojanDownloader.ModiLoader.ACP.Gen | Malicious batch script from phishing campaign carried out in Poland during May 2024. |
| F0295F2E46CEBFFAF7892A5B33BA54122781C20B | N/A | Win32/TrojanDownloader.ModiLoader.ADB | ModiLoader executable from phishing campaign carried out in Poland during May 2024. |
| 3C0A0EC8FE9EB3E5DAB2018E94CEB4E29FD8DD33 | N/A | Win32/Rescoms.B | Rescoms executable from phishing campaign carried out in Poland during May 2024. |
| 9B5AF677E565FFD4B15DEE283D46C2E60E1E31D8 | DOCUMENT_BT24PDF.IMG | Win32/TrojanDownloader.ModiLoader.ADB | Malicious attachment from phishing campaign carried out in Romania during May 2024. |
| 738CFBE52CFF57098818857930A7C1CF01DB0519 | DOCUMENT_BT24PDF.exe | Win32/TrojanDownloader.ModiLoader.ADB | ModiLoader executable from phishing campaign carried out in Romania during May 2024. |
| 843CE8848BCEEEF16D07041A97417882DBACB93F | N/A | Win32/Formbook.AA | Formbook executable from phishing campaign carried out in Romania during May 2024. |
MITRE ATT&CK techniques
This table was built using version 15 of the MITRE ATT&CK framework.

| Tactic | ID | Name | Description |
| --- | --- | --- | --- |
| Reconnaissance | T1589.002 | Gather Victim Identity Information: Email Addresses | Email addresses and contact information (either bought or gathered from publicly available sources) were used in phishing campaigns to target companies across multiple countries. |
| Resource Development | T1586.002 | Compromise Accounts: Email Accounts | Attackers used compromised email accounts to send malicious emails in phishing campaigns to increase the credibility of their phishing emails. |
| Resource Development | T1588.001 | Obtain Capabilities: Malware | Attackers bought licenses for and used multiple malware families in phishing campaigns. |
| Resource Development | T1583.006 | Acquire Infrastructure: Web Services | Attackers used Microsoft OneDrive to host malware. |
| Resource Development | T1584.004 | Compromise Infrastructure: Server | Attackers used previously compromised servers to host malware and store stolen information. |
| Initial Access | T1566 | Phishing | Attackers used phishing messages with malicious attachments to compromise computers and steal information from companies in multiple European countries. |
| Initial Access | T1566.001 | Phishing: Spearphishing Attachment | Attackers used spearphishing messages to compromise computers and steal information from companies in multiple European countries. |
| Execution | T1204.002 | User Execution: Malicious File | Attackers relied on users opening archives containing malware and launching a ModiLoader executable. |
| Credential Access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Attackers tried to steal credential information from browsers and email clients. |