The phishing attack commences by sending malicious emails disguised as financial files, such as invoices.
Cybersecurity researchers at SentinelOne have observed a new phishing campaign in which attackers abuse a Windows User Account Control (UAC) bypass to distribute the DBatLoader malware loader and the Remcos RAT. The primary targets of this campaign are organizations in Eastern Europe.
New Phishing Campaign Delivering Remcos RAT
According to SentinelOne, scammers are using the DBatLoader malware loader to distribute Remcos RAT to businesses and institutions across Eastern Europe. To lure victims, the attackers use emails that appear to come from authentic sources, such as reputable institutions in the targeted regions.
Once they succeed in luring a user into clicking the malicious link in the email, the attackers easily leverage the malware loader, bypass Windows UAC, and drop Remcos RAT.
How Does the Attack Occur?
The attack commences by sending phishing emails disguised as financial files, such as invoices. These emails include a tar.lz archive containing the DBatLoader executable.
When the victim opens this email, they are lured into running DBatLoader’s initial-stage payload, which is disguised as a LibreOffice, PDF, or MS Office document. Once this is done, the second-stage payload is retrieved from Google Drive or Microsoft OneDrive, one of which has been active for at least a month.
“When a user decompresses the attachment and runs the executable within, DBatLoader downloads and executes an obfuscated second-stage payload data from a public cloud location,” said SentinelOne’s Aleksandar Milenkoski.
According to SentinelOne’s blog post, the RAT is loaded only after DBatLoader executes a Windows batch script that applies a Windows UAC evasion technique combining DLL hijacking with a mock trusted directory. Windows auto-elevates easinvoker.exe without issuing a UAC prompt when it is run from what it considers a trusted directory, in this case the mock %SystemRoot%\System32 directory.
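As an added hunting example (not code from SentinelOne or the report), the check below flags file paths that sit in a look-alike of the real System32 directory, and copies of the auto-elevating easinvoker.exe found outside the real System32. The canonical path, the sample paths and the file name constructed.dll are assumptions made here for illustration.

```python
# Added hunting check for the mock trusted directory / auto-elevation pattern
# described above. Input: Windows file paths exported from an EDR or inventory.
REAL_SYSTEM32 = r"c:\windows\system32"
# Auto-elevating binary named in the report; extend from your own allow-list.
AUTO_ELEVATE_BINARIES = {"easinvoker.exe"}

def _split(path):
    """Return (raw parent directory, file name) for a backslash-separated path."""
    parent, _, name = path.rpartition("\\")
    return parent, name

def _normalise(parent):
    """Lower-case and strip whitespace from each component so a look-alike
    directory collapses onto the canonical spelling it imitates."""
    return "\\".join(part.strip().lower() for part in parent.split("\\"))

def is_mock_trusted_dir(path):
    """True when the parent imitates System32 but is not the real directory."""
    parent, _ = _split(path)
    return _normalise(parent) == REAL_SYSTEM32 and parent.lower() != REAL_SYSTEM32

def is_misplaced_auto_elevator(path):
    """True when a known auto-elevating binary sits outside the real System32."""
    parent, name = _split(path)
    return name.lower() in AUTO_ELEVATE_BINARIES and parent.lower() != REAL_SYSTEM32

def find_suspicious(paths):
    """Map each suspicious path to the reasons it was flagged."""
    findings = {}
    for p in paths:
        reasons = []
        if is_mock_trusted_dir(p):
            reasons.append("mock trusted directory imitating the real System32")
        if is_misplaced_auto_elevator(p):
            reasons.append("auto-elevating binary outside the real System32")
        if reasons:
            findings[p] = reasons
    return findings

# Constructed sample paths (not taken from the report) for a stand-alone run.
SAMPLE_PATHS = [
    r"C:\Windows\System32\easinvoker.exe",                 # legitimate location
    r"C:\Windows \System32\easinvoker.exe",                # mock tree, misplaced copy
    r"C:\Windows \System32\constructed.dll",               # file staged in the mock tree
    r"C:\Users\victim\AppData\Local\Temp\easinvoker.exe",  # copied out of System32
    r"C:\Program Files\Vendor\app.exe",                    # benign
]

if __name__ == "__main__":
    for path, reasons in find_suspicious(SAMPLE_PATHS).items():
        print(path, "->", "; ".join(reasons))
```

Feed it the full path list from your endpoint inventory; any hit on a mock System32 path is worth an immediate look, since a legitimate install never creates one.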
About Remcos RAT and DBatLoader
DBatLoader abuses public cloud infrastructure to host its malware-loading capabilities. Remcos is a feature-rich RAT that is frequently used by cybercriminals in espionage campaigns and is typically distributed via phishing emails.
Ukrainian CERT recently reported Remcos-based phishing campaigns targeting state institutions for espionage. In that instance, the attackers used password-protected archives as malicious email attachments.
The malware can collect keystrokes, video, audio, screenshots, and device or system information. It can also deliver additional malware to the system.