New Widespread Phishing Campaign Attacking Users With Malware


Phishing campaigns intensified in May 2024. Poland bore the brunt of the attacks, accounting for 80% of the more than 26,000 protected users, while Italy and Romania were also significantly targeted.

Threat actors launched nine distinct phishing campaigns during the month, primarily focusing on Poland with seven dedicated attacks. 


Recent cyberattacks have transitioned from using AceCryptor to ModiLoader as the primary malware delivery mechanism.

Nine analyzed campaigns exclusively employed ModiLoader to infiltrate systems and deploy various payloads, including Formbook, Agent Tesla, and Rescoms RAT. 

Hits of ModiLoader phishing campaigns in Poland during May 2024

These malicious tools are designed to steal sensitive information and establish remote control over compromised machines, posing significant risks to affected organizations. 

Attackers executed phishing campaigns targeting businesses with emails containing malicious attachments.

The emails employed a consistent social engineering tactic, posing as legitimate business inquiries and requesting price quotes.

The messages ranged from concise requests with order numbers to more elaborate proposals with detailed product specifications. 

Regardless of format, all emails aimed to entice recipients to open attached files, which were subsequently revealed to contain the ModiLoader malware. 

Example of a phishing email containing ModiLoader in the attachment

Attackers in H2 2023 phishing campaigns employed social engineering by impersonating legitimate companies and their staff to enhance campaign success.

Malicious attachments, disguised as business documents like RFQs or orders, were included in these emails. 


The attachments came as ISO or archive files, and the convincing impersonation in the email body persuaded victims to open them despite the usual red flags.

Campaigns employed two primary methods to deliver the ModiLoader executable.

In one, the attachment was an ISO file containing an executable with the same name as the ISO; running it launched ModiLoader directly.

Alternatively, RAR archives disguised as batch scripts were distributed; the scripts were heavily obfuscated and carried a base64-encoded ModiLoader binary masquerading as a certificate revocation list.

Upon execution, the script decoded and launched the embedded malicious payload. 

File with .cmd extension containing heavily obfuscated batch script (top) that decodes base64-encoded ModiLoader binary (bottom)
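The .cmd delivery method described above (an obfuscated batch script carrying a base64-encoded ModiLoader binary framed as a certificate revocation list) can be triaged mechanically. The following Python script is an added example written for this article, not ESET's code and not the campaign's script: it pulls runs of base64 lines out of a batch file, decodes them, and checks whether the result carries a Windows executable header (MZ plus a PE\0\0 signature at e_lfanew). The sample .cmd and the PE stub embedded in it are constructed here for the demonstration; the real attachments, their file names and hashes are not on the page.

```python
"""Triage a batch/.cmd file for a base64-encoded Windows executable.

Added example for this article (not ESET's code, not the campaign script):
mirrors the described .cmd delivery, where an obfuscated batch script carries
a base64 blob framed as a certificate revocation list that decodes to ModiLoader.
"""
import base64
import re
import struct
from typing import Optional

# A line is treated as payload only if it is entirely base64 alphabet
# (optionally behind an `echo`), so batch statements break a blob apart.
B64_LINE = re.compile(rb"[A-Za-z0-9+/]+={0,2}")
MIN_START_LEN = 40   # a blob must begin with a line at least this long


def _payload_text(line: bytes) -> Optional[bytes]:
    s = line.strip()
    if s.lower().startswith(b"echo "):
        s = s[5:].strip()
    return s if s and B64_LINE.fullmatch(s) else None


def extract_b64_blobs(data: bytes) -> list[bytes]:
    """Concatenate runs of consecutive base64 lines into candidate blobs."""
    blobs, current = [], []
    for line in data.splitlines():
        chunk = _payload_text(line)
        if chunk is not None and (current or len(chunk) >= MIN_START_LEN):
            current.append(chunk)
            continue
        if current:
            blobs.append(b"".join(current))
            current = []
    if current:
        blobs.append(b"".join(current))
    return blobs


def looks_like_pe(buf: bytes) -> bool:
    """True if buf starts with an MZ header whose e_lfanew points at PE\\0\\0."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    return buf[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_script(data: bytes) -> list[dict]:
    """Decode every candidate blob and report which ones are executables."""
    findings = []
    for blob in extract_b64_blobs(data):
        try:
            decoded = base64.b64decode(blob, validate=True)
        except ValueError:            # binascii.Error is a ValueError subclass
            continue
        findings.append({
            "b64_len": len(blob),
            "decoded_len": len(decoded),
            "pe": looks_like_pe(decoded),
            "framed_as_cert": b"BEGIN CERTIFICATE" in data,
        })
    return findings


# Constructed inputs: a minimal MZ/PE header stub stands in for the real binary.
PE_STUB = b"MZ" + b"\x90" * 58 + struct.pack("<I", 0x80) + b"\x00" * 64 + b"PE\x00\x00"
_b64 = base64.b64encode(PE_STUB).decode()
SAMPLE_CMD = (
    "@echo off\r\n"
    "set _k=%random%\r\n"
    ":: constructed sample in the style of the described attachment\r\n"
    "-----BEGIN CERTIFICATE-----\r\n"
    + "\r\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
    + "\r\n-----END CERTIFICATE-----\r\n"
).encode()
BENIGN_CMD = b"@echo off\r\nset PATH=%PATH%;C:\\tools\r\necho done\r\n"

if __name__ == "__main__":
    for name, script in (("sample", SAMPLE_CMD), ("benign", BENIGN_CMD)):
        print(name, scan_script(script))
```

The heuristic deliberately requires whole lines of base64, so short tokens inside ordinary batch statements never start a blob; a real triage pipeline would pair this with a check of what the decoded bytes are written to and which binary is invoked on them.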

ModiLoader, a Delphi-based downloader, functions as a first-stage malware, fetching subsequent payloads from compromised servers or cloud storage services like OneDrive. 

These payloads, including Agent Tesla, Rescoms, and Formbook, are information-stealing malware capable of exfiltrating sensitive data.

Attackers use the stolen credentials to expand their foothold and potentially launch further malicious campaigns.

Chain of compromise of ModiLoader phishing campaigns in Poland during May 2024

Two distinct exfiltration methods were observed.

The first leveraged typosquatting, mirroring a German company’s domain for SMTP-based data exfiltration, which aligns with previous Rescoms campaigns that employed typosquatted domains for phishing. 

The second campaign, by contrast, used the seemingly legitimate web server of a Romanian guest house to receive the stolen data.

Investigators at ESET suspect the server was compromised in a prior campaign and repurposed for malicious activities, indicating a shift from domain spoofing to compromised infrastructure exploitation. 
