According to research by IBM X-Force The risks associated with malware are increasing considerably DBatLoaderwidespread in some recent malicious email campaigns.
In fact, experts have recorded more than twenty threats attributable to this agent since the end of June. By exploiting this loader, in fact, payloads such as Remcos, Warzone, Formbook e AgentTesla.
Despite the recent boom, however, it is good to consider that DBatLoader is not new in the sector. The malware, in fact, was already used in 2020 to spread remote access trojan (the famous RAT) as well as different types of infostealers.
Today, campaigns involving malware are often undertaken using malicious emails and are known to abuse services cloud to organize and recover additional payloads. Earlier this year, these operations targeted entities in Eastern Europe for distribution Remcos and, other companies in the rest of the continent, to distribute Remcos and Formbook.
In this context, Remcos has been recorded in the majority of cases identified by X-Force in recent campaigns.
DBatLoader allows the spread of several other malicious agents
The name Remcos is short for Remote Control and Surveillance. We are talking about a remote access tool offered for sale by a company called Breaking Securitytheoretically legal software but widely used for malicious purposes.
Like most of these remote tools, Remcos can be used to provide access backdoor to Windows operating systems. Warzone (also known as Hail Mary), active since 2018, is a RAT available for purchase directly online. Formbook and AgentTesla are popular infostealers that can be identified, without too much difficulty, in the context of Dark Web.
Recent campaigns observed by Most campaigns have exploited OneDrive to organize and recover payload additional, with a small portion using compromised domains. Most of the email content appeared to be intended for English speakers, although X-Force also observed emails in Spanish and Turkish.