"Stealthy DBatLoader Malware Loader Spreading Remcos RAT and Formbook in Europe"

A new phishing campaign is targeting European entities to distribute Remcos RAT and Formbook using DBatLoader, a malware loader. According to Zscaler researchers, the malware payload is delivered through WordPress websites with authorized SSL certificates, a common tactic used by threat actors to circumvent detection engines. The findings expand upon a report published by SentinelOne last month that highlighted phishing emails with malicious attachments masquerading as financial documents in order to initiate the infection chain. The file formats used to deliver the DBatLoader payload include obfuscated HTML files with many layers and OneNote attachments. Since Microsoft's decision to block macros by default in files downloaded from the Internet, there has been a rise in the use of OneNote files as an initial vector for spreading malware. DBatLoader, also known as ModiLoader and NatsoLoader, is a Delphi-based malware capable of distributing follow-on payloads through cloud services such as Google Drive and Microsoft OneDrive, and of using image steganography to bypass detection engines. This article continues to discuss the DBatLoader malware loader being used to distribute Remcos RAT and Formbook.

THN reports "Stealthy DBatLoader Malware Loader Spreading Remcos RAT and Formbook in Europe"
