Security analysts at SentinelOne have recently identified several phishing campaigns that use the DBatLoader malware loader to deliver the Remcos RAT. The campaigns primarily target businesses and institutions in Eastern Europe.
DBatLoader hosts its malware staging component on public cloud infrastructure. The threat actors use a variety of lures and delivery methods to distribute the RAT through phishing emails.
Remcos RAT phishing campaigns that used password-protected archives as email attachments have targeted Ukrainian state institutions, with the aim of conducting espionage.
Spreading via Phishing Emails
The phishing emails that distribute DBatLoader and Remcos carry “tar.lz” archive attachments. Most of the time, these attachments are disguised as financial documents…
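The two attachment shapes described above, lzip-compressed tar.lz archives carrying a document-style name and password-protected archives that a gateway cannot inspect, can both be flagged by content rather than by file extension. The following is an added example of such a triage check; it is not SentinelOne's tooling or anything from the campaign. The file names and sample bytes are constructed, and the only assumptions are the well-known lzip magic ("LZIP" followed by a version byte) and ZIP general-purpose flag bit 0 for encryption.

```python
import io
import zipfile

# Added example, not SentinelOne's tooling: mail-gateway style triage for the
# two lure shapes in the text, lzip-compressed tar.lz attachments and
# password-protected archives. File names and sample bytes are constructed.

LZIP_MAGIC = b"LZIP"          # lzip member header: "LZIP" + version byte (1 in current files)
ZIP_ENCRYPTED_FLAG = 0x0001   # general-purpose bit 0 in a ZIP entry header


def is_lzip(data: bytes) -> bool:
    """True if the payload is an lzip stream (the .lz in tar.lz), whatever its name."""
    return len(data) >= 6 and data[:4] == LZIP_MAGIC and data[4] in (0, 1)


def zip_encrypted_entries(data: bytes) -> list[str]:
    """Names of ZIP members whose header carries the encryption flag; [] if not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [i.filename for i in zf.infolist() if i.flag_bits & ZIP_ENCRYPTED_FLAG]
    except zipfile.BadZipFile:
        return []


def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Return human-readable reasons to hold the attachment; [] means no finding."""
    reasons = []
    name = filename.lower()
    if is_lzip(data):
        reasons.append("lzip-compressed archive (tar.lz) is unusual in business mail")
        if not name.endswith(".lz"):
            # a document-style name (Invoice.pdf, ...) over lzip content is the lure
            reasons.append(f"content is lzip but name {filename!r} claims otherwise")
    encrypted = zip_encrypted_entries(data)
    if encrypted:
        reasons.append(f"password-protected archive, cannot be scanned: {encrypted}")
    return reasons


# --- constructed samples (not real campaign artefacts) ---

def make_sample_tar_lz() -> bytes:
    # lzip header: magic, version 1, dictionary-size byte, then placeholder bytes
    return LZIP_MAGIC + b"\x01\x0c" + b"\x00" * 32


def make_sample_zip(encrypted: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.exe", b"MZ constructed placeholder")
    raw = bytearray(buf.getvalue())
    if encrypted:
        # zipfile cannot write encrypted archives, so set bit 0 of the general-purpose
        # flags in the local header (offset 6) and the central directory entry (offset 8)
        lh = raw.find(b"PK\x03\x04")
        cd = raw.find(b"PK\x01\x02")
        raw[lh + 6] |= ZIP_ENCRYPTED_FLAG
        raw[cd + 8] |= ZIP_ENCRYPTED_FLAG
    return bytes(raw)


if __name__ == "__main__":
    for name, blob in [
        ("Invoice_0423.pdf", make_sample_tar_lz()),      # document lure over lzip content
        ("payment_details.zip", make_sample_zip(True)),  # password-protected archive
        ("quarterly_report.zip", make_sample_zip(False)),
    ]:
        print(name, "->", triage_attachment(name, blob) or "clean")
```

The check deliberately keys on bytes rather than on the extension: an attachment named like an invoice but beginning with the lzip magic is the mismatch worth holding, and an archive whose entries carry the encryption flag cannot be opened by the gateway no matter what its name says.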