European organizations flooded with malware via DBatLoader

Phishing attacks on European enterprises have been found to distribute the Remcos RAT and Formbook through the malware loader known as DBatLoader. In an article published by Zscaler researchers on March 27, it was revealed that “DBatLoader malware payloads are distributed through WordPress websites that have authorized SSL certificates, which is a popular tactic used by attackers to evade detection mechanisms.”
A SentinelOne report from March 6, based on its researchers’ findings, revealed that the malware is delivered through phishing emails disguised as financial documents. ModiLoader, also known as NatsoLoader, is a Delphi-based malicious loader that fetched additional payloads from cloud services such as Google Drive and Microsoft OneDrive and used evasion techniques to bypass security controls.
The attack relies on mock trusted directories, specifically a look-alike of “C:\Windows\System32” created with an added space in the name, to bypass User Account Control (UAC) and obtain automatic privilege elevation. This technique lets attackers run with elevated privileges without prompting the user while they carry out their malicious activity. The recommended course of action for Windows users is to monitor for processes running from system folder paths that contain an added space in the name, and to set Windows UAC to “Always notify” to minimize the risk posed by DBatLoader.
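The following detection check is an added example, not code from the article or from either vendor report. It scans process-creation log lines for executables launched from a mock trusted directory, that is, a path component that collapses to a trusted Windows directory once trailing whitespace is removed (the “C:\Windows \System32” pattern described above). The log format, the list of trusted directories and the sample events are constructed assumptions; adapt the `Image="..."` extraction to whatever your EDR or Sysmon pipeline emits.

```python
import re
from typing import List, Optional, Dict

# Directories whose auto-elevation trust the mock-directory trick abuses.
# Constructed list based on the "C:\Windows\System32" example in the article;
# extend it for your environment.
TRUSTED_DIRS = (r"C:\Windows", r"C:\Windows\System32", r"C:\Windows\SysWOW64")

# Constructed sample events in a simplified key="value" process-creation format
# (assumption: one event per line, with the executable path in Image="...").
SAMPLE_EVENTS = [
    'EventID=1 Image="C:\\Windows\\System32\\svchost.exe" User="NT AUTHORITY\\SYSTEM"',
    'EventID=1 Image="C:\\Windows \\System32\\loader.exe" User="CORP\\alice"',
    'EventID=1 Image="C:\\Users\\alice\\Downloads\\Invoice.exe" User="CORP\\alice"',
    'EventID=1 Image="C:\\Program Files \\Vendor\\app.exe" User="CORP\\alice"',
]

IMAGE_RE = re.compile(r'Image="([^"]*)"')


def classify_path(image_path: str) -> Optional[str]:
    """Return a reason string if the path uses a directory name padded with
    trailing whitespace, or None if every component is clean.

    A component that becomes a trusted directory once its trailing whitespace
    is stripped is reported as mimicking that directory; any other padded
    component is still reported, because the Win32 API normally refuses to
    create such names and they should not occur on a healthy system.
    """
    parts = image_path.split("\\")
    normalized = "\\".join(p.rstrip() for p in parts)
    if normalized == image_path:
        return None
    trusted = {d.lower() for d in TRUSTED_DIRS}
    # Walk each directory prefix and compare its whitespace-stripped form
    # against the trusted list.
    for i in range(1, len(parts)):
        prefix_raw = "\\".join(parts[:i])
        prefix_norm = "\\".join(p.rstrip() for p in parts[:i])
        if prefix_raw != prefix_norm and prefix_norm.lower() in trusted:
            return f"mimics trusted directory {prefix_norm}"
    return "trailing whitespace in path component"


def scan_events(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify_path over every event line and collect the findings."""
    findings = []
    for line in lines:
        match = IMAGE_RE.search(line)
        if not match:
            continue
        reason = classify_path(match.group(1))
        if reason is not None:
            findings.append({"image": match.group(1), "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(f"ALERT: {finding['image']!r}: {finding['reason']}")
```

On the sample events the scan flags the loader under “C:\Windows \System32” as mimicking C:\Windows and the “C:\Program Files ” entry as a padded component, while the genuine svchost.exe and the Downloads executable pass. Pair this with the UAC hardening the article recommends: “Always notify” corresponds to `ConsentPromptBehaviorAdmin` = 2 with `PromptOnSecureDesktop` = 1 under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`, so the elevation prompt appears even for binaries that would otherwise auto-elevate.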
