Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Phishing campaigns target SMBs in Poland, Romania, and Italy with multiple malware families

Phishing campaigns target small and medium-sized businesses (SMBs) in Poland to deliver malware families such as Agent Tesla, Formbook, and Remcos RAT. ESET researchers observed multiple phishing campaigns targeting SMBs in Poland in May 2024, distributing various malware families like Agent Tesla, Formbook, and Remcos RAT. ESET researchers detected nine notable phishing campaigns during May 2024 in Poland, Romania, and Italy. […]

phishing campaigns

Phishing campaigns target small and medium-sized businesses (SMBs) in Poland to deliver malware families such as Agent Tesla, Formbook, and Remcos RAT.

ESET researchers observed multiple phishing campaigns targeting SMBs in Poland in May 2024, distributing various malware families like Agent TeslaFormbook, and Remcos RAT.

ESET researchers detected nine notable phishing campaigns during May 2024 in Poland, Romania, and Italy. The campaigns rely on ModiLoader (aka DBatLoader) to deploy the above malware families.

Seven of these campaigns targeted Poland impacting over 21,000 users. Threat actors exploited compromised email accounts and company servers to disseminate malicious emails, host malware, and collect stolen data.

Attackers used previously compromised email accounts and company servers to spread phishing messages, host malware, and collect stolen data.

In the second half of 2023, ESET Research reported on significant phishing campaigns across Central and Eastern Europe, distributing the Rescoms malware protected by AceCryptor. However, in May 2024, the campaigns evolved and attackers switched from AceCryptor to ModiLoader for delivering malware, including Rescoms, Agent Tesla, and Formbook.

The attack chain employed in the campaigns is similar, the targeted companies received an email with a business offer that could be as simple as “Please provide your best price offer for the attached order no. 2405073.”

“Emails from all campaigns contained a malicious attachment that the potential victim was incentivized to open, based on the text of the email. These attachments had names like RFQ8219000045320004.tar (as in Request for Quotation) or ZAMÓWIENIE_NR.2405073.IMG (translation: ORDER_NO) and the file itself was either an ISO file or archive.” reads the report published by ESET. “In campaigns where an ISO file was sent as an attachment, the content was the ModiLoader executable (named similarly or the same as the ISO file itself) that would be launched if a victim tried to open the executable. In the other case, when a RAR archive was sent as an attachment, the content was a heavily obfuscated batch script, with the same name as the archive and with the .cmd file extension. This file also contained a base64-encoded ModiLoader executable, disguised as a PEM-encoded certificate revocation list. The script is responsible for decoding and launching the embedded ModiLoader.”

phishing campaigns

All the malware employed in the campaigns supports various information-stealing capabilities. Attackers can exfiltrate stolen data via SMTP to a typosquatted domain, experts observed the threat actors using a compromised web server of a guest house in Romania.

“Phishing campaigns targeting small and medium-sized businesses in Central and Eastern Europe are still going strong in the first half of 2024. Furthermore, attackers take advantage of previously successful attacks and actively use compromised accounts or machines to further spread malware or collect stolen information.” concludes the report. “As we presented, there are multiple other malware families like ModiLoader or Agent Tesla in the arsenal of these attackers, ready to be used.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Phishing campaigns)