ESET Research identified nine ModiLoader phishing campaigns in May 2024 targeting small and medium-sized businesses in Poland, Romania, and Italy. The campaigns delivered Rescoms, Agent Tesla, and Formbook, and relied on previously compromised email accounts and servers both to make the phishing emails look legitimate and to host the malware and receive exfiltrated data. The move away from AceCryptor to ModiLoader as the delivery mechanism, paired with infostealer and RAT payloads, points to attackers focused on credential theft and surveillance across Central and Eastern Europe. #ModiLoader #Rescoms #AgentTesla #Formbook #Poland #SMBs #OneDrive
Key points
- Nine ModiLoader phishing campaigns were detected in May 2024 across Poland, Romania, and Italy.
- Seven of the campaigns targeted Poland, affecting over 21,000 users protected by ESET products.
- Three malware families were deployed: Rescoms (Remcos), Agent Tesla, and Formbook.
- Attackers used compromised email accounts and company servers to spread malicious emails and to host malware and store stolen data.
- ModiLoader replaced AceCryptor as the primary delivery mechanism for malware.
- Campaigns used phishing emails with malicious attachments; some attachments were disk images (.iso/.img) or RAR archives containing either the ModiLoader executable or an obfuscated script.
MITRE Techniques
- [T1589.002] Gather Victim Identity Information: Email Addresses – Email addresses and contact information were used in phishing campaigns to target companies across multiple countries.
- [T1586.002] Compromise Accounts: Email Accounts – Compromised email accounts were used to send malicious emails, increasing the credibility of phishing attempts.
- [T1588.001] Obtain Capabilities: Malware – Attackers utilized multiple malware families for phishing campaigns.
- [T1583.006] Acquire Infrastructure: Web Services – Microsoft OneDrive was used to host malware.
- [T1584.004] Compromise Infrastructure: Server – Previously compromised servers were used to host malware and store stolen information.
- [T1566] Phishing – Phishing messages with malicious attachments were used to compromise computers and steal information.
- [T1566.001] Phishing: Spearphishing Attachment – Spearphishing messages were employed to compromise computers and steal information.
- [T1204.002] User Execution: Malicious File – Users were relied upon to open archives containing malware and launch the ModiLoader executable.
- [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – Attackers tried to steal credential information from browsers and email clients.
Indicators of Compromise
- [SHA-1] ModiLoader-related attachments from campaigns in May 2024 (partial values as listed: 20 of 40 hex characters, so usable only as hash prefixes for triage) – E7065EF6D0CF45443DEF, 31672B52259B4D514E68
- [Filename] ModiLoader-related attachments – doc023561361500.img (disk image used as the outer attachment), doc023561361500__079422732__202410502__000023.pdf.exe (executable carrying a decoy .pdf extension inside a long, underscore-padded name)
- [Domain] Exfiltration domain used in at least one campaign – a typosquatted domain imitating a German company (name not listed here)
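The attachment pattern described above (a disk image or archive as the outer attachment, an executable with a decoy `.pdf.exe` name inside, and user execution of that file) is easy to flag at a mail gateway or in an EDR attachment feed. The following triage script is an added example, not code from ESET or the report; it takes the filename and hash indicators exactly as listed above, treats the 20-character SHA-1 values as prefixes rather than full digests, and adds three generic checks: double extension, PE header under a non-executable extension, and container attachment carrying a PE. The extension sets, the `Attachment` record layout and the sample attachment are assumptions constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field

# Indicators copied from the summary above. The two SHA-1 values are listed
# there as 20 hex characters (half of a 40-character SHA-1), so they can only
# be used as prefixes; a prefix hit is a triage signal, not a confirmed match.
IOC_SHA1_PREFIXES = ("e7065ef6d0cf45443def", "31672b52259b4d514e68")
IOC_FILENAMES = {
    "doc023561361500.img",
    "doc023561361500__079422732__202410502__000023.pdf.exe",
}

# Extension classes (assumed for this example, not taken from the report).
CONTAINER_EXTS = {"img", "iso", "rar"}                       # outer attachment types seen in these campaigns
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}    # what the victim is meant to see
EXEC_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "jse"}


@dataclass
class Attachment:
    """One e-mail attachment as a mail gateway or EDR would hand it to triage.
    inner_files holds (name, bytes) pairs if the gateway unpacked a container."""
    name: str
    data: bytes
    inner_files: list = field(default_factory=list)


def ext_parts(name: str) -> list[str]:
    """Lower-cased base name split on dots, e.g. 'a.pdf.exe' -> ['a', 'pdf', 'exe']."""
    return name.lower().rsplit("/", 1)[-1].split(".")


def is_container(name: str) -> bool:
    return ext_parts(name)[-1] in CONTAINER_EXTS


def has_double_extension(name: str) -> bool:
    """True for names like invoice.pdf.exe: a decoy document extension
    immediately followed by an executable one."""
    parts = ext_parts(name)
    return len(parts) >= 3 and parts[-2] in DECOY_EXTS and parts[-1] in EXEC_EXTS


def looks_like_pe(data: bytes) -> bool:
    """Cheap check for a Windows PE image: 'MZ' DOS header and an e_lfanew
    offset (at 0x3C) that points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_off:pe_off + 4] == b"PE\x00\x00"


def sha1_prefix_hit(data: bytes) -> bool:
    """Compare the file's SHA-1 against the truncated IoC values as prefixes."""
    digest = hashlib.sha1(data).hexdigest()
    return any(digest.startswith(p) for p in IOC_SHA1_PREFIXES)


def triage(att: Attachment) -> list[str]:
    """Return human-readable findings for one attachment and its contents."""
    findings = []
    files = [(att.name, att.data)] + list(att.inner_files)
    for name, data in files:
        base = name.lower().rsplit("/", 1)[-1]
        if base in IOC_FILENAMES:
            findings.append(f"{name}: filename matches a published IoC")
        if sha1_prefix_hit(data):
            findings.append(f"{name}: SHA-1 prefix matches a published IoC (verify full hash)")
        if has_double_extension(name):
            findings.append(f"{name}: double extension (decoy document, executable payload)")
        if looks_like_pe(data) and ext_parts(name)[-1] not in EXEC_EXTS:
            findings.append(f"{name}: PE header but non-executable extension")
    if is_container(att.name) and any(looks_like_pe(d) for _, d in att.inner_files):
        findings.append(f"{att.name}: disk image/archive attachment carrying an executable")
    return findings


def fake_pe() -> bytes:
    """Constructed minimal PE-looking blob (not a real binary, not malware)."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)            # 0x40-byte DOS header
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")      # e_lfanew -> right after the header
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 32


# Constructed sample shaped like the reported lure: an .img attachment holding
# a PE named with a .pdf.exe double extension. Not a real sample.
SAMPLE = Attachment(
    name="doc023561361500.img",
    data=b"\x00" * 512,   # a real .img is a raw disk image; content is irrelevant here
    inner_files=[("doc023561361500__079422732__202410502__000023.pdf.exe", fake_pe())],
)

if __name__ == "__main__":
    for line in triage(SAMPLE):
        print(line)
```

Run against the constructed sample, the script reports the outer filename IoC, the inner filename IoC, the double extension, and the container-with-PE condition; the hash check stays silent because the constructed bytes are not the real sample. In production the filename and hash matches should be treated as high-confidence only after the full 40-character SHA-1 is confirmed, while the double-extension and container checks are generic enough to catch the next lure with a fresh hash.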
Read more: https://www.welivesecurity.com/en/eset-research/phishing-targeting-polish-smbs-continues-modiloader/