DBatLoader: Actively Distributing Malwares Targeting European Businesses

ThreatLabz (Zscaler) analyzes a new DBatLoader campaign active in Europe that delivers Remcos RAT and Formbook to manufacturing companies and other businesses. The operation uses WordPress-hosted payloads with authorized SSL certificates, multi-format obfuscation, and UAC-bypass techniques, with persistence through startup registry keys and URL shortcuts. #DBatLoader #RemcosRAT

Keypoints

  • Identified a new DBatLoader campaign distributing Remcos RAT and Formbook malware.
  • Targets manufacturing companies and various businesses in European countries via phishing emails.
  • Malware payloads are delivered through WordPress sites with authorized SSL certificates.
  • Phishing chains use multiple formats (PDF, HTML, ZIP, OneNote) and LNKs to coerce victims into downloading DBatLoader/Remcos/Formbook.
  • DBatLoader uses multilayer obfuscation and mock trusted directories to bypass detections and escalate privileges.
  • Stage-based delivery drops multiple files (DLLs, EXEs, BAT scripts) and establishes persistence via URL shortcuts and Run keys.
  • ThreatLabz maps observed techniques to MITRE ATT&CK and outlines defensive recommendations.

MITRE Techniques

  • [T1059.001] PowerShell – the dropped BAT script runs PowerShell to carve out a Microsoft Defender scanning exclusion. Quote: ‘executing powershell commands in BAT script to exclude Microsoft Defender scanning.’
  • [T1547.001] Registry Run Keys / Startup Folder – persistence through an autorun registry key (alongside the URL shortcuts noted above). Quote: ‘creates an autorun registry key to survive reboots.’
  • [T1574.002] DLL Side-Loading – a copy of easinvoker.exe placed in the mock directory loads the attacker-supplied netutils.dll. Quote: ‘The attacker copies "easinvoker.exe" to the mock directory and uses it to load the malicious "netutils.dll", which in turn executes the "KDECO.bat" script.’
  • [T1562.001] Disable or Modify Tools – Defender is told to skip the user-profile tree where the payloads live. Quote: ‘PowerShell commands that exclude the C:\Users directory from being scanned by Microsoft Defender.’
  • [T1140] Deobfuscate/Decode Files or Information – the loader decodes its embedded stages at run time. Quote: ‘Step 2 – Decoding…’ and ‘The following function…’
  • [T1027] Obfuscated Files or Information – layered obfuscation plus image steganography conceal the first stage. Quote: ‘multilayer obfuscation techniques and image steganography techniques to hide the initial stage’
  • [T1036] Masquerading – look-alike directory paths pass for trusted Windows locations. Quote: ‘mock trusted directories Method… to imitate a legitimate path’
  • [T1055] Process Injection – the second-stage payload is written into memory rather than to disk. Quote: ‘the second stage payload will be allocated in the memory… via the VirtualAlloc API.’
  • [T1219] Remote Access Software – Remcos RAT is the final remote-access payload. Quote: ‘Remcos RAT delivered/used as the remote access component.’

Indicators Of Compromise

  • [File Name] context – Purchase Order SZ5-9-020.msg, Revised_Order_Document.pdf, Revised_Order_Document.cab, and 2 more files
  • [MD5] context – d51576e2e216292a72ce16821f9696d3, 0e8aefd1dade4f059c2881c6e05f689f
  • [URL] context – hxxps://silverline[.]com[.]sg/new/Revised_Order_Document.cab, hxxps://silverline[.]com[.]sg/admin/Xdfiifagcwrbrg.exe
  • [IP] context – 185.246.220.63
  • [Domain] context – duckdns.org:9150, silverline[.]com[.]sg
  • [File Name] context – XdfiifagO.bat, KDECO.bat, easinvoker.exe, netutils.dll
  • [MD5] context – 55aba243e88f6a6813c117ffe1fa5979, 213c60adf1c9ef88dc3c9b2d579959d2
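The indicators and MITRE techniques above are only useful once they are turned into something that runs over telemetry. The following script is an added example written for this summary, not code from Zscaler or the ThreatLabz write-up: it refangs the IoCs listed here and matches them, together with simple behavioural patterns for the Defender exclusion, Run-key persistence, Startup-folder URL shortcut and mock trusted directory, against a handful of constructed log lines. The cmdlet name (Add-MpPreference -ExclusionPath), the registry and Startup paths, the trailing-space directory heuristic and every log line are assumptions chosen to illustrate the techniques, not values taken from the page.

```python
"""Added detection example for the DBatLoader summary above (not Zscaler's code)."""
import re

# Indicators copied from the summary, kept defanged exactly as listed there.
DEFANGED_URLS = [
    "hxxps://silverline[.]com[.]sg/new/Revised_Order_Document.cab",
    "hxxps://silverline[.]com[.]sg/admin/Xdfiifagcwrbrg.exe",
]
# duckdns.org is a dynamic-DNS parent domain; plain substring matching
# deliberately catches any subdomain of it (assumption: the C2 host is one).
DEFANGED_DOMAINS = ["silverline[.]com[.]sg", "duckdns.org"]
IPS = ["185.246.220.63"]
MD5S = {
    "d51576e2e216292a72ce16821f9696d3", "0e8aefd1dade4f059c2881c6e05f689f",
    "55aba243e88f6a6813c117ffe1fa5979", "213c60adf1c9ef88dc3c9b2d579959d2",
}
FILE_NAMES = {"XdfiifagO.bat", "KDECO.bat", "easinvoker.exe", "netutils.dll",
              "Revised_Order_Document.cab", "Revised_Order_Document.pdf"}


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxps://, [.]) back into its matchable form."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")


# IPs are bounded so 185.246.220.63 does not also match 185.246.220.630.
IP_PATTERNS = [re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])") for ip in IPS]
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")

# Behavioural patterns for the techniques in the summary. The cmdlet name, the
# registry/Startup paths and the whitespace-padded directory trick are
# assumptions about how these techniques appear in telemetry, not page text.
BEHAVIOURS = [
    ("behavior:defender_exclusion",
     re.compile(r"add-mppreference\b.*-exclusionpath\b", re.I)),
    ("behavior:run_key",
     re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)),
    ("behavior:startup_url",
     re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.url\b", re.I)),
    # a trusted directory name padded with whitespace imitates the real path
    ("behavior:mock_trusted_dir", re.compile(r"[a-z]:\\windows\s+\\", re.I)),
]


def scan_line(line: str) -> list:
    """Return the detection tags that fire on one log line, in a fixed order."""
    hits = []
    lowered = line.lower()
    if any(refang(u).lower() in lowered for u in DEFANGED_URLS):
        hits.append("ioc:url")
    if any(refang(d).lower() in lowered for d in DEFANGED_DOMAINS):
        hits.append("ioc:domain")
    if any(p.search(line) for p in IP_PATTERNS):
        hits.append("ioc:ip")
    if MD5S.intersection(MD5_RE.findall(lowered)):
        hits.append("ioc:md5")
    if any(name.lower() in lowered for name in FILE_NAMES):
        hits.append("ioc:file")
    for tag, pattern in BEHAVIOURS:
        if pattern.search(line):
            hits.append(tag)
    return hits


def scan_log(lines) -> dict:
    """Map line index -> tags for every line that triggers at least one detection."""
    findings = {}
    for i, line in enumerate(lines):
        tags = scan_line(line)
        if tags:
            findings[i] = tags
    return findings


# Constructed sample telemetry (proxy, process, registry, file, network events).
SAMPLE_LOG = [
    r"2024-01-01T10:00:00Z proxy user=alice GET https://silverline.com.sg/new/Revised_Order_Document.cab 200",
    r'process_create image=C:\Windows\System32\cmd.exe cmdline="cmd /c C:\Users\Public\KDECO.bat"',
    r'process_create image=powershell.exe cmdline="powershell -Command Add-MpPreference -ExclusionPath C:\Users"',
    r"registry_set key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\update value=C:\Users\Public\update.exe",
    r"file_create path=C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.url",
    r"process_create image=C:\Windows \System32\easinvoker.exe md5=55aba243e88f6a6813c117ffe1fa5979",
    r"network_connect dst=185.246.220.63:9150",
    r"network_connect dst=example.duckdns.org:9150",
    r'process_create image=C:\Windows\explorer.exe cmdline="explorer.exe"',
]

if __name__ == "__main__":
    for idx, tags in scan_log(SAMPLE_LOG).items():
        print(f"line {idx}: {', '.join(tags)}")
```

The IoC matches are exact-string hits and will age quickly; the behavioural tags (a Defender exclusion for the whole user profile, a Run key or Startup-folder .url pointing into a writable directory, a "Windows" path segment padded with whitespace) are the ones worth keeping as hunting queries after the infrastructure rotates.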

Read more: https://www.zscaler.com/blogs/security-research/dbatloader-actively-distributing-malwares-targeting-european-businesses