🎣 Look out for this new #phishing campaign
#DBatLoader deploys #Remcos by abusing .pif (Program Information Files) to evade detection and execute the final payload

See analysis of the full attack chain 👇
https://any.run/cybersecurity-blog/dbatloader-drops-remcos/?utm_source=mastodon&utm_medium=post&utm_campaign=dbatloader_drops_remcos&utm_content=linktoblog&utm_term=230525

Phishing Campaign: DBatLoader Delivers Remcos via UAC Bypass

Learn about a new phishing campaign spreading Remcos through DBatLoader. It employs UAC bypass and obfuscated scripts to compromise systems.

ANY.RUN's Cybersecurity Blog

🚨 New #phishing campaign uses #DBatLoader to drop #Remcos RAT.
The infection relies on #UAC bypass with mock directories, obfuscated .cmd scripts, Windows #LOLBAS techniques, and advanced persistence mechanisms. At the time of analysis, the samples had not yet been submitted to #VirusTotal ⚠️

🔗 Execution chain:
#Phish ➡️ Archive ➡️ DBatLoader ➡️ CMD ➡️ SndVol.exe (Remcos injected)

👨‍💻 #ANYRUN allows analysts to quickly uncover stealth techniques like LOLBAS abuse, injection, and UAC bypass, all within a single interactive analysis session. See analysis: https://app.any.run/tasks/c57ca499-51f5-4c50-a91f-70bc5a60b98d/?utm_source=mastodon&utm_medium=post&utm_campaign=dbatloader&utm_term=150525&utm_content=linktoservice

🛠️ Key techniques:
🔹 .cmd files #Obfuscated with #BatCloak are used to download and run the #payload.
🔹 Remcos injects into trusted system processes (SndVol.exe, colorcpl.exe).
🔹 Scheduled tasks trigger a Cmwdnsyn.url file, which launches a .pif dropper to maintain persistence.
🔹 Esentutl.exe is abused via LOLBAS to copy cmd.exe into the alpha.pif file.
🔹 UAC bypass is achieved with fake directories like “C:\Windows ” (note the trailing space), exploiting how Windows handles folder names.

⚠️ This threat uses multiple layers of stealth and abuse of built-in Windows tools. Behavioral detection and attention to unusual file paths or other anomalous activity are crucial to catching it early. #ANYRUN Sandbox provides the visibility needed to spot these techniques in real time 🚀

Analysis FAKTURA.tar.lz (MD5: B7AAF85E1B3EC2C1AF0098AE92D3E46E) Malicious activity - Interactive analysis ANY.RUN

Interactive malware hunting service. Live testing of most types of threats in any environment. No installation and no waiting necessary.
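As an added example (not ANY.RUN's code and not taken from the sandbox report), here are the three host-level tells from the post above written as triage rules over process-creation records: a directory component with a trailing space (a mock "C:\Windows " that normal Win32 path handling cannot create, so it has to be made through the \\?\ prefix), esentutl.exe used with /y and /d as a copy primitive for an executable, and a scheduled task whose action is a .url or .pif file. The records, the task name Updater and the binary name example.exe are constructed for the example; only the cmd.exe-to-alpha.pif copy and the Cmwdnsyn.url action come from the post.

```python
"""Triage rules for the DBatLoader / Remcos tradecraft described in the post.
Added example, not ANY.RUN's code. Input records carry only the Image and
CommandLine fields of a Sysmon Event ID 1 and are constructed for the example."""
import ntpath
import re

TOKEN = re.compile(r'"[^"]*"|\S+')          # quoted or bare command-line tokens
EXEC_EXTS = (".exe", ".pif", ".com", ".scr", ".cmd", ".bat")
SHORTCUT_EXTS = (".url", ".lnk", ".pif")

SAMPLE_EVENTS = [  # constructed records, not from the sandbox report
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c mkdir "\\?\C:\Windows \System32"'},
    {"Image": r"C:\Windows\System32\esentutl.exe",
     "CommandLine": r"esentutl.exe /y C:\Windows\System32\cmd.exe /d C:\Users\Public\alpha.pif /o"},
    {"Image": r"C:\Windows \System32\example.exe",   # hypothetical binary name
     "CommandLine": r'"C:\Windows \System32\example.exe"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",   # constructed task; Cmwdnsyn.url is from the post
     "CommandLine": r'schtasks.exe /create /tn Updater /tr "C:\Users\Public\Cmwdnsyn.url" /sc minute /mo 5 /f'},
    {"Image": r"C:\Windows\System32\notepad.exe",    # benign control
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
]


def tokenize(cmdline):
    """Split a Windows command line into tokens, dropping surrounding quotes."""
    return [t.strip('"') for t in TOKEN.findall(cmdline)]


def arg_after(tokens, flag):
    """Value following a flag such as /y (case-insensitive); None if absent or last."""
    low = [t.lower() for t in tokens]
    if flag not in low or low.index(flag) + 1 >= len(tokens):
        return None
    return tokens[low.index(flag) + 1]


def has_trailing_space_dir(path):
    r"""True if any directory component ends in a space.
    Win32 strips trailing spaces when resolving names, so "C:\Windows \System32"
    only exists if it was created through the \\?\ prefix; a legitimate path
    never has such a component. The final component (a file name) is ignored."""
    parts = path.split("\\")
    return any(p and p != p.rstrip(" ") for p in parts[:-1])


def rule_mock_directory(ev):
    for p in [ev["Image"], *tokenize(ev["CommandLine"])]:
        if has_trailing_space_dir(p):
            return f"path component with trailing space: {p!r}"
    return None


def rule_esentutl_copy(ev):
    # LOLBAS form: esentutl.exe /y <src> /d <dst> /o copies an arbitrary file
    if ntpath.basename(ev["Image"]).lower() != "esentutl.exe":
        return None
    toks = tokenize(ev["CommandLine"])
    src, dst = arg_after(toks, "/y"), arg_after(toks, "/d")
    if src and dst and (src.lower().endswith(EXEC_EXTS) or dst.lower().endswith(EXEC_EXTS)):
        return f"esentutl used as copy primitive: {src} -> {dst}"
    return None


def rule_task_shortcut_action(ev):
    if ntpath.basename(ev["Image"]).lower() != "schtasks.exe":
        return None
    action = arg_after(tokenize(ev["CommandLine"]), "/tr")
    if action and action.lower().endswith(SHORTCUT_EXTS):
        return f"scheduled task action is a shortcut file: {action}"
    return None


RULES = {
    "mock_directory": rule_mock_directory,
    "esentutl_copy": rule_esentutl_copy,
    "task_shortcut_action": rule_task_shortcut_action,
}


def scan(events):
    """Apply every rule to every record; return one finding per (record, rule) hit."""
    findings = []
    for i, ev in enumerate(events):
        for name, rule in RULES.items():
            evidence = rule(ev)
            if evidence:
                findings.append({"event": i, "rule": name, "evidence": evidence})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"event {f['event']}: {f['rule']}: {f['evidence']}")
```

The trailing-space check is deliberately applied to every token of the command line, not only to the image path, because the mock directory first appears in the mkdir (or copy) command that creates it, before any binary runs from it. Run against real Sysmon exports, the esentutl rule will also match legitimate database copies only when either side carries an executable extension, which keeps it quiet on ordinary .edb maintenance.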

2025-01-09 (Thursday):

#CVE-2017-0199 Excel (#XLS) file --> #HTA --> #VBS --> #steganography --> #DBatLoader or #GuLoader style malware for #AgentTesla. Data exfil over FTP. A #pcap from an infection, the associated malware, and more info available at www.malware-traffic-analysis.net/2025/01/09/index.html