30 July 2024

Threat actors target Polish businesses with Agent Tesla and Formbook malware


Threat actors are targeting small and medium-sized businesses (SMBs) in Poland with phishing campaigns delivering a number of malware families such as Agent Tesla, Formbook, and Remcos RAT.

In a detailed report, cybersecurity firm ESET revealed that nine significant ModiLoader phishing campaigns were detected in May 2024, affecting businesses in Poland, Italy, and Romania.

The attackers used previously compromised email accounts and corporate servers to send the malicious emails, host the malware, and collect stolen data. The attacks were carried out in nine waves, each employing the DBatLoader malware loader, also known as ModiLoader or NatsoLoader, to deliver the final payloads.

The move to DBatLoader marks a shift from the tactics observed in the second half of 2023, when the same cybercriminals frequently used a cryptor-as-a-service (CaaS) called AceCryptor to spread Remcos RAT, also known as Rescoms. According to a March 2024 report, Rescoms had become the most prevalent malware family packed by AceCryptor, with a significant share of those attacks occurring in Poland.

The attacks typically began with phishing emails carrying malware-laced RAR or ISO attachments. Opening an attachment started a multi-step process that downloaded and launched the trojan. ISO files led directly to the execution of DBatLoader, while RAR archives contained an obfuscated Windows batch script embedding a Base64-encoded ModiLoader executable disguised as a PEM-encoded certificate revocation list, so that the blob passes a casual glance as certificate material rather than as a program.
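The "executable disguised as a PEM certificate revocation list" trick is easy to check for mechanically: a genuine CRL decodes to DER, which begins with an ASN.1 SEQUENCE byte (0x30), whereas a Windows executable begins with the "MZ" DOS header. The scanner below is an added example written for this article, not ESET's code or anything recovered from the campaign. It extracts PEM-armored blocks from a text file (tolerating the `echo` prefixes a batch script uses to write such a file out), decodes them, and flags any whose content is a PE rather than DER; it also notes whether the script calls `certutil -decode`, the built-in Windows tool commonly used to turn such a file back into a binary. The sample batch script and the byte stubs it decodes are constructed for the example; the "PE" is only a header stub and does not run.

```python
import base64
import re

# Added example, not code from the article or from ESET.  Scans text for
# PEM-armored blocks and checks whether the decoded bytes match the label.
_PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL
)
_CERTUTIL_RE = re.compile(r"\bcertutil(?:\.exe)?\b[^\n]*-decode", re.IGNORECASE)


def _clean_body(body: str) -> str:
    """Join the Base64 lines between BEGIN/END, dropping batch 'echo ' prefixes."""
    lines = []
    for line in body.splitlines():
        line = line.strip()
        line = re.sub(r"^echo(?:\s+|$)", "", line, flags=re.IGNORECASE)
        lines.append(line)
    return "".join(lines)


def classify_payload(data: bytes) -> str:
    """'pe' for a DOS/PE header, 'der' for an ASN.1 SEQUENCE (what a CRL should be)."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:1] == b"\x30":
        return "der"
    return "unknown"


def pem_blocks(text: str) -> list[tuple[str, bytes]]:
    """Return (label, decoded bytes) for every well-formed PEM block in text."""
    blocks = []
    for match in _PEM_RE.finditer(text):
        label, body = match.group(1), _clean_body(match.group(2))
        try:
            data = base64.b64decode(body, validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue                # not valid Base64: not a decodable block
        blocks.append((label, data))
    return blocks


def find_disguised_executables(text: str) -> list[dict]:
    """Flag PEM blocks whose decoded content is a PE file regardless of label."""
    findings = []
    for label, data in pem_blocks(text):
        kind = classify_payload(data)
        if kind == "pe":
            findings.append({"label": label, "kind": kind, "size": len(data)})
    return findings


def uses_certutil_decode(text: str) -> bool:
    """True if the script decodes a file with certutil, as such droppers do."""
    return _CERTUTIL_RE.search(text) is not None


# Constructed stub standing in for a PE: DOS magic plus padding, not runnable.
_FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60
_FAKE_PE_B64 = base64.b64encode(_FAKE_PE).decode()

# Constructed batch script in the style described in the article: it writes a
# "CRL" to disk via echo, decodes it with certutil and launches the result.
SAMPLE_BATCH = f"""@echo off
set f=%temp%\\crl.pem
(
echo -----BEGIN X509 CRL-----
echo {_FAKE_PE_B64[:48]}
echo {_FAKE_PE_B64[48:]}
echo -----END X509 CRL-----
) > "%f%"
certutil -decode "%f%" "%temp%\\svchost.exe"
start "" "%temp%\\svchost.exe"
"""

# Constructed DER stub (an ASN.1 SEQUENCE header) standing in for a real CRL.
_FAKE_DER = b"\x30\x82\x01\x00" + b"\x00" * 20
SAMPLE_CRL = (
    "-----BEGIN X509 CRL-----\n"
    + base64.b64encode(_FAKE_DER).decode()
    + "\n-----END X509 CRL-----\n"
)

if __name__ == "__main__":
    for name, text in (("batch script", SAMPLE_BATCH), ("real-looking CRL", SAMPLE_CRL)):
        print(name, "->", find_disguised_executables(text),
              "certutil -decode:", uses_certutil_decode(text))
```

The same two checks transfer to mail-gateway or endpoint rules: a PEM block that decodes to `MZ` inside an attachment, or a batch file that both writes PEM armor and invokes `certutil -decode`, is worth quarantining on its own, before any payload is downloaded.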

DBatLoader, a Delphi-based downloader, was designed to download and launch subsequent stage malware from either Microsoft OneDrive or compromised servers of legitimate companies. The deployment of malware like Agent Tesla, Formbook, and Remcos RAT enabled attackers to siphon sensitive information.

While Poland was the primary target, the campaigns also extended to other regions, notably Italy and Romania.

“Three different malware families were used as a final payload: Agent Tesla, Rescoms, and Formbook. All these families are capable of information stealing and thus allow attackers not only to expand their datasets of stolen information, but also to prepare the ground for their next campaigns,” ESET noted.
