
Beware! Hackers Abusing Public Cloud Infrastructure to Host DBatLoader Malware

Security analysts at SentinelOne have recently identified several phishing campaigns that use the DBatLoader malware loader to distribute the Remcos RAT. The campaigns primarily target businesses and institutions in Eastern Europe.

DBatLoader hosts its malware staging component on public cloud infrastructure to facilitate its operations. The threat actors use a variety of lures and delivery methods to distribute the RAT through phishing emails.

Earlier Remcos RAT phishing campaigns targeted Ukrainian state institutions using password-protected archives as email attachments; those institutions were targeted for the purpose of espionage.

Spreading via Phishing Emails

The phishing emails that distribute DBatLoader and Remcos carry “tar.lz” archive attachments. Most of the time, these attachments are disguised as financial documents such as:

  • Invoices
  • Documents related to tenders

The threat actors were observed using a variety of techniques to make the emails look credible, as if they came from a trustworthy source.

The phishing emails are mainly sent to the targets’ sales departments or to their primary publicly listed contact addresses.

Most of the sender addresses use the top-level domain of the target’s country, and a large volume of phishing emails was sent from them.

According to the report, the malicious attachments are usually accompanied by text written in the language of the target’s country, though some emails contain no text at all.

The threat actors use English text when they are not impersonating local institutions or businesses.

Staging Remcos RAT with DBatLoader

The DBatLoader executables are delivered inside the tar.lz archives attached to the phishing emails. Using double extensions and application icons, the executables disguise themselves as legitimate documents of the following types:

  • Microsoft Office
  • LibreOffice
  • PDF

When the user decompresses the archive and runs the executable inside it, DBatLoader downloads obfuscated second-stage payload data from a public cloud location.

The download links have varying lifetimes, the longest lasting over a month, and all of those observed point to Microsoft OneDrive and Google Drive.

The cloud storage locations that were still active contained only the second-stage DBatLoader payload data.

It is not yet clear whether the OneDrive and Google Drive accounts used by the threat actors were self-registered or compromised.

The malware then creates and executes an initial batch script in the %Public%\Libraries directory.

This script creates a mock trusted directory, for example “C:\Windows \System32” (note the trailing space after “Windows”). Windows trims that trailing space when it checks whether an executable lives in a trusted location such as %SystemRoot%\System32, so binaries launched from the mock directory are treated as if they were in the real one, which allows Windows User Account Control (UAC) to be bypassed. DBatLoader then copies a malicious netutils.dll DLL, together with the legitimate easinvoker.exe executable (a Microsoft binary that auto-elevates when run from a trusted directory), into this directory.

When easinvoker.exe runs, it loads the malicious netutils.dll placed beside it (DLL hijacking), which in turn executes a malicious script named KDECO.bat.

To evade detection, KDECO.bat adds the C:\Users directory to the Microsoft Defender exclusion list so that it is no longer scanned. The Remcos configurations observed were diverse, but they commonly include:

  • Keylogging
  • Screenshot theft
  • duckdns dynamic DNS domains for C2 purposes

Recommendations

Staying alert to phishing and not opening attachments from unknown or unexpected senders is the best way to reduce the risk of compromise.

In addition, the security researchers offer the following recommendations for administrators:

  • Be vigilant in protecting public cloud instances from malicious network requests.
  • Inspect the “%Public%\Libraries” directory for suspicious file creations, and look for process executions involving trailing spaces in filesystem paths, particularly the “\Windows \” path.
  • Configure Windows UAC to “Always notify”, so that you are prompted whenever a program attempts to make changes to your computer. Auto-elevation, which the mock trusted directory trick relies on, only happens at the default UAC level, so this setting closes that avenue.
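The following Python script is an added example, not code from the article or from SentinelOne’s report. It applies the three checks suggested above to constructed Sysmon-style events (process creation and file creation records): flag path components that end in whitespace and, in particular, those that would resolve to a trusted directory once the whitespace is removed; flag file activity under %Public%\Libraries; and flag command lines that add a Microsoft Defender exclusion path. The event structure, the sample paths and the file name stage.bat are assumptions made for the example; easinvoker.exe, netutils.dll and KDECO.bat are the names given in the article.

```python
"""Hunt for the DBatLoader tradecraft described above in Sysmon-style events.

The sample events below are constructed for this example; they are not real
telemetry.  Event IDs follow Sysmon numbering: 1 = process creation,
11 = file creation.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Trusted directories whose auto-elevation DBatLoader mimics by inserting a
# trailing space into one path component, e.g. "C:\Windows \System32".
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Staging directory in which the initial batch script is created.
PUBLIC_LIBRARIES = r"c:\users\public\libraries"

# Defender exclusion being added from a command line (as KDECO.bat does).
DEFENDER_EXCLUSION = re.compile(r"add-mppreference\b.*-exclusionpath", re.IGNORECASE)


@dataclass
class Event:
    event_id: int           # 1 = process creation, 11 = file creation
    path: str               # Image (ID 1) or TargetFilename (ID 11)
    command_line: str = ""  # CommandLine (ID 1 only)


def normalize(path: str) -> str:
    """Lower-case the path and collapse separators WITHOUT stripping whitespace.

    Stripping is deliberately avoided: the trailing space inside "Windows " is
    the very artefact being hunted for.
    """
    return re.sub(r"[\\/]+", r"\\", path).lower()


def components_with_trailing_space(path: str) -> list[str]:
    """Return the path components that end in whitespace."""
    return [c for c in normalize(path).split("\\") if c and c != c.rstrip()]


def mimics_trusted_dir(path: str) -> bool:
    """True if the path has a trailing-space component and, with those spaces
    removed, would sit inside a trusted directory (the mock directory trick)."""
    if not components_with_trailing_space(path):
        return False
    stripped = "\\".join(p.rstrip() for p in normalize(path).split("\\"))
    return any(stripped.startswith(t + "\\") for t in TRUSTED_DIRS)


def in_public_libraries(path: str) -> bool:
    """True if the file lives under %Public%\\Libraries (assumed default location)."""
    return normalize(path).startswith(PUBLIC_LIBRARIES + "\\")


def classify(ev: Event) -> list[str]:
    """Return the list of detection tags that apply to one event."""
    findings: list[str] = []
    if components_with_trailing_space(ev.path):
        findings.append("mock-trusted-directory" if mimics_trusted_dir(ev.path)
                        else "trailing-space-path")
    if in_public_libraries(ev.path):
        findings.append("public-libraries-staging")
    if ev.event_id == 1 and DEFENDER_EXCLUSION.search(ev.command_line):
        findings.append("defender-exclusion-added")
    return findings


def hunt(events: list[Event]) -> list[tuple[str, list[str]]]:
    """Return (path, tags) for every event that triggers at least one check."""
    results = []
    for ev in events:
        tags = classify(ev)
        if tags:
            results.append((ev.path, tags))
    return results


# Constructed sample telemetry modelled on the chain described in the article.
SAMPLE_EVENTS = [
    Event(11, r"C:\Users\Public\Libraries\stage.bat"),              # assumed script name
    Event(1, r"C:\Windows \System32\easinvoker.exe"),               # note trailing space
    Event(11, r"C:\Windows \System32\netutils.dll"),
    Event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Users'"),
    Event(1, r"C:\Windows\System32\notepad.exe"),                   # benign, no findings
]

if __name__ == "__main__":
    for path, tags in hunt(SAMPLE_EVENTS):
        print(f"{path!r}: {', '.join(tags)}")
```

The key design point is in `normalize`: most path-handling code (and Win32 itself when it opens a file) quietly strips trailing spaces, which is exactly why the trick works and why a detection must preserve them before comparing against the trusted-directory list. In a real deployment the same three checks map onto Sysmon Event ID 1 (Image, CommandLine) and Event ID 11 (TargetFilename) fields.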
Balaji N

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
