digitalcourage.social

Pyrzout :vm:New Phishing Campaign Uses DBatLoader to Drop Remcos RAT: What Analysts Need to Know – Source:hackread.com <a href="https://ciso2ciso.com/new-phishing-campaign-uses-dbatloader-to-drop-remcos-rat-what-analysts-need-to-know-sourcehackread-com/" rel="nofollow noopener" translate="no" target="_blank">https://ciso2ciso.com/new-phishing-campaign-uses-dbatloader-to-drop-remcos-rat-what-analysts-need-to-know-sourcehackread-com/</a> <a href="https://social.skynetcloud.site/tags/1CyberSecurityNewsPost" class="mention hashtag" rel="nofollow noopener" target="_blank">#1CyberSecurityNewsPost</a> <a href="https://social.skynetcloud.site/tags/CyberSecurityNews" class="mention hashtag" rel="nofollow noopener" target="_blank">#CyberSecurityNews</a> <a href="https://social.skynetcloud.site/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#cybersecurity</a> <a href="https://social.skynetcloud.site/tags/CyberAttack" class="mention hashtag" rel="nofollow noopener" target="_blank">#CyberAttack</a> <a href="https://social.skynetcloud.site/tags/0CISO2CISO" class="mention hashtag" rel="nofollow noopener" target="_blank">#0CISO2CISO</a> <a href="https://social.skynetcloud.site/tags/DBatLoader" class="mention hashtag" rel="nofollow noopener" target="_blank">#DBatLoader</a> <a href="https://social.skynetcloud.site/tags/RemcosRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#RemcosRAT</a> <a href="https://social.skynetcloud.site/tags/Hackread" class="mention hashtag" rel="nofollow noopener" target="_blank">#Hackread</a> <a href="https://social.skynetcloud.site/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#Phishing</a> <a href="https://social.skynetcloud.site/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#security</a> <a href="https://social.skynetcloud.site/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#malware</a> <a href="https://social.skynetcloud.site/tags/RAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#RAT</a>

ANY.RUN🚨 New <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#phishing</a> campaign uses <a href="https://infosec.exchange/tags/DBatLoader" class="mention hashtag" rel="nofollow noopener" target="_blank">#DBatLoader</a> to drop <a href="https://infosec.exchange/tags/Remcos" class="mention hashtag" rel="nofollow noopener" target="_blank">#Remcos</a> RAT. The infection relies on <a href="https://infosec.exchange/tags/UAC" class="mention hashtag" rel="nofollow noopener" target="_blank">#UAC</a> bypass with mock directories, obfuscated .cmd scripts, Windows <a href="https://infosec.exchange/tags/LOLBAS" class="mention hashtag" rel="nofollow noopener" target="_blank">#LOLBAS</a> techniques, and advanced persistence techniques. At the time of analysis, the samples had not yet been submitted to <a href="https://infosec.exchange/tags/VirusTotal" class="mention hashtag" rel="nofollow noopener" target="_blank">#VirusTotal</a> ⚠️🔗 Execution chain: <a href="https://infosec.exchange/tags/Phish" class="mention hashtag" rel="nofollow noopener" target="_blank">#Phish</a> ➡️ Archive ➡️ DBatLoader ➡️ CMD ➡️ SndVol.exe (Remcos injected) 👨‍💻 <a href="https://infosec.exchange/tags/ANYRUN" class="mention hashtag" rel="nofollow noopener" target="_blank">#ANYRUN</a> allows analysts to quickly uncover stealth techniques like LOLBAS abuse, injection, and UAC bypass, all within a single interactive analysis session. See analysis: <a href="https://app.any.run/tasks/c57ca499-51f5-4c50-a91f-70bc5a60b98d/?utm_source=mastodon&utm_medium=post&utm_campaign=dbatloader&utm_term=150525&utm_content=linktoservice" rel="nofollow noopener" translate="no" target="_blank">https://app.any.run/tasks/c57ca499-51f5-4c50-a91f-70bc5a60b98d/?utm_source=mastodon&utm_medium=post&utm_campaign=dbatloader&utm_term=150525&utm_content=linktoservice</a>🛠️ Key techniques: 🔹 <a href="https://infosec.exchange/tags/Obfuscated" class="mention hashtag" rel="nofollow noopener" target="_blank">#Obfuscated</a> with <a href="https://infosec.exchange/tags/BatCloak" class="mention hashtag" rel="nofollow noopener" target="_blank">#BatCloak</a> .cmd files are used to download and run <a href="https://infosec.exchange/tags/payload" class="mention hashtag" rel="nofollow noopener" target="_blank">#payload</a>. 🔹 Remcos injects into trusted system processes (SndVol.exe, colorcpl.exe). 🔹 Scheduled tasks trigger a Cmwdnsyn.url file, which launches a .pif dropper to maintain persistence. 🔹 Esentutl.exe is abused via LOLBAS to copy cmd.exe into the alpha.pif file. 🔹 UAC bypass is achieved with fake directories like “C:\Windows “ (note the trailing space), exploiting how Windows handles folder names. ⚠️ This threat uses multiple layers of stealth and abuse of built-in Windows tools. Behavioral detection and attention to unusual file paths or another activity are crucial to catching it early. <a href="https://infosec.exchange/tags/ANYRUN" class="mention hashtag" rel="nofollow noopener" target="_blank">#ANYRUN</a> Sandbox provides the visibility needed to spot these techniques in real time 🚀

Brad2025-01-09 (Thursday): <a href="https://infosec.exchange/tags/CVE" class="mention hashtag" rel="nofollow noopener" target="_blank">#CVE</a>-2017-0199 Excel (<a href="https://infosec.exchange/tags/XLS" class="mention hashtag" rel="nofollow noopener" target="_blank">#XLS</a>) file --> <a href="https://infosec.exchange/tags/HTA" class="mention hashtag" rel="nofollow noopener" target="_blank">#HTA</a> --> <a href="https://infosec.exchange/tags/VBS" class="mention hashtag" rel="nofollow noopener" target="_blank">#VBS</a> --> <a href="https://infosec.exchange/tags/steganography" class="mention hashtag" rel="nofollow noopener" target="_blank">#steganography</a> --> <a href="https://infosec.exchange/tags/DBatLoader" class="mention hashtag" rel="nofollow noopener" target="_blank">#DBatLoader</a> or <a href="https://infosec.exchange/tags/GuLoader" class="mention hashtag" rel="nofollow noopener" target="_blank">#GuLoader</a> style malware for <a href="https://infosec.exchange/tags/AgentTesla" class="mention hashtag" rel="nofollow noopener" target="_blank">#AgentTesla</a>. Data exfil over FTP. A <a href="https://infosec.exchange/tags/pcap" class="mention hashtag" rel="nofollow noopener" target="_blank">#pcap</a> from an infection, the associated malware, and more info available at www.malware-traffic-analysis.net/2025/01/09/index.html

SANS Internet Storm Center - SANS.edu - Go Sentinels!ISC Diary: <a href="https://infosec.exchange/@malware_traffic" class="u-url mention" rel="nofollow noopener" target="_blank">@malware_traffic</a> reviews <a href="https://infosec.exchange/tags/Formbook" class="mention hashtag" rel="nofollow noopener" target="_blank">#Formbook</a> from possible <a href="https://infosec.exchange/tags/ModiLoader" class="mention hashtag" rel="nofollow noopener" target="_blank">#ModiLoader</a> (<a href="https://infosec.exchange/tags/DBatLoader" class="mention hashtag" rel="nofollow noopener" target="_blank">#DBatLoader</a>) <a href="https://i5c.us/d29958" rel="nofollow noopener" target="_blank">https://i5c.us/d29958</a>

Recent searches

Search options

Administered by:

Server stats:

#Dbatloader