TLDR:
- Phishing campaigns intensified in May 2024, with Poland being the primary target.
- Threat actors transitioned from using AceCryptor to ModiLoader as the primary malware delivery mechanism.
A new widespread phishing campaign has been targeting users with multiple malware attacks, with Poland bearing the brunt of the attacks. The campaign intensified in May 2024, with Poland accounting for 80% of the more than 26,000 users protected during the month, while Italy and Romania also experienced significant targeting. The threat actors behind the campaign launched nine distinct phishing campaigns during the month, primarily focusing on Poland. These campaigns exclusively employed ModiLoader to infiltrate systems and deploy various payloads, including Formbook, Agent Tesla, and Rescoms RAT, which are designed to steal sensitive information and establish remote control over compromised machines.
The phishing emails used consistent social engineering tactics, posing as legitimate business inquiries and requesting price quotes. Attackers impersonated legitimate companies and their staff to improve the campaign's success rate, and attached malicious files disguised as business documents such as RFQs or orders. The email text was written to persuade recipients to open the attachment, and the convincing impersonation meant the usual warning signs went unnoticed. Two primary methods were employed to deliver the ModiLoader executable: ISO files containing an executable with the same name as the image, or RAR archives disguised as batch scripts.
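The two delivery patterns above (disk-image attachments carrying an executable, and an archive whose name does not match its real contents) are the kind of thing a mail gateway or SOC triage script can flag before a user ever opens the file. The following is an added example, not code from the report or from the vendor that published it: a small attachment-triage heuristic that scores an attachment on its extension, on a mismatch between the file signature and the extension, and on RFQ/order-themed file names. The scores, thresholds, lure word list and all sample file names and byte contents are constructed for the example; listing the files inside an ISO image would need a full ISO 9660 parser and is out of scope here.

```python
"""
Added example (not the report's own tooling): score e-mail attachments against the
delivery patterns described for this campaign so suspicious ones can be held for review.
All names, sample bytes, weights and thresholds below are constructed for illustration.
"""
from typing import Optional

# File signatures ("magic bytes") of the container formats mentioned in the text.
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")  # RAR 4.x and RAR 5
ISO_MAGIC = b"CD001"
ISO_MAGIC_OFFSET = 0x8001  # start of the ISO 9660 primary volume descriptor
PE_MAGIC = b"MZ"           # Windows executable header

# Extensions grouped by the role they play in the delivery chain.
DISK_IMAGE_EXTS = {".iso", ".img"}
ARCHIVE_EXTS = {".rar", ".zip", ".7z"}
EXECUTABLE_EXTS = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}

# Generic RFQ/order lure words; an assumption for the example, not taken from the report.
LURE_WORDS = ("rfq", "quotation", "quote", "order", "invoice")


def sniff_container(data: bytes) -> Optional[str]:
    """Identify the real container type from the bytes, ignoring the file name."""
    if any(data.startswith(m) for m in RAR_MAGICS):
        return "rar"
    if data.startswith(PE_MAGIC):
        return "pe"
    if data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC:
        return "iso"
    return None  # plain text, PDF, or anything else this example does not sniff


def expected_type(ext: str) -> Optional[str]:
    """Container type the extension claims, for the name/content mismatch check."""
    if ext == ".rar":
        return "rar"
    if ext in DISK_IMAGE_EXTS:
        return "iso"
    if ext in {".exe", ".scr"}:
        return "pe"
    return None  # .bat, .zip, .pdf etc. are not sniffed here, so no claim to compare


def triage_attachment(name: str, data: bytes) -> dict:
    """Score one attachment and return a verdict together with the reasons for it."""
    lowered = name.lower()
    parts = lowered.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    score, reasons = 0, []

    if ext in DISK_IMAGE_EXTS:
        score += 3
        reasons.append("disk image attachment")
    elif ext in EXECUTABLE_EXTS:
        score += 3
        reasons.append("executable or script attachment")
    elif ext in ARCHIVE_EXTS:
        score += 1
        reasons.append("archive attachment")

    # Double extension such as order.pdf.exe: a document name hiding an executable.
    if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTS:
        score += 2
        reasons.append("document extension followed by another extension")

    # A RAR archive named .bat (or any sniffed type that contradicts the name).
    actual = sniff_container(data)
    if actual and actual != expected_type(ext):
        score += 4
        reasons.append(f"content is {actual} but name ends in {ext or 'no extension'}")

    if any(word in lowered for word in LURE_WORDS):
        score += 1
        reasons.append("RFQ/order themed file name")

    verdict = "quarantine" if score >= 4 else "review" if score >= 2 else "allow"
    return {"name": name, "score": score, "verdict": verdict, "reasons": reasons}


# Constructed sample attachments: name plus the first bytes a gateway would read.
SAMPLES = [
    ("RFQ_2024.iso", b"\x00" * ISO_MAGIC_OFFSET + ISO_MAGIC),  # ISO lure
    ("order_details.bat", RAR_MAGICS[1] + b"\x00" * 32),         # RAR bytes, .bat name
    ("order.pdf.exe", PE_MAGIC + b"\x90\x00"),                     # double extension
    ("quotation.rar", RAR_MAGICS[0] + b"\x00" * 32),              # honest archive
    ("price_list.pdf", b"%PDF-1.7\n"),                             # benign document
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        result = triage_attachment(name, data)
        print(f"{result['verdict']:10} {result['score']:2}  {name}  {result['reasons']}")
```

In practice the verdict feeds a quarantine or user-review queue rather than an outright block, since legitimate business archives do arrive by mail; the point of the signature check is that a RAR archive renamed to look like a script, or a disk image from an external sender, is unusual enough to warrant a human look before it reaches the user.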
ModiLoader, a Delphi-based downloader, functions as first-stage malware, fetching subsequent payloads from compromised servers or cloud storage services. These payloads, including information-stealing malware such as Agent Tesla and Formbook, are capable of exfiltrating sensitive data. The attackers leverage stolen credentials to expand their attack surface and potentially launch further malicious campaigns. The campaign also relied on typosquatted domains and compromised infrastructure to gain access to victim data.