Phishing targeting Polish SMBs continues via ModiLoader
- November 4, 2024
- Posted by: claudia
In May 2024, ESET Research observed extensive phishing campaigns targeting small and medium-sized businesses (SMBs) in Poland, Romania, and Italy, marking a continuation of similar attacks from the previous year. The campaigns were notably concentrated in Poland, where ESET protected over 21,000 users—around 80% of affected individuals—out of a total of more than 26,000 users across all targeted regions. Researchers identified nine significant phishing campaigns in May alone, signaling a persistent threat landscape for SMBs in Central and Eastern Europe.
These campaigns shifted from the previously favored AceCryptor malware delivery method to ModiLoader (also known as DBatLoader). All nine detected campaigns utilized this delivery tool to deploy three distinct malware families: Rescoms, Agent Tesla, and Formbook. Each of these malware types is designed for information theft, enhancing the attackers’ ability to collect sensitive information and sustain future attacks.
The campaigns typically employed social engineering tactics, where potential victims received seemingly legitimate emails containing business inquiries or requests for quotations. These emails were crafted to appear credible, often impersonating existing companies or employees, thus diminishing the chances of recipients recognizing the phishing attempt. The emails typically urged recipients to open malicious attachments, which were disguised as business documents.
Malicious attachments were either ISO files or compressed archives containing a highly obfuscated batch script. In instances where ISO files were utilized, they contained the executable for ModiLoader, which, if opened, would execute the malware. Conversely, RAR archives housed scripts embedded with a base64-encoded version of the ModiLoader executable, disguised as a certificate revocation list. This strategic obfuscation heightens the effectiveness of the attack, allowing malware to bypass detection.
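As an added illustration of how a defender could triage such an attachment (example code written for this summary, not ESET's tooling or a captured script): it builds a constructed batch script that echoes a base64 blob inside PEM-style "X509 CRL" armor, then checks whether the decoded payload is really a PE executable rather than DER-encoded CRL data. The armor format, the echo-based writer and both payloads are assumptions made for the example.

```python
import base64
import re
import struct
import textwrap

ARMOR = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def _minimal_pe() -> bytes:
    """Constructed MZ/PE-shaped header standing in for the hidden executable."""
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature at 0x40
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20

def _armored_echo(label: str, blob: bytes) -> str:
    """Emit a blob as PEM-style armor written line by line with batch 'echo'."""
    b64 = base64.b64encode(blob).decode()
    body = "\r\n".join("echo " + chunk for chunk in textwrap.wrap(b64, 64))
    return f"echo -----BEGIN {label}-----\r\n{body}\r\necho -----END {label}-----\r\n"

# Constructed samples (simplified stand-ins, not captured scripts)
MALICIOUS_BAT = "@echo off\r\n" + _armored_echo("X509 CRL", _minimal_pe())
BENIGN_BAT = "@echo off\r\n" + _armored_echo("X509 CRL", b"\x30\x82\x01\x00" + b"\x00" * 256)

def looks_like_pe(data: bytes) -> bool:
    """True if data starts with 'MZ' and e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    off = struct.unpack_from("<I", data, 0x3C)[0]
    return data[off:off + 4] == b"PE\x00\x00"

def embedded_pe_blocks(script: str) -> list[str]:
    """Return armor labels whose base64 payload decodes to a PE file instead of DER."""
    hits = []
    for m in ARMOR.finditer(script):
        label, body = m.group(1), m.group(2)
        tokens = B64_TOKEN.findall(body)  # skips 'echo' prefixes and line breaks
        try:
            data = base64.b64decode("".join(tokens), validate=True)
        except ValueError:
            continue
        if looks_like_pe(data):
            hits.append(label)
    return hits

if __name__ == "__main__":
    print(embedded_pe_blocks(MALICIOUS_BAT))  # ['X509 CRL']
    print(embedded_pe_blocks(BENIGN_BAT))     # []
```

A real CRL decodes to a DER SEQUENCE (first byte 0x30), so a "certificate" blob whose decoded bytes begin with an MZ header is a strong triage signal regardless of how the surrounding batch script is obfuscated.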
Upon execution, ModiLoader served as a downloader for subsequent malware payloads. In certain campaigns, it retrieved the malware from compromised servers linked to legitimate entities, including a Hungarian company, while other instances involved retrieving it from Microsoft OneDrive accounts. The malicious data exfiltration methods varied, with some data redirected to domains created using typosquatting techniques similar to prior campaigns, while other campaigns involved data being sent to a legitimate-seeming server compromised in earlier attacks.
Overall, the persistence of phishing tactics in 2024 reflects a growing sophistication among attackers who adapt their strategies based on previous successes. ESET’s findings underline how attackers exploit compromised accounts and resources to further their malicious aims, engaging in indiscriminate targeting across regions. The ability to switch between various malware families signifies an enduring threat posed to SMBs, as attackers utilize advanced techniques to penetrate corporate defenses and maximize data breach potential.
Furthermore, the evolution in the delivery mechanism—from AceCryptor to ModiLoader—illustrates a tactical shift, showcasing the necessity for enhanced cybersecurity measures. Businesses must remain vigilant and proactive against phishing attacks, prioritizing email security awareness and implementing robust threat detection systems.
In summary, the phishing campaigns detected by ESET Research in May 2024 illustrate an aggressive continuation of cybercriminal efforts targeting SMBs in Central and Eastern Europe. By leveraging effective social engineering and advanced malware delivery methods, attackers are increasingly capable of breaching corporate networks and causing significant data theft. The findings call for heightened cybersecurity awareness and comprehensive protective measures among businesses to combat such persistent threats.