
DBatLoader Leverages OneDrive to Deliver Commodity Malware
The malware loader was recently observed in almost two dozen email campaigns that appeared to target English speakers and involved lures related to shipping orders and billing, invoice and purchase requests or inquiries.

Researchers have observed almost two dozen email campaigns since late June that use a combination of a known malware loader, lures related to shipping orders and purchase requests, and various legitimate services like OneDrive, in order to deliver an array of commodity malware families.

The loader malware, DBatLoader, has been active since 2020 and has been distributed in malspam campaigns to deliver various RATs and infostealers. In these latest campaigns, the malware used several new techniques to deploy Remcos, which provides backdoor access to Windows systems; Warzone, a remote access trojan; and the Formbook and AgentTesla information stealers. The attackers leveraged OneDrive, as well as newly registered or compromised domains, for staging and retrieving additional payloads.

Researchers warned businesses that these recent campaigns signal a heightened risk of infection from commodity malware families associated with the loader’s activity.

“Due to the sophistication of DBatLoader phishing techniques and improvements to the malware itself, it is likely that infections with DBatLoader and follow-on payloads will rise,” said Ole Villadsen, Golo Mühr and Kat Metrick with the IBM X-Force team in an analysis this week.

The malware’s capabilities include UAC bypass and persistence tactics, various process injection techniques and process hollowing. DBatLoader also supports the injection of shellcode payloads. Additionally, in several attacks, researchers said the threat actors also used “sufficient control over the email infrastructure to enable malicious emails to pass SPF, DKIM, and DMARC email authentication methods.”

The malware is still under active development, said researchers, pointing to its latest version’s failed attempts at DLL hooking in attacks.

“DLL hooking is commonly used to bypass AMSI; however, most of DBatLoader’s current hooking implementations are flawed, rendering it ineffective,” said researchers. “The experimental coding style and frequent implementation changes suggest that some of the loader’s functionality is still a work in progress.”

While DBatLoader campaigns targeted organizations in Europe and Eastern Europe earlier this year, researchers said that in these recent campaigns most of the email content appeared to target English speakers (although some emails were in Spanish and Turkish). The malicious emails used either ISO images or several archive file formats (such as .tar, .zip or .rar) to deliver DBatLoader. The lures of these emails, meanwhile, were related to shipping orders and billing, invoice and purchase requests or inquiries.
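The characteristics above (ISO or archive attachments, shipping and invoice lures, OneDrive-hosted payloads, and emails that nonetheless pass SPF, DKIM and DMARC) combine naturally into a mail-gateway triage rule. The following Python is an added example written for this article, not code from IBM X-Force or from any product; it parses a constructed RFC 5322 message with the standard library, scores the indicators, and deliberately does not let a passing Authentication-Results header lower the score, since the report states the actors controlled enough infrastructure to pass all three checks. The keyword list, the OneDrive hostnames matched, the score weights and the sample message are all assumptions of this example.

```python
# Added example (not from the article or IBM X-Force): a mail-gateway triage
# rule combining the DBatLoader campaign characteristics described above.
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Container formats the article says were used to deliver the loader.
CONTAINER_EXTENSIONS = (".iso", ".tar", ".zip", ".rar")
# Lure themes named in the article; the exact word list is an assumption.
LURE_KEYWORDS = ("shipping", "shipment", "order", "invoice", "billing",
                 "purchase", "inquiry", "enquiry")
# OneDrive share-link hosts; which hosts to match is an assumption here.
CLOUD_LINK = re.compile(r"https?://(?:[\w.-]*onedrive\.live\.com|1drv\.ms)/\S+", re.I)


def auth_results(msg: EmailMessage) -> dict:
    """Read the receiving server's Authentication-Results header into flags."""
    header = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return {m: f"{m}=pass" in header for m in ("spf", "dkim", "dmarc")}


def container_attachments(msg: EmailMessage) -> list:
    """Return attachment filenames ending in an ISO or archive extension."""
    found = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(CONTAINER_EXTENSIONS):
            found.append(name)
    return found


def lure_matches(msg: EmailMessage) -> list:
    """Return lure keywords found in the subject or the plain-text body."""
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    return [k for k in LURE_KEYWORDS if k in text]


def triage(raw: str) -> dict:
    """Score a raw message against the campaign's combined TTPs.

    Passing SPF/DKIM/DMARC is recorded for the analyst but never reduces
    the score: the article notes the actors passed all three.
    """
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content() if body else ""
    result = {
        "auth": auth_results(msg),
        "containers": container_attachments(msg),
        "lures": lure_matches(msg),
        "cloud_links": CLOUD_LINK.findall(body_text),
    }
    score = 0
    if result["containers"]:   # the delivery vehicle is the strongest signal
        score += 2
    if result["lures"]:
        score += 1
    if result["cloud_links"]:
        score += 1
    result["score"] = score
    result["verdict"] = "hold_for_review" if score >= 3 else "deliver"
    return result


def build_sample(attachment_name: str = "PO-4471.iso", include_link: bool = True) -> str:
    """Constructed test message resembling the lure described in the article.

    Sender, recipient, filename and link are placeholders, not real IoCs.
    """
    msg = EmailMessage()
    msg["From"] = "accounts@example.net"
    msg["To"] = "payables@example.com"
    msg["Subject"] = "Purchase order and invoice inquiry"
    msg["Authentication-Results"] = "mx.example.com; spf=pass; dkim=pass; dmarc=pass"
    text = "Please confirm the attached shipping order."
    if include_link:
        text += "\nCopy: https://onedrive.live.com/placeholder"
    msg.set_content(text)
    msg.add_attachment(b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_string()


if __name__ == "__main__":
    print(triage(build_sample()))
    print(triage(build_sample(attachment_name="PO-4471.pdf", include_link=False)))
```

Running the block prints a `hold_for_review` verdict for the ISO-bearing sample and `deliver` for an otherwise identical message carrying a PDF and no cloud link, which illustrates the point of the rule: the lure wording alone is common business traffic, so the attachment type and hosting location carry the weight, and the authentication flags are informational only.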

“To combat this, security teams are encouraged to renew vigilance around TTPs associated with DBatLoader campaigns, such as abuse of public cloud infrastructure, and characteristics of the new variants of the malware observed by X-Force,” said researchers.