Researchers have observed almost two dozen email campaigns since late June that use a combination of a known malware loader, lures related to shipping orders and purchase requests, and various legitimate services like OneDrive, in order to deliver an array of commodity malware families.
The loader, DBatLoader, has been active since 2020 and has appeared in malspam campaigns delivering various RATs and infostealers. In these latest campaigns it used several new techniques to deploy Remcos, which provides backdoor access to Windows systems; Warzone, a remote access trojan; and the Formbook and AgentTesla information stealers. The attackers leveraged OneDrive, as well as newly registered or compromised domains, to stage and retrieve additional payloads.
Researchers warned businesses that these recent campaigns signal a heightened risk of infection from commodity malware families associated with the loader’s activity.