
Cybercrime, Remcos campaign via DBatLoader/Modiloader

Remcos campaign via DBatLoader/Modiloader. The xz attachment contains an exe: the loader, which contacts a url and downloads the final malware

Remcos is delivered by an email with the subject “RE: NEW SHIPMENT DOCS TO DENMARK , KS/29/2022-23 JOB NO@2061” via DBatLoader (aliases ModiLoader and NatsoLoader).

The xz attachment contains an executable: the loader, which contacts a URL and downloads the final malware. Remcos is a cybercrime Remote Access Trojan (RAT), mainly associated with courier-themed phishing campaigns, with a wide range of functions: closely monitoring user activity, recording audio and video, capturing credentials, stealing digital currency, downloading additional payloads, and exfiltrating confidential data while evading detection and sandboxes.
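The delivery chain above (an xz archive that wraps a Windows executable acting as loader) is something a mail gateway can flag before the loader ever runs. The script below is an added example written for this page, not code from the original post or from any vendor: it checks whether an attachment is an xz stream, decompresses it under a size cap so a crafted archive cannot exhaust memory, and reports "suspicious" when the inner content carries a PE header. The sample attachments, the `DEFAULT_LIMIT` value and the function names are all constructed assumptions; the fake PE blob is a header skeleton only, not a real program.

```python
import lzma
import struct

XZ_MAGIC = b"\xfd7zXZ\x00"
# Assumption: cap on decompressed size so a decompression bomb cannot exhaust memory
DEFAULT_LIMIT = 32 * 1024 * 1024


def decompress_xz_capped(data: bytes, limit: int = DEFAULT_LIMIT) -> bytes:
    """Decompress a single-stream .xz blob, refusing to produce more than `limit` bytes."""
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_XZ)
    out = dec.decompress(data, max_length=limit)
    if not dec.eof:
        # Either the stream is truncated or more output is pending beyond the cap.
        raise ValueError("xz stream incomplete or decompressed size exceeds limit")
    return out


def looks_like_pe(blob: bytes) -> bool:
    """True if blob has a DOS 'MZ' stub whose e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_attachment(name: str, data: bytes, limit: int = DEFAULT_LIMIT) -> dict:
    """Classify one attachment: benign, or suspicious when an xz archive hides an executable
    or cannot be safely decompressed (oversized / malformed)."""
    result = {"name": name, "is_xz": data.startswith(XZ_MAGIC),
              "inner_pe": False, "verdict": "benign"}
    if not result["is_xz"]:
        return result
    try:
        inner = decompress_xz_capped(data, limit)
    except (lzma.LZMAError, ValueError) as exc:
        result["verdict"] = "suspicious"
        result["reason"] = f"undecompressable or oversized xz: {exc}"
        return result
    result["inner_pe"] = looks_like_pe(inner)
    if result["inner_pe"]:
        result["verdict"] = "suspicious"
        result["reason"] = "xz attachment wraps a Windows executable"
    return result


def _fake_pe() -> bytes:
    """Constructed minimal PE-like blob (not a runnable program): MZ stub + e_lfanew -> 'PE\\0\\0'."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew = 0x40, right after the DOS header
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


# Constructed samples standing in for the campaign's attachment; these are not real artifacts.
SAMPLE_MALICIOUS = lzma.compress(_fake_pe())
SAMPLE_BENIGN = lzma.compress(b"Shipping manifest, plain text, nothing executable here.\n")
SAMPLE_OVERSIZED = lzma.compress(b"\x00" * (2 * 1024 * 1024))   # 2 MiB of zeros, tiny on disk

if __name__ == "__main__":
    for n, d in [("SHIPMENT_DOCS.xz", SAMPLE_MALICIOUS), ("notes.xz", SAMPLE_BENIGN)]:
        print(scan_attachment(n, d))
    print(scan_attachment("bomb.xz", SAMPLE_OVERSIZED, limit=1024 * 1024))
```

The PE check deliberately follows `e_lfanew` rather than stopping at the `MZ` bytes, because plenty of benign blobs begin with those two letters; the cap in `decompress_xz_capped` matters because an attacker-supplied archive is exactly the input where a naive `lzma.decompress` call should not be trusted.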

Malware C2 – DBatLoader and Remcos
