The fake PDF attached to the "PURCHASE ORDER 05-30-2023" email contains a link from which a tgz file is downloaded; the tgz holds a TAR, inside which is an exe: the malware.
Cybercrime, Remcos campaign via DBatLoader
Remcos is delivered by an email with the subject “RE: Document Required – Al Ansari & Partners Trading Co/Supplier No : 400667322” via DBatLoader (also known as ModiLoader and NatsoLoader).
The RAR attachment contains an exe, the loader, which contacts a URL and downloads the final payload. Remcos is a commodity Remote Access Trojan (RAT) used by cybercrime actors, mainly associated with courier-themed phishing campaigns, and offers a wide range of functions: monitoring user activity, recording audio and video, capturing credentials, stealing cryptocurrency, downloading additional payloads and exfiltrating confidential data, while evading detection and sandboxes.
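Both campaigns above share the same delivery pattern: an archive attachment (tgz wrapping a TAR, or a RAR) that ultimately carries a Windows executable. The following is an added example from the editor, not code from CERT-AGID or from the campaigns described: a mail-gateway style check that walks nested tar/tgz archives in memory and flags any member that starts with the PE "MZ" magic or carries an executable extension without it. The sample archive it scans is constructed inline (a 64-byte "MZ" stub, not real malware) and the file names in it are hypothetical; it uses only the Python standard library.

```python
import io
import tarfile

MZ = b"MZ"  # DOS/PE header magic at offset 0 of every Windows executable
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".dll")


def scan_archive_bytes(data, path="attachment", depth=0, max_depth=4):
    """Recursively inspect a tar/tgz blob and return [(nested_path, reason), ...].

    Each member is tested for the MZ magic first, then opened as a nested
    archive; plain files that are not archives yield no findings.
    """
    if depth > max_depth:  # refuse archive bombs / endless nesting
        return [(path, "nesting depth exceeded")]
    if data[:2] == MZ:
        return [(path, "PE executable (MZ header)")]
    try:
        tf = tarfile.open(fileobj=io.BytesIO(data), mode="r:*")  # auto-detects gzip/bz2/xz
    except (tarfile.TarError, OSError, EOFError):
        return []  # not a tar-family archive: nothing more to unpack
    findings = []
    with tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            fobj = tf.extractfile(member)
            content = fobj.read() if fobj else b""
            child = f"{path}/{member.name}"
            findings.extend(scan_archive_bytes(content, child, depth + 1, max_depth))
            # executable extension but no MZ header: still worth a look (renamed script, stub, etc.)
            if member.name.lower().endswith(EXEC_EXT) and content[:2] != MZ:
                findings.append((child, "executable extension without MZ header"))
    return findings


def _add_member(tf, name, payload):
    """Helper: add an in-memory file to a TarFile opened for writing."""
    info = tarfile.TarInfo(name)
    info.size = len(payload)
    tf.addfile(info, io.BytesIO(payload))


def build_sample_tgz():
    """Constructed sample mimicking the tgz -> TAR -> exe chain (hypothetical names, stub bytes)."""
    fake_exe = MZ + b"\x90" * 62  # only the magic, not a runnable PE
    inner = io.BytesIO()
    with tarfile.open(fileobj=inner, mode="w") as tf:
        _add_member(tf, "PURCHASE_ORDER.exe", fake_exe)
        _add_member(tf, "readme.txt", b"ordinary text member")
    outer = io.BytesIO()
    with tarfile.open(fileobj=outer, mode="w:gz") as tf:
        _add_member(tf, "PURCHASE_ORDER.tar", inner.getvalue())
    return outer.getvalue()


def build_benign_tgz():
    """Constructed control sample with no executable content."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        _add_member(tf, "invoice.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_archive_bytes(build_sample_tgz(), "PURCHASE_ORDER.tgz"):
        print(f"{hit[0]}: {hit[1]}")
```

The RAR variant is handled the same way, but the standard library has no RAR reader; the third-party `rarfile` module (which shells out to `unrar`) exposes a comparable `namelist()`/`read()` interface and can be slotted into the same recursive walk. Checking the magic bytes rather than trusting the member name is the point: a loader renamed to `.pdf` inside the archive is still caught.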