Cybercriminals have shifted from AceCryptor to ModiLoader in recent phishing campaigns targeting Central and Eastern Europe, particularly Poland. The campaigns were active in May 2024, compromised small and medium-sized businesses, and delivered Rescoms, Agent Tesla, and Formbook malware payloads.
Attackers leveraged compromised infrastructure for email distribution, malware hosting, and data exfiltration, underscoring the ongoing threat to these organizations. Poland was the primary target of ModiLoader’s phishing attacks in May 2024, with Italy and Romania also affected.
Unlike late 2023 campaigns using AceCryptor, these attacks delivered Formbook, Agent Tesla, and Rescoms malware via ModiLoader to steal sensitive information from over 26,000 users, with 80% of victims located in Poland.
The attackers employed a consistent phishing playbook in May 2024 by impersonating legitimate businesses, sending emails with seemingly genuine business proposals and attaching malicious documents containing ModiLoader.
These emails often used simple language and avoided obvious red flags, making them appear authentic, which, combined with the use of ModiLoader, significantly increased the campaign’s success rate.
To initiate infections, attackers used either ISO files containing ModiLoader executables or RAR archives containing obfuscated batch scripts that decode an embedded ModiLoader binary.
The phishing campaigns leveraged compromised servers and OneDrive accounts to host and distribute subsequent malware payloads, including Formbook, Agent Tesla, and Rescoms, targeting victims primarily in Poland.
Agent Tesla, Rescoms, and Formbook, deployed as final payloads, specialize in data exfiltration, and the stolen data enriches the threat actors’ intelligence for subsequent attacks. The campaigns showcased diverse exfiltration methods.
One notable tactic involved SMTP transmission to a typosquatted domain masquerading as a German company, echoing a strategy previously observed in Rescoms attacks. It shows threat actors evolving their techniques by repurposing methods that have already succeeded.
Alternatively, data was exfiltrated to a Romanian guest house’s web server, likely compromised in prior campaigns, highlighting the exploitation of compromised infrastructure for persistent malicious activities and underscoring the complex nature of modern cyber threats.
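The SMTP exfiltration to a typosquatted domain described above can be hunted in outbound mail logs. The following is an added example, not code from ESET or the original article: it flags recipient domains within a small edit distance of domains the organisation actually mails. The log layout, the domain list and all sample values are constructed assumptions.

```python
import re

# Assumption: domains the organisation legitimately mails (constructed, reserved .example TLD).
KNOWN_DOMAINS = {"muster-logistik.example", "partner-bank.example"}
# Constructed outbound SMTP log lines; the field layout is hypothetical.
SAMPLE_LOG = """\
2024-05-14T09:12:03Z src=10.0.4.21 rcpt=orders@muster-logistik.example size=18211
2024-05-14T09:12:41Z src=10.0.4.37 rcpt=log@muster-logistlk.example size=40412
2024-05-14T09:13:02Z src=10.0.4.37 rcpt=log@mutser-logistik.example size=39877
2024-05-14T09:15:10Z src=10.0.4.8 rcpt=info@unrelated-shop.example size=2048
"""
RCPT_RE = re.compile(r"src=(\S+)\s+rcpt=[^@\s]+@(\S+)")


def osa_distance(a, b):
    """Optimal string alignment distance: single edits plus adjacent transpositions."""
    # Border cells hold the cost of building a prefix from the empty string.
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_of(domain, known=KNOWN_DOMAINS, max_dist=2):
    """Return the known domain that `domain` imitates, or None."""
    domain = domain.lower().rstrip(".")
    if domain in known:
        return None  # exact match is legitimate traffic
    for good in sorted(known):
        # Short names get a tighter threshold to limit false positives.
        limit = 1 if len(good) < 10 else max_dist
        if osa_distance(domain, good) <= limit:
            return good
    return None


def flag_exfil_candidates(log_text):
    """Return (source, recipient domain, imitated domain) for suspicious lines."""
    hits = []
    for line in log_text.splitlines():
        m = RCPT_RE.search(line)
        if m and (good := lookalike_of(m.group(2))):
            hits.append((m.group(1), m.group(2), good))
    return hits
```

Calling `flag_exfil_candidates(SAMPLE_LOG)` reports the two look-alike recipients sent from 10.0.4.37 and ignores both the legitimate partner domain and the unrelated one.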
According to ESET Research, cybercriminals will continue targeting small and medium-sized businesses in Central and Eastern Europe, particularly Poland, with ModiLoader-based phishing attacks in the first half of 2024.
These campaigns, delivering malware like Rescoms, Agent Tesla, and Formbook, exploit compromised systems to spread further, demonstrating adaptability in malware choice and a persistent threat landscape.