The phishing campaign emails are often disguised as invoices, tender documentation, and other financial documents and are sent from top-level domains that correspond to the recipient’s country. Other than what is necessary to draw the recipient’s attention to the attachment, a tar.lz archive containing the DBatLoader program, the emails don’t contain much text. The odds of the victims successfully opening the attachment are decreased by the choice of such an unusual file type, but it also aids in avoiding detection by antivirus software and email security measures. To mislead the victim into opening it, the malware loader’s first stage payload impersonates a Microsoft Office, LibreOffice, or PDF document using double extensions and program icons. A second-stage payload is downloaded from a public cloud service, such as Microsoft OneDrive or Google Drive, after the malware loader has been launched. Although it’s unclear whether the threat actors utilized their own accounts or a hacked account with a clear history, Sentinel One states that in one instance, the cloud service was used to host DBatLoader for more than a month.
Binary Defense and SentinelOne advise system administrators to set Windows UAC to “Always Notify,” with the caveat that this may be excessively intrusive for some organizations. For trusted filesystem paths with trailing spaces, administrators should keep an eye out for suspicious file creations and process executions, especially in directories containing the string “Windows”.