ESET Research investigates phishing campaigns employing infostealers against businesses in Poland, Romania, and Italy

  • ESET detected nine notable ModiLoader phishing campaigns during May 2024 in Poland, Romania, and Italy.
  • These campaigns targeted small and medium-sized businesses.
  • Seven of the campaigns targeted Poland, where ESET products protected over 21,000 users from these attacks.
  • Attackers deployed three infostealer malware families via ModiLoader: Rescoms, Agent Tesla, and Formbook.
  • Attackers used previously compromised email accounts and company servers, not only to spread malicious emails but also to host malware and collect stolen data. 

BRATISLAVA, July 30, 2024 — ESET researchers investigated nine widespread phishing campaigns targeting small and medium-sized businesses (SMBs) in Poland, Romania, and Italy during May 2024, distributing various malware families. In comparison with the previous year, the attackers targeting the region shifted away from AceCryptor to ModiLoader as their delivery tool of choice and added more malware families as well. Attackers used previously compromised email accounts and company servers, not only to spread malicious emails but also to host malware and collect stolen data. In May 2024 alone, ESET products protected over 26,000 users – over 21,000 (80%) of whom were in Poland – against this threat.

“In total we registered nine phishing campaigns, seven of which targeted Poland throughout May,” says Jakub Kaloč, who analyzed the phishing campaigns. “The final payload to be delivered and launched on the compromised machines varied; we’ve detected campaigns delivering the information stealing Formbook; the remote access trojan and information stealer Agent Tesla; and Rescoms RAT, which is remote control and surveillance software that is able to steal sensitive information,” he adds.

In general, all the campaigns followed a similar scenario. The targeted company received an email message with a business offer. As in the phishing campaigns of H2 2023, attackers impersonated existing companies and their employees as the technique of choice to increase their campaign success rate. In this way, even if the potential victim looked for the usual red flags (aside from potential translation mistakes), they just weren’t there, and the email looked as legitimate as it could have.

Emails from all campaigns contained a malicious attachment that the potential victim was incentivized to open, based on the text of the email. The file itself was either an ISO file or an archive containing the ModiLoader executable. ModiLoader is a Delphi downloader with a simple task – to download and launch malware. In two of the campaigns, ModiLoader samples were configured to download the next-stage malware from a compromised server belonging to a Hungarian company. In the rest of the campaigns, ModiLoader downloaded the next stage from Microsoft’s OneDrive cloud storage.
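The delivery pattern above (an ISO image or an archive carrying the loader executable) is what a mail gateway or triage script can key on. The following is an added example, not ESET's code: it detects ISO 9660 images by their volume descriptor and inspects ZIP members for Windows executables, using constructed sample attachments rather than real campaign artifacts.

```python
"""Attachment triage for the ISO / archive-with-executable delivery pattern.

Added example (not ESET's code). Sample attachments are constructed in
memory so the check runs offline; none of them is a real campaign file.
"""
import io
import zipfile

ISO_MAGIC = b"CD001"          # ISO 9660 volume descriptor identifier
ISO_MAGIC_OFFSET = 0x8001     # sector 16 (16 * 2048 bytes) + 1-byte type field
PE_MAGIC = b"MZ"              # DOS header that every Windows PE file starts with
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".dll")


def is_iso_image(data: bytes) -> bool:
    """True if the blob carries an ISO 9660 volume descriptor at sector 16."""
    return data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC


def is_pe_file(name: str, head: bytes) -> bool:
    """True if a member looks executable by header bytes or by extension."""
    return head[:2] == PE_MAGIC or name.lower().endswith(EXEC_EXTENSIONS)


def triage_attachment(filename: str, data: bytes) -> dict:
    """Classify one attachment.

    Returns {'filename', 'container', 'executables', 'risky'}. ISO images are
    flagged outright (the page lists them as one of the two containers used);
    ZIP archives are flagged only when a member looks like an executable.
    """
    result = {"filename": filename, "container": None,
              "executables": [], "risky": False}
    if is_iso_image(data):
        result["container"] = "iso"
        result["risky"] = True
        return result
    if zipfile.is_zipfile(io.BytesIO(data)):
        result["container"] = "zip"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                with zf.open(info) as member:
                    head = member.read(2)       # only the header is needed
                if is_pe_file(info.filename, head):
                    result["executables"].append(info.filename)
        result["risky"] = bool(result["executables"])
    return result


def build_samples() -> dict:
    """Constructed sample attachments (placeholders, not campaign files)."""
    iso = bytearray(ISO_MAGIC_OFFSET + len(ISO_MAGIC))
    iso[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] = ISO_MAGIC
    benign = io.BytesIO()
    with zipfile.ZipFile(benign, "w") as zf:
        zf.writestr("offer_2024.pdf", b"%PDF-1.4 constructed placeholder")
    loader = io.BytesIO()
    with zipfile.ZipFile(loader, "w") as zf:
        # double extension plus a PE header, the shape a loader drop takes
        zf.writestr("Business_Offer.pdf.exe", PE_MAGIC + b"\x00" * 62)
    return {"offer.iso": bytes(iso),
            "offer.zip": benign.getvalue(),
            "oferta.zip": loader.getvalue()}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(triage_attachment(name, blob))
```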

For more information about the ModiLoader campaigns, read the blogpost “Phishing targeting Polish SMBs continues via ModiLoader” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X) for the latest news from ESET Research.

Chain of compromise of ModiLoader phishing campaigns in Poland during May 2024.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

How Distilled upgraded its legacy VPN with a cloud-based solution for remote network access

Founded in 1997, Distilled emerged as a pioneering real estate platform designed to simplify the property search for buyers in Ireland. Over the years, the company expanded through acquisitions and partnerships, such as Daft.ie, DoneDeal.ie and Adverts.ie, and became part of the international group, Adevinta. Today, Distilled focuses on managing these major brands within Ireland, offering comprehensive real estate and classified advertisement services.

Profile of Distilled

Being established in the 90s means that the technological stack is based on bespoke applications not fully compatible with all types of modern security platforms. The dedicated team had to manually configure, maintain, and upgrade the company’s physical infrastructure whether it was holidays, weekends, or after-hours. Transitioning to a modern company mindset, Distilled had to change its approach — IT Operations Manager Joe O’Brien shared how it happened.

The challenge

Complex infrastructure support for remote teams

Key pain points

As the global pandemic shifted work from office to home, Distilled faced significant challenges with their legacy applications, which were accessible only through an office IP address.

“When COVID hit, employees were scattered across the country. To access our internal systems, we were using our office VPN to provide our users secure IP access — that’s what we’ve been using for the last couple of years.”

This setup granted employees access to essential systems, enabling productivity across dispersed locations. However, working with legacy applications required extra labor to support them, expanding the work scope for the IT team.

“There’s a lot of infrastructure which we have to maintain: local internet, firewalls, access servers and connections between our office to remote locations. Infrastructure was too complex, had too many fail points, and was not designed as a full-time solution for all employees working remotely.”

The situation called for a revision of the existing technology stack. It was necessary to replace complex applications with solutions that are easy to use and don’t require a hands-on presence. These changes enabled remote teams to access the company network securely.

The solution

Focus on a simple and secure solution

Main criteria for choosing the solution

Distilled turned to NordLayer to address their connectivity and security challenges. By implementing NordLayer’s dedicated server option, the company secured a fixed IP address, simplifying remote access without the need for complex and unreliable VPN setups.

“We looked into a solution that was simple and guaranteed a fixed IP address for all of our employees. We could then use that IP as one of the security checks on our systems to grant remote workers access. NordLayer checked all the boxes I had in mind.”

The integration with Distilled’s Identity and Access Management solution ensured that only company-managed devices could access these systems, enhancing overall security.

“Integration with our IAM system allowed us to quickly onboard all staff, utilising 2FA access to NordLayer from company-managed devices, and assign a fixed IP address as a secure configuration.”

Distilled has a layered security strategy, one layer of which is based on fixed IP addresses to confirm and control user access. This way the IT team can coordinate permissions, manage employee accounts, and ensure that the company network sits behind a sufficient security layer.

Moreover, the company settled on two dedicated servers, so it can rest assured that if the primary server goes down or is overloaded, the backup server will keep service levels unimpacted.

Why choose NordLayer

NordLayer was selected for its simplicity, reliability, and ease of integration. Unlike other solutions that required additional infrastructure, NordLayer offered a straightforward, out-of-the-box solution.

“The internal infrastructure team maintains and manages the application systems, while the IT team looks after the access security, ensuring that our employees get into the network with ease. NordLayer takes the complexity away from providing our end users with these services.”

NordLayer allowed the IT team at Distilled to deploy a secure access system in minutes, significantly reducing the administrative overhead associated with managing traditional VPN solutions.

A hardware-free solution to securely connect to the company network

Distilled was looking for an easy way to give all their end users a single fixed IP address for the whole company. Other systems they looked at required adding additional infrastructure into their offices, which the team had to manage themselves. With NordLayer, it’s all included.

The outcome

Removing the complexity for the user and IT team

The benefits of implementing NordLayer

The adoption of NordLayer has led to a more flexible and secure remote working environment at Distilled. Employees now enjoy seamless access to critical applications without the hassles of a traditional VPN.

“The setup from a client perspective was very easy: download the app, click on the SSO login button and you are in.”

The solution has proven reliable, with no significant downtime reported, allowing the IT team to focus on more strategic tasks rather than maintaining complex network infrastructures.

“NordLayer saved so much time and it takes so much pressure off our small IT team. VPN support was needed outside of normal working hours. Previously, any time our VPN would drop, someone needed to go to the site to fix the issue. Now that we have NordLayer, it just works all the time.”

Moreover, the IT Operations Manager has received a lot of positive feedback from users: the app runs in the background and doesn’t interfere with their work, and he himself has nothing to worry about.

Pro cybersecurity tips

In cybersecurity, you have to know the drill: how to practise security, prevent data breaches, and stay off the bad actors’ radar. To achieve it you don’t have to climb mountains, just be cautious and aware. Here are some tips on how Joe O’Brien, Distilled IT Operations Manager, practises security on a daily basis; you are welcome to adopt these habits.

Through strategic use of technology and a focus on security, Distilled has not only adapted to remote work challenges but has also positioned itself as a leader in using cybersecurity solutions to enhance business operations.

About NordLayer
NordLayer is an adaptive network access security solution for modern businesses – from the world’s most trusted cybersecurity brand, Nord Security.

The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

The Need for Automatic, Unified Detection and Response for MSPs Protecting Small Businesses

Navigating the Landscape of Cybersecurity: Understanding EDR, SIEM, SOAR, XDR, and MDR 

In the rapidly evolving landscape of cybersecurity, acronyms such as EDR, SIEM, SOAR, XDR, and MDR are becoming increasingly familiar. However, their distinct functionalities and the specific roles they play in enhancing organizational security can sometimes be confusing. This article aims to demystify these terms and elucidate how each contributes to a robust cybersecurity strategy.

Endpoint Detection and Response (EDR)

EDR solutions are designed to monitor and respond to threats at the endpoint level. This involves continuously collecting data from endpoint devices and analyzing it for signs of malicious activity. When a threat is detected, EDR systems can contain and mitigate it, often in real-time. A crucial aspect of EDR is its investigation capabilities, which include accessing historical data and enabling proactive threat hunting. The key strengths of EDR lie in its ability to provide detailed visibility into endpoint activities, enabling swift identification and response to potential threats. By focusing on endpoints, EDR ensures that individual devices are not only monitored but also protected against advanced persistent threats and malware.

Security Information and Event Management (SIEM)

SIEM systems aggregate and analyze log data from a wide range of sources within an organization’s IT infrastructure. By normalizing and correlating events from different systems, SIEM can identify patterns that might indicate a security incident. SIEM solutions provide a centralized view of an organization’s security posture, offering real-time monitoring and historical analysis. They are invaluable for compliance reporting and forensic investigations, as they can trace the steps of an attacker through the network. However, SIEMs tend to be labor-intensive and require security experts to operate them effectively. The primary advantage of SIEM is its ability to provide comprehensive insights into security events across the entire IT environment, thereby enabling more informed decision-making and strategic planning.

Security Orchestration, Automation, and Response (SOAR)

SOAR platforms enhance the efficiency and effectiveness of security operations by automating routine tasks and orchestrating complex workflows. By integrating with various security tools, SOAR can streamline incident response processes, from initial alerting to remediation. This automation not only reduces the burden on security teams but also ensures a faster and more consistent response to threats. Additionally, SOAR platforms facilitate collaboration and coordination among different security functions, fostering a more cohesive and proactive security posture.

Extended Detection and Response (XDR)

XDR represents an evolution in threat detection and response, integrating data from multiple security layers, including endpoints, networks, servers, and applications. This holistic approach allows for more accurate detection of sophisticated threats that may evade traditional security measures. XDR solutions are designed for large enterprise environments running many different tools managed by different teams. They provide a unified platform for threat detection, investigation, and response, breaking down silos between different security tools and offering a more comprehensive view of an organization’s security landscape. The primary benefit of XDR is its ability to deliver correlated insights and actionable intelligence, enhancing the organization’s ability to detect and respond to advanced threats effectively.

Managed Detection and Response (MDR)

MDR services offer a managed approach to threat detection and response, combining advanced technology with human expertise. These services provide continuous monitoring and analysis of security threats, along with proactive threat hunting and incident response. MDR is particularly valuable for organizations that lack the in-house resources or expertise to effectively manage their security operations. By outsourcing these functions to specialized providers, businesses can ensure a high level of security while focusing on their core operations. MDR services are designed to provide rapid detection and response to threats, minimizing the potential impact of security incidents.

The Need for Automatic, Unified Detection and Response for MSPs Protecting SMBs

In today’s dynamic threat environment, businesses require solutions that offer automatic and unified detection and response capabilities. The integration of capabilities that exist within Endpoint Detection and Response (EDR), Security Information and Event Management (SIEM), Security Orchestration, Automation, and Response (SOAR), Extended Detection and Response (XDR), and Managed Detection and Response (MDR) solutions enables organizations to achieve a cohesive and comprehensive security posture. Automatic detection and response systems minimize the time to detect and respond to threats, reducing potential damage and operational disruption. Unified platforms ensure seamless communication and coordination among different security tools, providing a holistic view of the security landscape and enabling more effective threat management.

The Role of MSPs in SMB Security

Managed Service Providers (MSPs) play a critical role in safeguarding Small and Medium-sized Businesses (SMBs). SMBs often lack the resources and expertise to manage complex security infrastructures on their own. MSPs fill this gap by offering specialized security services that are both cost-effective and robust. However, the increasing volume and sophistication of cyber threats necessitate the adoption of more advanced security measures.

Importance of Automatic Detection and Response

  1. Efficiency and Scalability: Automatic detection and response systems powered by artificial intelligence (AI) enable MSPs to protect more clients without a proportional increase in resources. These systems can handle large volumes of data and analyze it in real-time, identifying threats that manual processes might miss. This scalability is crucial for MSPs managing multiple SMBs, ensuring each client receives the same high level of protection.
  2. Speed and Accuracy: The speed at which threats are detected and responded to can significantly impact the extent of damage. Automatic systems reduce the time from detection to response, often mitigating threats before they cause significant harm. AI-driven solutions can identify patterns and anomalies faster and more accurately than human analysts, ensuring quicker containment and resolution of threats.
  3. 24/7 Monitoring and Response: Cyber threats can occur at any time, making continuous monitoring essential. Automatic systems provide round-the-clock surveillance, ensuring that potential threats are detected and addressed promptly, regardless of when they occur. This constant vigilance is particularly valuable for SMBs, which may not have the resources to maintain a full-time, in-house security team.

Unified Platforms for Cohesive Security

  1. Seamless Integration: Unified detection and response platforms integrate various security tools and technologies into a single, cohesive system. This integration ensures that all components work together seamlessly, providing a comprehensive view of the security landscape. For MSPs, this means easier management and coordination of security measures across multiple clients.
  2. Improved Communication and Coordination: Unified platforms facilitate better communication and coordination among different security tools. This interoperability allows for more efficient threat management, as information and alerts from various sources are consolidated into a single dashboard. MSPs can quickly assess the security status of all their clients and respond to threats in a coordinated manner.
  3. Holistic Threat Management: By unifying detection and response capabilities, MSPs can offer a more holistic approach to threat management. This approach not only addresses immediate threats but also identifies underlying vulnerabilities and trends, allowing for proactive measures to be implemented. SMBs benefit from a more resilient and adaptable security posture, capable of withstanding evolving cyber threats.

The Impact of AI on Cybersecurity

Artificial Intelligence (AI) has revolutionized the field of cybersecurity by enhancing the capabilities of detection and response systems. AI-driven solutions can analyze vast amounts of data in real-time, identifying patterns and anomalies that may indicate a security threat. Machine learning algorithms enable these systems to continuously improve their accuracy and efficiency, adapting to new and evolving threats. AI-powered automation in SOAR and XDR platforms accelerates incident response times and reduces the burden on security teams. Moreover, AI-driven threat intelligence provides actionable insights, enabling proactive threat hunting and more informed decision-making.

Guardz: Unified Security for MSPs and SMBs

Guardz offers a unique solution tailored for Managed Service Providers (MSPs) to secure Small and Medium-sized Businesses (SMBs). Our platform provides a unified approach to cybersecurity, combining many of these functionalities into a single, cohesive system. Guardz leverages AI to enable automatic detection and response, seamlessly connecting the dots between different incidents or events derived from our comprehensive security stack. This ensures swift identification and mitigation of threats. By streamlining security operations through a unified platform, Guardz allows MSPs to efficiently manage their clients’ security needs, providing comprehensive protection and peace of mind. Our solution is designed to reduce complexity, enhance threat visibility, and ensure rapid response, making it an ideal choice for MSPs aiming to secure SMBs against evolving cyber threats. Join hundreds of MSPs in our community and start a 14-day free trial.

Conclusion

In today’s environment, the need for automatic detection and response to protect small and medium-sized businesses has never been greater. As cyber threats continue to rise and grow in sophistication, Managed Service Providers (MSPs) must be equipped with powerful tools to tackle these challenges.

Understanding the distinct roles of EDR, SIEM, SOAR, XDR, and MDR is crucial for developing a comprehensive cybersecurity strategy. Each of these solutions addresses different aspects of security, from endpoint protection and event correlation to automated response and integrated threat detection. By leveraging the strengths of these technologies and embracing AI-driven advancements, organizations can build a more resilient and adaptive defense against the ever-evolving threat landscape.

For small and medium businesses, which are often targeted due to their perceived vulnerabilities, staying informed about the latest advancements in security technology is essential. Embracing a multi-faceted approach to cybersecurity ensures that these organizations are well-equipped to protect their critical assets and maintain business continuity. Automatic detection and response capabilities, powered by AI, are not just beneficial but necessary to swiftly identify and mitigate threats, providing robust protection in an increasingly dangerous digital world.

About Guardz
Guardz is on a mission to create a safer digital world by empowering Managed Service Providers (MSPs). Their goal is to proactively secure and insure Small and Medium Enterprises (SMEs) against ever-evolving threats while simultaneously creating new revenue streams, all on one unified platform.
