Saturday, January 6, 2024

Threat Group Using Unusual Data Transfer Tactic in New RemcosRAT Campaign


A threat actor known for repeatedly targeting organizations in Ukraine with the RemcosRAT remote surveillance and control tool is at it again, this time with a new tactic for transferring data without triggering endpoint detection and response systems.

The adversary, tracked as UNC-0050, is focused on Ukrainian government entities in its latest campaign. Researchers at Uptycs who observed it said the attacks may be politically motivated, with the goal of collecting specific intelligence from Ukrainian government agencies. “While the possibility of state sponsorship remains speculative, the group’s activities pose an undeniable risk, especially to government sectors reliant on Windows systems,” Uptycs researchers Karthickkumar Kathiresan and Shilpesh Trivedi wrote in a report this week.

The RemcosRAT Threat

Threat actors have been using RemcosRAT — which started life as a legitimate remote administration tool — to control compromised systems since at least 2016. Among other things, the tool allows attackers to gather and exfiltrate system, user, and processor information. It can bypass many antivirus and endpoint threat detection tools and execute a variety of backdoor commands. In many instances threat actors have distributed the malware as attachments in phishing emails.

Uptycs has not been able to determine the initial attack vector in the latest campaign just yet but said it is leaning toward job-themed phishing and spam emails as the most likely malware distribution method. The security vendor based its assessment on emails it reviewed that purported to offer targeted Ukrainian military personnel consultancy roles with Israel’s Defense Forces.

The infection chain itself begins with a .lnk file that gathers information about the compromised system and then retrieves an HTML application named 6.hta from an attacker-controlled remote server using a Windows native binary, Uptycs said. The retrieved application contains a PowerShell script that initiates steps to download two further payload files (word_update.exe and ofer.docx) from an attacker-controlled domain and — ultimately — to install RemcosRAT on the system.

A Somewhat Unusual Tactic

What makes UNC-0050’s new campaign different is the threat actor’s use of a Windows interprocess communication feature called anonymous pipes to transfer data on compromised systems. As Microsoft describes it, an anonymous pipe is a one-way communication channel for transferring data between a parent and a child process. UNC-0050 is taking advantage of the feature to covertly channel data without triggering any EDR or antivirus alerts, Kathiresan and Trivedi said.

UNC-0050 is not the first threat actor to use pipes to exfiltrate stolen data, but the tactic remains relatively uncommon, the Uptycs researchers noted. “Although not entirely new, this technique marks a significant leap in the sophistication of the group’s methods,” they said.
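To make the mechanism behind the tactic concrete, here is an added example, written for this page and not taken from Uptycs’ report or from the campaign’s tooling. It moves a payload from a parent process to a child it spawns over an anonymous pipe using Python’s `os.pipe()`, the POSIX counterpart of the Windows `CreatePipe` primitive the article refers to, and returns the few facts a host sensor could still record about the transfer. The child script, the function name `transfer_via_anonymous_pipe` and the sample payload are all constructed for the illustration.

```python
"""
Parent-to-child transfer over an anonymous pipe.

Example written for this page (not Uptycs' or the campaign's code). The
data never touches the filesystem, which is why file-write telemetry does
not see it; what remains observable is the process-creation event that
links parent and child and whatever the child does with the data.
Uses POSIX os.pipe()/pass_fds; the Windows equivalent is CreatePipe with
an inheritable handle.
"""
import hashlib
import os
import subprocess
import sys

# Child side (constructed for this example): drain the inherited read end
# and report a SHA-256 digest so the parent can confirm the bytes arrived
# intact. It receives nothing but a file-descriptor number on argv.
CHILD_SCRIPT = r"""
import hashlib, os, sys
fd = int(sys.argv[1])          # read end handed down by the parent
data = b""
while True:
    chunk = os.read(fd, 4096)
    if not chunk:              # EOF: every write end has been closed
        break
    data += chunk
os.close(fd)
sys.stdout.write(hashlib.sha256(data).hexdigest())
"""


def transfer_via_anonymous_pipe(payload: bytes) -> dict:
    """Send `payload` to a freshly spawned child over an anonymous pipe and
    return the facts a defender-side sensor could still observe."""
    read_fd, write_fd = os.pipe()  # one-way: parent writes, child reads

    child = subprocess.Popen(
        [sys.executable, "-c", CHILD_SCRIPT, str(read_fd)],
        pass_fds=(read_fd,),       # only the read end is inherited
        stdout=subprocess.PIPE,    # note: stdout capture is itself an anonymous pipe
    )
    os.close(read_fd)              # parent keeps only the write end

    # Closing the write end after the payload is the child's EOF signal.
    with os.fdopen(write_fd, "wb") as writer:
        writer.write(payload)

    digest_from_child, _ = child.communicate()
    digest_from_child = digest_from_child.decode()

    return {
        "parent_pid": os.getpid(),             # the lineage a sensor can log
        "child_pid": child.pid,
        "bytes_sent": len(payload),
        "child_digest": digest_from_child,
        "intact": digest_from_child == hashlib.sha256(payload).hexdigest(),
    }


if __name__ == "__main__":
    # Constructed sample payload; nothing here is campaign data.
    sample = b"constructed sample payload " * 1000
    print(transfer_via_anonymous_pipe(sample))
```

The design point for defenders is visible in the `stdout=subprocess.PIPE` line: every captured-output redirection already uses the same primitive, so an anonymous pipe on its own is far too common to alert on. What the transfer cannot hide is the process-creation event that ties the child to its parent, so detection has to key on that lineage (for instance a script host spawning an unexpected child) and on what the child does with the data afterwards, rather than on the pipe itself.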

This is far from the first time that security researchers have observed UAC-0050 attempting to distribute RemcosRAT to targets in Ukraine. On several occasions last year, Ukraine’s Computer Emergency Response Team (CERT-UA) warned of campaigns by the threat actor to distribute the remote access Trojan to organizations in the country.

The most recent was an advisory on Dec. 21, 2023, about a mass phishing campaign involving emails with an attachment that purported to be a contract involving Kyivstar, one of Ukraine’s largest telecommunications providers. Earlier in December, CERT-UA warned of another RemcosRAT mass distribution campaign, this one involving emails purporting to be about “judicial claims” and “debts” targeting organizations and individuals in Ukraine and Poland. The emails contained an attachment in the form of an archive file or RAR file.

CERT-UA issued similar alerts on three other occasions last year: one in November with court subpoena-themed emails serving as the initial delivery vehicle; another, also in November, with emails allegedly from Ukraine’s security service; and the first in February 2023 about a mass email campaign with attachments that appeared to be associated with a district court in Kyiv.
