The risk actor generally known as UAC-0050 is leveraging phishing assaults to distribute Remcos RAT utilizing new methods to evade detection from safety software program.
“The group’s weapon of alternative is Remcos RAT, a infamous malware for distant surveillance and management, which has been on the forefront of its espionage arsenal,” Uptycs safety researchers Karthick Kumar and Shilpesh Trivedi stated in a Wednesday report.
“Nonetheless, of their newest operational twist, the UAC-0050 group has built-in a pipe methodology for interprocess communication, showcasing their superior adaptability.”
UAC-0050, lively since 2020, has a historical past of concentrating on Ukrainian and Polish entities through social engineering campaigns that impersonate legit organizations to trick recipients into opening malicious attachments.
In February 2023, the Pc Emergency Response Group of Ukraine (CERT-UA) attributed the adversary to a phishing marketing campaign designed to ship Remcos RAT.
Over the previous few months, the identical trojan has been distributed as a part of at the very least three completely different phishing waves, with one such assault additionally resulting in the deployment of an data stealer referred to as Meduza Stealer.
The evaluation from Uptycs relies on a LNK file it found on December 21, 2023. Whereas the precise preliminary entry vector is at the moment unknown, it is suspected to have concerned phishing emails concentrating on Ukrainian army personnel that declare to promote consultancy roles with the Israel Protection Forces (IDF).
The LNK file in query collects data concerning antivirus merchandise put in on the goal laptop, after which proceeds to retrieve and execute an HTML utility named “6.hta” from a distant server utilizing mshta.exe, a Home windows-native binary for working HTA information.
This step paves the way in which for a PowerShell script that unpacks one other PowerShell script to obtain two information referred to as “word_update.exe” and “ofer.docx” from the area new-tech-savvy[.]com.
Working word_update.exe causes it to create a replica of itself with the title fmTask_dbg.exe and set up persistence by making a shortcut to the brand new executable within the Home windows Startup folder.
The binary additionally employs unnamed pipes to facilitate the alternate of knowledge between itself and a newly spawned baby course of for cmd.exe with the intention to in the end decrypt and launch the Remcos RAT (model 4.9.2 Professional), which is able to harvesting system information and cookies and login data from net browsers like Web Explorer, Mozilla Firefox, and Google Chrome.
“Leveraging pipes inside the Home windows working system gives a covert channel for information switch, skillfully evading detection by Endpoint Detection and Response (EDR) and antivirus techniques,” the researchers stated.
“Though not fully new, this method marks a major leap within the sophistication of the group’s methods.”
