Saturday, September 28, 2024

New IDAT Loader Attacks Using Steganography to Deploy Remcos RAT

Feb 26, 2024 | The Hacker News | Steganography / Malware

Ukrainian entities based in Finland have been targeted as part of a malicious campaign distributing a commercial remote access trojan known as Remcos RAT using a malware loader called IDAT Loader.

The attack has been attributed to a threat actor tracked by the Computer Emergency Response Team of Ukraine (CERT-UA) under the moniker UAC-0184.

"The attack, as part of the IDAT Loader, used steganography as a technique," Morphisec researcher Michael Dereviashkin said in a report shared with The Hacker News. "While steganographic, or 'Stego' techniques are well-known, it is important to understand their roles in defense evasion, to better understand how to defend against such tactics."


IDAT Loader, which overlaps with another loader family called Hijack Loader, has been used to serve additional payloads like DanaBot, SystemBC, and RedLine Stealer in recent months. It has also been used by a threat actor tracked as TA544 to distribute Remcos RAT and SystemBC via phishing attacks.

The phishing campaign, first disclosed by CERT-UA in early January 2024, entails using war-themed lures as a starting point to kick-start an infection chain that leads to the deployment of IDAT Loader, which, in turn, uses an embedded steganographic PNG to locate and extract Remcos RAT.
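To make the "steganographic PNG" step concrete, the following is an added example written for this page; it is not IDAT Loader's code and is not taken from the Morphisec report. It builds a small valid PNG, hides a marker-tagged, XOR-encoded payload in an extra IDAT chunk (the generic pattern of a loader that carries its next stage inside image data), and then shows the defender-side check: walk the chunk table, verify CRCs, flag a marker-tagged IDAT chunk or bytes trailing IEND, and recover the payload. The marker bytes, the single-byte XOR key, the chunk placement and the sample payload are all assumptions chosen for illustration.

```python
"""PNG chunk walker that hides and then recovers a marker-tagged payload.
Added example, not IDAT Loader's own code. MARKER, XOR_KEY, the chunk
placement and the sample payload are illustrative assumptions."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MARKER = b"\xde\xad\xbe\xef"   # hypothetical tag an extractor would scan for
XOR_KEY = b"\x5a"              # hypothetical single-byte key


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """length | type | data | CRC32 over type+data, as the PNG spec lays it out."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width: int = 2, height: int = 2) -> bytes:
    """A minimal valid 8-bit RGB PNG (constructed sample image, all black)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    scanlines = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", zlib.compress(scanlines))
            + make_chunk(b"IEND", b""))


def embed_payload(png: bytes, payload: bytes, marker=MARKER, key=XOR_KEY) -> bytes:
    """Attacker side: splice an extra IDAT chunk holding marker + XOR(payload)
    in front of IEND. Decoders stop at the zlib end-of-stream inside the real
    IDAT data, so the image still renders (libpng at most warns)."""
    iend = png.rfind(b"\x00\x00\x00\x00IEND")
    if iend < 0:
        raise ValueError("no IEND chunk")
    return png[:iend] + make_chunk(b"IDAT", marker + xor_bytes(payload, key)) + png[iend:]


def parse_chunks(png: bytes):
    """Yield (offset, type, data, crc_ok) for every chunk up to and including IEND."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        if pos + 12 + length > len(png):
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        data = png[pos + 8:pos + 8 + length]
        (stored_crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        yield pos, ctype, data, stored_crc == (zlib.crc32(ctype + data) & 0xFFFFFFFF)
        pos += 12 + length
        if ctype == b"IEND":
            break


def inspect_png(png: bytes, marker=MARKER, key=XOR_KEY):
    """Defender side: return (recovered_payload_or_None, anomaly_list).
    Flags bad CRCs, a marker-tagged IDAT chunk, and data trailing IEND."""
    anomalies, payload, end = [], None, len(PNG_SIGNATURE)
    for off, ctype, data, crc_ok in parse_chunks(png):
        end = off + 12 + len(data)
        if not crc_ok:
            anomalies.append(f"bad CRC in {ctype.decode('latin-1')} at offset {off}")
        if ctype == b"IDAT" and data.startswith(marker):
            anomalies.append(f"marker-tagged IDAT at offset {off} ({len(data)} bytes)")
            payload = xor_bytes(data[len(marker):], key)
    if end < len(png):
        anomalies.append(f"{len(png) - end} bytes after IEND")
    return payload, anomalies


if __name__ == "__main__":
    # Constructed sample payload; a real loader would carry the next stage here.
    stego = embed_payload(build_png(), b"MZ\x90\x00 sample next-stage bytes")
    recovered, findings = inspect_png(stego)
    print(findings)
    print(recovered)
```

The marker-and-XOR pattern is only one way a loader can tag its payload; in practice you will not know the marker up front, so the chunk-table anomalies (an IDAT chunk whose data does not continue the zlib stream, a CRC mismatch, or bytes after IEND) are the signals worth building a detection on, and the marker check is what you add once a sample has given you the tag.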

The development comes as CERT-UA revealed that defense forces in the country have been targeted via the Signal instant messaging app to distribute a booby-trapped Microsoft Excel document that executes COOKBOX, a PowerShell-based malware that is capable of loading and executing cmdlets. CERT-UA has attributed the activity to a cluster dubbed UAC-0149.


It also follows the resurgence of malware campaigns propagating PikaBot malware since February 8, 2024, using an updated variant that appears to be currently under active development.

"This version of the PikaBot loader uses a new unpacking method and heavy obfuscation," Elastic Security Labs said. "The core module has added a new string decryption implementation, changes to obfuscation functionality, and various other modifications."
