UAC-0184 Targets Ukrainian Entity in Finland With Remcos RAT

The threat actor tracked as UAC-0184 has been using steganography techniques to deliver the Remcos remote access Trojan (RAT) via a relatively new malware known as the IDAT Loader, to a Ukrainian target based in Finland.

Although the adversary initially targeted entities in Ukraine, defenses thwarted the delivery of the payload. That led to a subsequent search for alternate targets, according to an analysis out today from Morphisec Threat Labs.

While Morphisec didn’t disclose campaign details due to customer confidentiality, researchers pointed Dark Reading to parallel campaigns allegedly by UAC-0184 that used email and spear-phishing as the initial access vector, with lures that dangled job offers targeting Ukrainian military personnel for consultancy roles with the Israel Defense Forces (IDF).

The goal was cyber espionage: The Remcos (short for “Remote Control and Surveillance”) RAT is used by cybercriminals to gain unauthorized access to a victim’s computer, remotely control infected systems, steal sensitive information, execute commands, and more.

IDAT Loader: A New Remcos RAT Infection Routine

This specific campaign, first discovered in January, leverages a nested infection approach, starting with a piece of code with the novel user-agent tag “racon,” which fetches the second-stage payload and performs connectivity checks and campaign analytics.

Morphisec identified that payload as the IDAT Loader, aka HijackLoader, which is an advanced loader that has been observed to work with multiple malware families, the researchers explain. It was first observed in late 2023.

IDAT refers to the “image data” chunk within a Portable Network Graphics (PNG) image file format. True to its name, the loader locates and extracts the Remcos RAT code, which is smuggled onto a victim machine within the IDAT block of an embedded steganographic .PNG image.

With steganography, actors hide malicious payloads within seemingly innocuous image files to evade detection by security measures. Even if the image file is scanned, the encoded payload is not recognized as malicious, enabling the malware loader to drop the image, extract the hidden payload, and execute it in memory.
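The IDAT check described above, as an added example that is not part of the original article and is neither Morphisec's code nor the loader's own logic: walk the PNG chunk list, verify each chunk CRC, inflate the IDAT stream and compare it with the raw image size that IHDR implies, so that bytes hidden after the zlib stream inside IDAT, or appended after IEND, stand out. The test images are constructed inline; 8-bit non-interlaced PNGs are assumed.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
SAMPLES = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # samples per pixel by PNG colour type


def chunk(ctype, payload):
    """Encode one PNG chunk: length, type, data, CRC-32 over type + data."""
    crc = struct.pack(">I", zlib.crc32(ctype + payload))
    return struct.pack(">I", len(payload)) + ctype + payload + crc


def inspect_png(data):
    """Walk the chunk list and compare IDAT contents with the image IHDR describes."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, idat, ihdr, bad_crc = len(PNG_SIG), b"", None, 0
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            break  # truncated chunk; whatever follows is counted as trailing bytes
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        bad_crc += zlib.crc32(ctype + payload) != crc
        if ctype == b"IHDR":
            ihdr = struct.unpack(">IIBBBBB", payload)
        elif ctype == b"IDAT":
            idat += payload  # the zlib stream may be split across several IDAT chunks
        pos += 12 + length
        if ctype == b"IEND":
            break
    width, height, depth, colour = ihdr[:4]
    # Each scanline is one filter byte plus the packed samples of the row.
    expected = height * (1 + (width * SAMPLES[colour] * depth + 7) // 8)
    inflater = zlib.decompressobj()
    try:
        raw = inflater.decompress(idat)
        surplus = len(inflater.unused_data)  # bytes inside IDAT after the zlib stream ended
    except zlib.error:
        raw, surplus = b"", len(idat)  # IDAT is not a zlib stream at all
    report = {"bad_crc": bad_crc, "expected_raw": expected, "decompressed": len(raw), "idat_surplus": surplus, "trailing_bytes": len(data) - pos}
    report["suspicious"] = bool(bad_crc or len(raw) != expected or surplus or report["trailing_bytes"])
    return report


def build_png(width, height, hidden=b""):
    """Constructed 8-bit RGB test image of flat grey pixels; `hidden` is placed inside IDAT after the zlib stream."""
    raw = (b"\x00" + b"\x80" * (width * 3)) * height  # filter type 0 on every row
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw) + hidden) + chunk(b"IEND", b"")
```

A file that passes every check can still carry data in the pixel values themselves, so this catches appended or surplus bytes, not pixel-level steganography.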

“The user is not intended to see the PNG image,” the researchers explain. “The image used in this specific attack was visually distorted. The initial download was an executable named DockerSystem_Gzv3.exe, delivered as a fake software installation package. Activation of the executable led to the subsequent attack stages.”

RAT Malware Nests Proliferate

Remcos RAT is being increasingly deployed using creative techniques. Earlier this year, for instance, researchers discovered that a threat actor tracked as UAC-0050, known for repeatedly targeting organizations in Ukraine with Remcos RAT, had gone after the country’s government in a novel attack using a rare data transfer tactic.

Meanwhile, a rise in affordable malware “meal kits” priced under $100 is driving an increase in campaigns utilizing RATs in general, which are frequently concealed within seemingly legitimate Excel and PowerPoint files attached to emails.

Remcos RAT spyware has also been discovered in the past year targeting organizations in Eastern Europe by leveraging an old Windows UAC bypass technique, as well as in a campaign last March and April targeting accountants ahead of the deadline for filing taxes in the United States.

“As observed in the latest attack, threat actors are increasingly using defense evasion techniques to bypass detection by signature and behavioral-based endpoint protection solutions,” the Morphisec researchers tell Dark Reading. “In this case we observed a combined usage of steganography and memory injection as evasive techniques.”

They add: “Therefore, security leaders should consider these changes in the threat landscape and consider adopting solutions that can enhance their defense in depth by reducing exposure to such potential attacks.”

Tara Seals contributed to this report.