Rewterz Threat Alert – UAC-0050 Threat Group Distributes Remcos RAT Using New Phishing Tactics – Active IOCs

Severity

High

Analysis Summary

A threat group called UAC-0050 has been discovered using phishing attacks to propagate Remcos RAT using novel strategies for detection evasion from antivirus software. In their latest campaign, the group uses a pipe method for interprocess communication, showing their sophistication.

Remcos RAT is a notorious malware that is used for remote access and control and has been used widely by threat actors for espionage activities. UAC-0050 has been active since 2020 and is known for targeting Polish and Ukrainian organizations using social engineering campaigns by posing as legitimate organizations to trick users into opening malicious attachments.

In February 2023, the adversary was linked to a phishing campaign distributing Remcos RAT. Since the last few months, the same trojan has been spread as part of at least three different phishing campaigns, one of which led to the deployment of an information stealer called Meduza Stealer. The latest analysis by security researchers is based on a Windows shortcut file (LNK) which was discovered on December 21, 2023. The initial access vector is currently unknown, but it is believed to have been through phishing emails that targeted Ukrainian military personnel with document lures claiming to advertise consultancy roles with the Israel Defense Forces (IDF).

The LNK file is responsible for harvesting information regarding the antivirus software installed on the target system, and then it executes an HTML application called “6.hta” from a remote server using mshta.exe, which is a Windows-native binary for executing HTA files. This way, a PowerShell script is executed which then runs another PowerShell script to download two files named “ofer.docx” and “word_update.exe” from an actor-controlled domain.

When “word_update.exe” is executed, it creates a copy of itself with the name “fmTask_dbg.exe” intending to establish persistence by creating a shortcut to the new executable in the Windows Startup folder. The binary also employs pipes that aren’t named to carry out the exchange of data between itself and a newly spawned child process for cmd.exe that can finally decrypt and launch the latest version of Remcos RAT which can collect system data, cookies, and login information from web browsers like Mozilla Firefox, Internet Explorer, and Google Chrome.

By using pipes within the Windows operating system, a covert channel for transferring data is provided which helps in detection evasion from Endpoint Detection and Response (EDR) and antivirus systems. This technique isn’t completely new but it serves as a big leap in sophistication of the threat group’s strategies.

Impact

• Sensitive Information Theft
• Cyber Espionage

Indicators of Compromise

MD5

• 56154fedaa70a3e58b7262b7c344d30a
• 9b777d69b018701ec5ad19ae3f06553f
• 7c05cfed156f152139a6b1f0d48b5cc1
• 7f87d36c989a11edf0de9af392891d89
• f5ee6aa31c950dfe55972e50e02201d3
• 5c734bb1e41fab9c7b2dabd06e27bc7b
• 8158b43f745e0e7a519458b0150e1b61
• f71ef85824f906856cb3d2205058bdd2
• 8bebea01d914a3c3a2d876417f7d1d54
• b1f8484ee01a7730938210ea6e851888

SHA-256

• f650a9f1930e55e405d7121c56b90a996ab213a05b772a8f02ceb1cdbeb91165
• 8963e1c87200d0b900f558c1968428dc3a1f05748ddeff0150297aa33d14ff88
• e4615b74d62f384d23e58bc467c615b17779e4f8084c8a0134db97a5e642027f
• c5452b859922b9633839e092f09f0ce4818b6085043360c90c0b0f2bfad9fca1
• 5fff1cd29bb6e6cfe9516b70f9f44755098392c2e2a0f4784486182c309b2c99
• bd871a2ccd6d7c4f89f9f5087e60cfdcc7ab35b670cfda7ddfd6dbbab8c8560c
• 378c219332e74786b5ce562d15a99fe021e47f1480be09b779db78ae87da9c26
• 3b78e6564c4774a6d3cd88c62e56c6705c2428e53cacb3a95713b8c399a7d7ad
• ab310316f34881a67c6df912e646203adc676d1f53a5bf43873014dfdb0d68cf
• 88f0722c907100ef09049c82032a0ac66afa153d03fb89d378ae65f6e5890a3f

SHA-1

• 31ba4f7a41dda57b4d10ebbc020db9c17012f17c
• f2d8bce46e8df36013b89e4de8bca66e3cf0de3e
• a9bc862f7143a3e34ba420d624f81a9efd1516fc
• e644bc7774cfd1beecea50fb47b8ffd32b092c30
• 502bbd516526e579b2b0d0a5aaef0a66659e7fbb
• 1bee4d678beb8928377fbc112eade1af5ec30295
• 09f678acd0ecb99e22e069661edf4fda8457e496
• f20d2dcdd6303ed23bfe9dcffe3736a6de660a74
• 5089adac80acd2d36ad9cb1cce0e4a544474269e
• 4ab9c910cfc9690b7f54eba83e30bc1fe6984297

URL

• http://new-tech-savvy.com/algo.hta

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Never trust or open links and attachments received from unknown sources/senders.
• Passwords – Ensure that general security policies are employed including implementing strong passwords, correct configurations, and proper administration security policies.
• Admin Access – limit access to administrative accounts and portals to only relevant personnel and make sure they are not publicly accessible.
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Enable antivirus and anti-malware software and update signature definitions on time. Using multi-layered protection is necessary to secure vulnerable assets.