The notorious cybercrime gang UAC-0050 has recently updated its attacks to utilize a whole new set of phishing techniques to spreadremote-control Trojan horse (Trojan horse) Remcos RATthat attempts to bypass security software checks.Uptycs security researchers Karthickkumar Kathiresan and Shilpesh Trivedi, in a report released on Wednesday, stated, "Remcos RAT has been the main weapon of UAC-0050, a malware that is known for its remote monitoring and control capabilities known for its remote monitoring and control capabilities, and is a powerful tool for its espionage operations."
"However, in the latest attack, UAC-0050 introduces a pipeline communication method for inter-process communication, demonstrating its high level of adaptability."
UAC-0050 has been active since 2020 and has been targeting Ukrainian and Polish entities by masquerading as a legitimate organization of thesocial engineeringmeans to trick victims into opening malicious attachments.
In February 2023, the Ukrainian Computer Emergency Response Team (CERT-UA) linked the organization to a phishing campaign spreading Remcos RAT. Over the past few months, UAC-0050 has launched at least three differentphishing attack (computing)One of these deployments was also the Meduza Stealer.information theftTools.
Uptycs' analysis is based on an LNK file discovered on 12/21/2023. While it is unclear exactly how the initial intrusion took place, it is suspected that the file may have been sent via phishing emails targeting the Ukrainian military, which claimed to offer consulting positions with the Israel Defense Forces (IDF).
This LNK file collects information about the antivirus software installed on the target computer and then uses the Windows local binary file mshta.exe to retrieve and execute an HTML application named "6.hta" from the remote server. This step paves the way for running a PowerShell script that extracts another PowerShell script from the new-tech-savvy[.] com domain to download two files named "word_update.exe" and "ofer.docx".
Running word_update.exe causes it to create a copy of itself under the name fmTask_dbg.exe, which is persistent by creating a shortcut to the new executable in the Windows startup folder.
The binary also uses an unnamed pipe to facilitate the exchange of data between itself and the generated cmd.exe sub-process, eventually decrypting and launching Remcos RAT (version 4.9.2 Pro), a Trojan that is capable of stealing system data, cookies, and login information from web browsers such as Internet Explorer, Mozilla Firefox and Google Chrome).
The researchers said, "The use of pipes in the Windows operating system provides a covert data transfer channel that cleverly bypasses detection by endpoint detection and response (EDR) and antivirus systems. While the technique is not entirely novel, it marks an important step in the sophistication of the organization's attack methods."
Original article by SnowFlake, if reproduced, please credit https://cncso.com/en/uac-0050-group-new-phishing-tactics-to-distribute-remcos-rat.html
