Morphisec Threat Labs has shared details of a new campaign that used steganography techniques to deliver the Remcos RAT onto the systems of a Ukrainian entity operating in Finland. The campaign, attributed to a hacking group named UAC-0184, used a relatively new IDAT Loader to drop the trojan.
Modus operandi
According to researchers, the attack sequence commenced with carefully crafted phishing emails, purportedly camouflaging Ukraine’s 3rd Separate Assault Brigade and the Israel Defense Forces.
- The email tricked the recipients into opening an attached shortcut file, subsequently leading to the download of IDAT Loader.
- To maintain stealthiness, API calls were not directly written in plaintext within the code, instead, they were resolved at runtime using a decryption key integrated into the attack chain.
- The final stage entailed the decryption and execution of the Remcos RAT, a commonly used backdoor by hackers to facilitate stealthy data theft and victim activity monitoring.
Capabilities of IDAT Loader
- Morphisec identified IDAT as an advanced loader that loads various malware families such as Danabot, SystemBC, and RedLine Stealer.
- It employs sophisticated techniques such as dynamic loading of Windows API functions, HTTP connectivity tests, process blocklists, and syscalls to evade detection.
Remcos refines its distribution method
- The incident comes a few weeks after ASEC discovered that Remcos RAT is being distributed disguised as adult games through webhards.
- Prior to that, a new version of Remcos RAT tracked as v4.2.0 was found being dropped via an NSIS installer file.
Conclusion
The complete list of the IOCs for the current campaign can be found in a report shared by CERT-UA. Furthermore, researchers highlight that organizations must deploy behavioral-based endpoint protection solutions as an additional layer of security to thwart such attacks.