The Ukrainian CERT-UA (Computer Emergency Response Team) has issued a warning about potential cyberattacks against Ukrainian governmental institutions using the authorized remote access program Remcos. The agency has identified the threat actor behind the widespread phishing campaign as UAC-0050 and based on the toolset used, they believe the action was probably spy-related.
The fake emails that begin the infection chain contain a fake RAR archive and purport to be from the Ukrainian telecom business Ukrtelecom. The file contains two files: a text file providing the password to open the password-protected RAR archive, which is over 600MB in size, and a password-protected RAR archive, which is less than 600MB in size.
The second RAR bundle contains an executable that launches the Remcos remote access program and gives the attacker complete control over the infected systems. Breaking Security provides Remcos, also known as remote control and surveillance software, for free or in a commercial edition for a price ranging from €58 to €945.
It is described as a “lightweight, quick, highly adaptable Remote Administration Tool with a wide array of functions” by the Italian business.
The most recent CERT-UA advice was released as the Ukrainian State Cyber Protection Centre (SCPC) blamed Gamaredon, a Russian state-sponsored threat actor, for his focused attacks against public institutions and vital information infrastructure.
Attack Analysis of the Malicious UAC-0050 Spreading Remcos Malware
The remote access program Remcos was created by BreakingSecurity, which is a German. After being installed, the tool creates a backdoor on the compromised system, giving the remote user unrestricted access. Attackers have been actively using Remcos RAT in phishing attempts since 2020 that take advantage of the COVID-19 subject.
In their adversary campaigns, the malware operators use Remcos to spy on their victims, steal their credentials and data, and execute commands. The most recent CERT-UA#5926 report informs online security guards of recently discovered malicious activities utilizing Remcos malware.
Threat actors use the phishing attack vector in these attacks to send emails using the Ukrtelecom JSC’s sender information. Attackers want to trick victims into opening emails that have the subject “Demand Letter” and a RAR archive attachment that pretends to be information on the required financial payment.
The personal access code is stored in a text file in the lure archive along with another password-protected RAR file. The latter contains an executable file that sets up the Remcos malware for remote administration on the victim’s PC.
The harmful behavior is connected to the UAC-0050 hacker group, which has been in the news since at least 2020, according to CERT-UA researchers. The research found that threat actors used RemoteUtilities, a different remote administration program, to launch their prior attacks.
The continuous attacks against Ukrainian state institutions are most likely connected to cyberespionage operations based on the reported adversary activity patterns and the offensive capabilities of the virus.
UAC-0050’s Detection Of Cyberattacks Against Ukrainian State Bodies Covered By CERT-UA#5926 Alert
Defenders are working to improve their capacity to quickly identify the infection in light of the steadily increasing volume of phishing cyberattacks. Organizations can keep one step ahead of attackers and proactively defend against cyberattacks of any size using a variety of malware strains thanks to SOC Prime.
The Remcos malware detection rules are curated by SOC Prime’s Detection as Code Platform for use in ongoing phishing attacks and linked to the UAC-0050 hacker group’s adversarial behavior. All detection algorithms are filtered by the associated custom tags (“UAC-0050” or “CERT-UA#5926”) based on the group and CERT-UA alert IDs for a more streamlined content search.
All detections are enhanced with comprehensive cyber threat context, including MITRE ATT&CK® references, CTI linkages, executable binaries, and operational metadata. They are all ready for deployment to the market-leading SIEM, EDR, BDP, and XDR solutions.
Conclusion
Threat actors who use phishing attack vectors regularly distribute the Remcos Trojan (Remote Control and Surveillance). Targeting Ukrainian government agencies, the malware is currently making a comeback in the cyber threat landscape. Cybersecurity experts detailed the mass email distribution spoofing the Ukrtelecom JSC in a new CERT-UA#5926 report published on February 6, 2023, with the goal of spreading Remcos malware on infected systems. Attackers used phishing emails that were sent to Ukrainian government agencies and contained a malicious RAR attachment. The investigation claims that the UAC-0050 hacker collective is responsible for the enemy’s activities.
