UAC-0184, a threat actor utilizing steganography techniques, has been identified as the perpetrator behind the distribution of the Remcos remote access Trojan (RAT) via a new malware variant called the IDAT Loader to a target in Finland with Ukrainian origins.
The group initially focused on targets within Ukraine; when existing defenses foiled that plan, it shifted its sights to other potential victims, according to a recent analysis from Morphisec Threat Labs. Specific details of the campaign were withheld for confidentiality reasons, but the analysis hinted that parallel campaigns allegedly orchestrated by UAC-0184 used email and spear-phishing lures that offered Ukrainian military personnel consultancy positions within the Israel Defense Forces (IDF).
The intention behind these attacks was clear: cyber espionage. The Remcos RAT gives cybercriminals unauthorized access to compromised systems, enabling them to remotely control machines, extract sensitive data, execute commands, and more.
The IDAT Loader, part of the newly discovered infection routine associated with Remcos RAT, employs a layered approach to infiltrate systems. A first-stage code snippet, distinguished by the unusual user-agent string “racon,” fetches a secondary payload, performs connectivity checks, and collects campaign analytics. Morphisec researchers identified that secondary payload as the IDAT Loader, also known as HijackLoader, a sophisticated loading tool commonly used in conjunction with various malware strains since late 2023.
The term “IDAT” in IDAT Loader refers to the “image data” component within a PNG file format. As the loader’s name implies, it locates and extracts the Remcos RAT code nestled within the IDAT block of a steganographic PNG image, rendering it obscured from traditional security checks. This technique of hiding malicious payloads within innocent-looking image files enables cyber actors to circumvent detection methods, thereby deploying the malware discreetly and executing it directly in computer memory without alerting the user.
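A defender's way to put the IDAT point to work is to check whether a PNG's image-data chunks actually contain image data. The script below is an added example, not Morphisec's tooling and not anything from the loader itself: it walks the chunk structure, verifies chunk CRCs, inflates the concatenated IDAT stream and compares the result with the size the IHDR header implies, and flags bytes that sit inside IDAT past the end of the zlib stream or after IEND. It assumes non-interlaced images (interlaced files are skipped for the size check), and the sample PNGs it triages are constructed inline.

```python
"""Triage a PNG for signs that its IDAT chunks carry something other than image data.

Added example (not Morphisec's tooling): walks the chunk structure, verifies CRCs,
inflates the concatenated IDAT stream, and compares the result with the size the
IHDR header implies. Sample images are constructed inline.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Channels per pixel by PNG colour type (0 grey, 2 RGB, 3 palette, 4 grey+alpha, 6 RGBA)
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}


def parse_chunks(data):
    """Return (chunks, trailing): chunks is a list of (type, body, crc_ok, offset),
    trailing is whatever follows the IEND chunk."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIG)
    chunks = []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc) < 4:
            break  # chunk runs past end of file; caller will see a missing IEND
        crc_ok = struct.unpack(">I", crc)[0] == zlib.crc32(ctype + body)
        chunks.append((ctype.decode("latin-1"), body, crc_ok, pos))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def expected_raw_size(ihdr):
    """Uncompressed scanline bytes IHDR promises for a non-interlaced image, else None."""
    width, height, depth, ctype, _, _, interlace = struct.unpack(">IIBBBBB", ihdr)
    if interlace != 0 or ctype not in CHANNELS:
        return None
    row = (width * CHANNELS[ctype] * depth + 7) // 8
    return height * (1 + row)  # one filter-type byte precedes each scanline


def triage_png(data):
    """Return a list of human-readable findings; an empty list means nothing odd was seen."""
    findings = []
    chunks, trailing = parse_chunks(data)
    types = [t for t, _, _, _ in chunks]
    for t, _, crc_ok, off in chunks:
        if not crc_ok:
            findings.append(f"CRC mismatch on {t} chunk at offset {off}")
    if "IEND" not in types:
        findings.append("no IEND chunk (truncated or malformed file)")
    if trailing:
        findings.append(f"{len(trailing)} bytes appended after IEND")

    idat = b"".join(body for t, body, _, _ in chunks if t == "IDAT")
    d = zlib.decompressobj()
    try:
        raw = d.decompress(idat) + d.flush()
    except zlib.error:
        findings.append("IDAT does not inflate as a zlib stream")
        return findings
    if not d.eof:
        findings.append("IDAT zlib stream has no end marker")
    if d.unused_data:  # bytes smuggled in after the real image stream ends
        findings.append(f"{len(d.unused_data)} bytes inside IDAT after the zlib stream ends")
    ihdr = next((body for t, body, _, _ in chunks if t == "IHDR"), None)
    expected = expected_raw_size(ihdr) if ihdr and len(ihdr) == 13 else None
    if expected is not None and len(raw) != expected:
        findings.append(f"inflated IDAT is {len(raw)} bytes, IHDR implies {expected}")
    return findings


def build_png(rows, extra_idat=b"", trailer=b""):
    """Construct a small 8-bit RGB PNG for testing; rows are raw RGB scanlines."""
    def chunk(ctype, body):
        return (struct.pack(">I", len(body)) + ctype + body
                + struct.pack(">I", zlib.crc32(ctype + body)))
    height, width = len(rows), len(rows[0]) // 3
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + row for row in rows)  # filter type 0 on every scanline
    return (PNG_SIG + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw) + extra_idat)
            + chunk(b"IEND", b"") + trailer)


# Constructed samples: a clean 2x2 image and two copies with foreign bytes inserted.
ROWS = [b"\xff\x00\x00\x00\xff\x00", b"\x00\x00\xff\xff\xff\xff"]
CLEAN = build_png(ROWS)
STUFFED_IDAT = build_png(ROWS, extra_idat=b"<constructed blob standing in for a payload>")
TRAILER = build_png(ROWS, trailer=b"<constructed blob after IEND>")

if __name__ == "__main__":
    for name, sample in [("clean", CLEAN), ("stuffed IDAT", STUFFED_IDAT), ("trailer", TRAILER)]:
        print(name, "->", triage_png(sample) or "no findings")
```

The checks are deliberately structural rather than signature-based: a valid image inflates to exactly the byte count its header promises and leaves nothing behind in the zlib stream, so any slack in IDAT or after IEND is worth a second look regardless of what the hidden bytes happen to be. Run it over inbound attachments or extracted files as a cheap triage step ahead of heavier analysis.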
It is worth noting that the actual PNG image containing the hidden payload is visually distorted to prevent suspicion. The initial point of entry for victims in this specific attack was an executable file named DockerSystem_Gzv3.exe, masquerading as a fake software installation package. Activation of this file triggered subsequent stages of the attack.
The proliferation of RAT malware, such as the Remcos RAT, has seen a surge in creative deployment tactics. For example, a recent discovery involving a threat group designated as UNC-0050, known for targeting Ukrainian organizations with the Remcos RAT, showcased an innovative approach utilizing an uncommon data transfer method to infiltrate the country’s government systems.
Furthermore, the availability of affordable malware “meal kits” priced under $100 has fueled RAT-centric campaigns. These campaigns often conceal RATs within seemingly innocuous Excel and PowerPoint files attached to phishing emails, increasing the likelihood of successful infections.
Past instances of the Remcos RAT being used in cyber espionage campaigns targeting entities in Eastern Europe through the exploitation of outdated Windows UAC bypass techniques highlight the adaptability of this malware strain. Notable campaigns focused on compromising accountants during the U.S. tax filing season illustrate the versatility and persistent threat posed by Remcos RAT.
Given the evolving landscape of cyber threats, Morphisec researchers emphasize the importance of adopting comprehensive defense mechanisms to counteract the growing sophistication of threat actors. Heightened awareness of evasion tactics, like steganography and memory injection, underscores the need for enhanced defense strategies to minimize exposure to potential attacks.
In conclusion, as cyber adversaries continue to evolve their tactics and tools, organizations must remain vigilant and proactive in safeguarding their digital assets against threats like the Remcos RAT. Collaboration between security experts, industry stakeholders, and law enforcement agencies is essential to combatting malicious actors and preserving the integrity of digital ecosystems.
Tara Seals contributed to this report.