UAC-0184 Targets Ukrainian Entity in Finland With Remcos RAT

The threat actor tracked as UAC-0184 has been using steganography techniques to deliver the Remcos remote access Trojan (RAT) via a relatively new malware known as the IDAT Loader, to a Ukrainian target based in Finland.

Although the adversary initially targeted entities in Ukraine, defenses thwarted the delivery of the payload. That led to a subsequent search for alternate targets, according to an analysis out today from Morphisec Threat Labs.

While Morphisec didn’t disclose campaign details due to customer confidentiality, researchers pointed Dark Reading to parallel campaigns allegedly by UAC-0148 that used email and spear-phishing as the initial access vector, with lures that dangled job offers targeting Ukrainian military personnel for consultancy roles with the Israel Defense Forces (IDF).

The goal was cyber espionage: The Remcos (short for “Remote Control and Surveillance”) RAT is used by cybercriminals to gain unauthorized access to a victim’s computer, remotely control infected systems, steal sensitive information, execute commands, and more.

IDAT Loader: A New Remcos RAT Infection Routine

This specific campaign, first discovered in January, leverages a nested infection approach, starting with a piece of code carrying the novel user-agent tag “racon,” which fetches the second-stage payload and performs connectivity checks and campaign analytics.

Morphisec identified that payload as the IDAT Loader, aka HijackLoader, which is an advanced loader that has been observed to work with multiple malware families, the researchers explain. It was first observed in late 2023.

IDAT refers to the “image data” chunk within a Portable Network Graphics (PNG) image file format. True to its name, the loader locates and extracts the Remcos RAT code, which is smuggled onto a victim machine within the IDAT block of an embedded steganographic .PNG image.

Steganography actors hide malicious payloads within seemingly innocuous image files to evade detection by security measures. Even if the image file undergoes scanning, the fact that the malicious payload is encoded makes it undetectable, enabling the malware loader to drop the image, extract the hidden payload, and execute it in memory.

“The user is not intended to see the PNG image,” the researchers explain. “The image used in this specific attack was visually distorted. The initial download was an executable named DockerSystem_Gzv3.exe, delivered as a fake software installation package. Activation of the executable led to the subsequent attack stages.”

RAT Malware Nests Proliferate

Remcos RAT is being increasingly deployed using creative techniques. Earlier this year, for instance, researchers discovered a threat actor tracked as UNC-0050, known for repeatedly targeting organizations in Ukraine with Remcos RAT, targeting the country’s government in a novel attack using a rare data transfer tactic.

Meanwhile, a rise in affordable malware “meal kits” priced under $100 is driving an increase in campaigns utilizing RATs in general, which are frequently concealed within seemingly legitimate Excel and PowerPoint files attached to emails.

Remcos RAT spyware has also been discovered in the past year targeting organizations in Eastern Europe by leveraging an old Windows UAC bypass technique, as well as in a campaign last March and April targeting accountants ahead of the deadline for filing taxes in the United States.

“As observed in the latest attack, threat actors are increasingly using defense evasion techniques to bypass detection by signature and behavioral-based endpoint protection solutions,” the Morphisec researchers tell Dark Reading. “In this case we observed a combined usage of steganography and memory injection as evasive techniques.”

They add, “Therefore, security leaders should consider these changes in the threat landscape and consider adopting solutions that can enhance their defense in depth by reducing exposure to such potential attacks.”

Tara Seals contributed to this report.

Originally published by Nathan Eddy, Contributing Writer: UAC-0184 Targets Ukrainian Entity in Finland With Remcos RAT

Copyright notice: posted by admin on February 29, 2024, 9:55 AM.