Threat Group Using Rare Data Transfer Tactic in New RemcosRAT Campaign

UNC-0050 is targeting government agencies in Ukraine in what appears to be a politically motivated intelligence-gathering operation.

3 Min Read
Cyber war concept with hoodie-wearing hacker in shadow against Ukrainian flag
Source: ozrimoz via Shutterstock

A threat actor known for repeatedly targeting organizations in Ukraine with the RemcosRAT remote surveillance and control tool is back at it again, this time with a new tactic for transferring data without triggering endpoint detection and response systems.

The adversary, tracked as UNC-0050, is focused on Ukrainian government entities in its latest campaign. Researchers at Uptycs who spotted it said the attacks may be politically motivated, with the goal of collecting specific intelligence from Ukrainian government agencies. "While the possibility of state sponsorship remains speculative, the group's activities pose an undeniable risk, especially to government sectors reliant on Windows systems," Uptycs researchers Karthickkumar Kathiresan and Shilpesh Trivedi wrote in a report this week.

The RemcosRAT Threat

Threat actors have been using RemcosRAT — which started life as a legitimate remote administration tool — to control compromised systems since at least 2016. Among other things, the tool allows attackers to gather and exfiltrate system, user, and processor information. It can bypass many antivirus and endpoint threat detection tools and execute a variety of backdoor commands. In many instances threat actors have distributed the malware in attachments in phishing emails.

Uptycs has not been able to determine the initial attack vector in the latest campaign just yet but said it is leaning toward job-themed phishing and spam emails as most likely being the malware distribution method. The security vendor based its assessments on emails it reviewed that purported to offer targeted Ukrainian military personnel with consultancy roles at Israel's Defense Forces.

The infection chain itself begins with a .lnk file that gathers information about the compromised system and then retrieves an HTML app named 6.hta from an attacker-controlled remote server using a Windows native binary, Uptycs said. The retrieved app contains a PowerShell script that initiates steps to download two other payload files (word_update.exe and ofer.docx) from an attacker-controlled domain and — ultimately — to install RemcosRAT on the system.

A Somewhat Rare Tactic

What makes UNC-0050's new campaign different is the threat actor's use of a Windows interprocess communications feature called anonymous pipes to transfer data on compromised systems. As Microsoft describes it, an anonymous pipe is a one-way communications channel for transferring data between a parent and a child process. UNC-0050 is taking advantage of the feature to covertly channel data without triggering any EDR or antivirus alerts, Kathiresan and Trivedi said.

UNC-0050 is not the first threat actor to use pipes to exfiltrate stolen data, but the tactic remains relatively rare, the Uptycs researchers noted. "Although not entirely new, this technique marks a significant leap in the sophistication of the group's strategies," they said.

This is far from the first time that security researchers have spotted UAC-0050 attempting to distribute RemcosRAT to targets in Ukraine. On multiple occasions last year, Ukraine's Computer Emergency Response Team (CERT-UA) warned of campaigns by the threat actor to distribute the remote access Trojan to organizations in the country.

The most recent was an advisory on Dec. 21, 2023, about a mass phishing campaign involving emails with an attachment that purported be a contract involving Kyivstar, one of Ukraine's largest telecommunications providers. Earlier in December, CERT-UA warned of another RemcosRAT mass distribution campaign, this one involving emails purporting to be about "judicial claims" and "debts" targeting organizations and individuals in Ukraine and Poland. The emails contained an attachment in the form of an archive file or RAR file.

CERT-UA issued similar alerts on three other occasions last year, one in November with court subpoena-themed emails serving as the initial delivery vehicle; another, also in November, with emails allegedly from Ukraine's security service; and the first in February 2023 about a mass email campaign with attachments that appeared to be associated with a district court in Kyiv.

About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights