A recent warning by CERT-UA stated that a phishing attack targeting Ukrainian government agencies was carried out by hackers who tried to install the Remcos remote access trojan (RAT) on the victims' computers.
The agency attributes the widespread phishing campaign to a group it tracks as UAC-0050 and, based on the tooling used, assesses the motive to be espionage.
Diving into details
The phishing emails pose as the Ukrainian telecom company Ukrtelecom and carry a decoy RAR archive.
That archive contains two files: a large (over 600MB), password-protected RAR file and a text file holding the password for it. The nesting is deliberate: a mail gateway or sandbox cannot inspect the contents of an encrypted archive without the password, and files of that size commonly fall outside scanner size limits, so the payload tends to reach the user unscanned while remaining trivial for the victim to open.
The inner RAR archive contains an executable that installs the Remcos RAT, after which the attackers have full remote control of the infected system.
A bit on Remcos RAT
Breaking Security markets Remcos as "lightweight, fast, and highly customizable" with "a wide array of functionalities."
It comes in both free and premium versions, with the latter being sold for $62.
The malware's latest version (v4.2.0) was released in January with new evasion techniques; this variant is delivered by an NSIS installer.
This version uses the Dynamic Imports technique: instead of listing the Windows APIs it needs in the PE import table, it resolves them at runtime (typically through LoadLibrary/GetProcAddress or by hashed name lookup), so static analysis tools that key on imported function names see little of what the binary actually does.
It also performs process hollowing using direct syscalls. Issuing syscalls without going through ntdll.dll bypasses the user-mode hooks many EDR products rely on, which means this activity has to be caught from kernel-side telemetry rather than inline hooks.
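To make the static-analysis point concrete, here is an added triage script (not code from the article, from CERT-UA or from any Remcos analysis). It takes the import table and the string/constant lists that any PE tool produces and checks whether the import table is suspiciously thin and which sensitive APIs are resolved at runtime, either by name (the API name survives as a string) or by hash (only a 32-bit constant survives; ROR13 is the classic shellcode hashing routine, and a detector precomputes hashes for the APIs it cares about). The sample import table, strings and constants are constructed for the example.

```python
"""Triage heuristics for dynamically resolved imports (added example)."""

# Import-table-only APIs that every loader stub needs; a binary importing
# nothing but these is resolving everything else at runtime.
LOADER_APIS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
               "GetProcAddress", "GetModuleHandleA", "GetModuleHandleW"}

# APIs worth tracking for a RAT/injector; a real detector uses a much longer list.
SENSITIVE_APIS = ["VirtualAlloc", "VirtualAllocEx", "WriteProcessMemory",
                  "CreateRemoteThread", "NtUnmapViewOfSection", "SetThreadContext",
                  "ResumeThread", "CreateProcessA", "CreateProcessW"]


def ror13_hash(name: str) -> int:
    """32-bit rotate-right-13 hash over the ASCII API name, as used by many loaders."""
    h = 0
    for ch in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + ch) & 0xFFFFFFFF
    return h


def build_hash_db(api_names):
    """Precompute hash -> name so constants pulled from a sample can be matched."""
    return {ror13_hash(n): n for n in api_names}


def classify_imports(imports: dict) -> str:
    """imports: {dll_name: [function names]} as read from the PE import directory."""
    all_funcs = {f for funcs in imports.values() for f in funcs}
    if not all_funcs:
        return "no imports (packed or fully dynamic)"
    if all_funcs <= LOADER_APIS:
        return "loader APIs only: dynamic import resolution likely"
    return "ordinary import table"


def runtime_resolved_apis(imports: dict, strings, constants, hash_db):
    """Sensitive APIs absent from the import table but referenced at runtime,
    split by how the reference was found (plain name string vs. hash constant)."""
    imported = {f for funcs in imports.values() for f in funcs}
    by_name = {s for s in strings if s in SENSITIVE_APIS and s not in imported}
    by_hash = {hash_db[c] for c in constants if c in hash_db and hash_db[c] not in imported}
    return {"by_name": sorted(by_name), "by_hash": sorted(by_hash)}


# Constructed sample: a thin loader-style import table plus the strings and
# 32-bit constants an analyst might pull from the same binary. Not from a real sample.
SAMPLE_IMPORTS = {"KERNEL32.dll": ["LoadLibraryA", "GetProcAddress"]}
SAMPLE_STRINGS = ["kernel32.dll", "VirtualAlloc", "WriteProcessMemory", "Remcos"]
SAMPLE_CONSTANTS = [0x00001000,  # an unrelated constant, should not match
                    ror13_hash("CreateRemoteThread"),
                    ror13_hash("NtUnmapViewOfSection")]
HASH_DB = build_hash_db(SENSITIVE_APIS)


def triage(imports=SAMPLE_IMPORTS, strings=SAMPLE_STRINGS, constants=SAMPLE_CONSTANTS):
    """Combine both checks into one verdict dict."""
    return {"import_table": classify_imports(imports),
            "runtime": runtime_resolved_apis(imports, strings, constants, HASH_DB)}


if __name__ == "__main__":
    print(triage())
```

On real samples, feed `classify_imports` the output of a PE parser's import directory and `runtime_resolved_apis` the ASCII strings and immediate constants from the unpacked binary; APIs that show up only under `by_hash` are the ones a plain strings/imports review would have missed entirely.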
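The detection side of the hollowing-plus-direct-syscalls combination, as an added example that is not code from the article or from any vendor: two checks run over constructed process telemetry. The first looks for the hollowing sequence (a process created suspended by a parent that then unmaps its image, writes into it, rewrites the thread context and resumes it); the second flags syscalls whose user-mode return address is not inside ntdll.dll, which is what a direct syscall looks like from kernel-side telemetry and what an inline ntdll hook would never see. The event field names and addresses are assumptions for the example.

```python
"""Hollowing and direct-syscall detection over sample telemetry (added example)."""

CREATE_SUSPENDED = 0x00000004  # CreateProcess dwCreationFlags bit

# Syscalls, in order, that make up the classic hollowing sequence. Some variants
# skip the unmap and overwrite in place; a production rule would allow for that.
HOLLOW_STEPS = ("NtUnmapViewOfSection", "NtWriteVirtualMemory",
                "NtSetContextThread", "NtResumeThread")


def find_hollowing(events):
    """Return target pids that went through the full hollowing sequence,
    driven by the same process that created them suspended."""
    suspended = {}   # target pid -> creating pid
    progress = {}    # target pid -> index of the next expected step
    hits = []
    for e in events:
        if e["event"] == "CreateProcess" and e.get("flags", 0) & CREATE_SUSPENDED:
            suspended[e["target_pid"]] = e["pid"]
            progress[e["target_pid"]] = 0
            continue
        tgt = e.get("target_pid")
        if tgt in suspended and e["pid"] == suspended[tgt]:
            if e["event"] == HOLLOW_STEPS[progress[tgt]]:
                progress[tgt] += 1
                if progress[tgt] == len(HOLLOW_STEPS):
                    hits.append(tgt)
    return hits


def find_direct_syscalls(events, modules):
    """modules: {pid: {module_name: (base, size)}} from the process's module list.
    Flags every syscall event whose return address lies outside ntdll.dll."""
    flagged = []
    for e in events:
        if "ret_addr" not in e:
            continue  # not a syscall event
        ntdll = modules.get(e["pid"], {}).get("ntdll.dll")
        if ntdll is None:
            continue  # no module map for this pid; cannot judge
        base, size = ntdll
        if not (base <= e["ret_addr"] < base + size):
            flagged.append((e["event"], e["pid"], e["ret_addr"]))
    return flagged


def analyze(events, modules):
    return {"hollowed_pids": find_hollowing(events),
            "direct_syscalls": find_direct_syscalls(events, modules)}


# Constructed sample: pid 1000 hollows a suspended svchost.exe (pid 2000) using
# syscalls issued from its own image (0x0040xxxx), then makes one ordinary call
# through ntdll. Addresses and pids are invented for the example.
SAMPLE_MODULES = {1000: {"ntdll.dll": (0x7FFE0000, 0x200000)}}
SAMPLE_EVENTS = [
    {"pid": 1000, "event": "CreateProcess", "target_pid": 2000,
     "image": "C:\\Windows\\System32\\svchost.exe", "flags": CREATE_SUSPENDED},
    {"pid": 1000, "event": "NtUnmapViewOfSection", "target_pid": 2000, "ret_addr": 0x00401A10},
    {"pid": 1000, "event": "NtWriteVirtualMemory", "target_pid": 2000, "ret_addr": 0x00401A40},
    {"pid": 1000, "event": "NtWriteVirtualMemory", "target_pid": 2000, "ret_addr": 0x00401A40},
    {"pid": 1000, "event": "NtSetContextThread", "target_pid": 2000, "ret_addr": 0x00401A80},
    {"pid": 1000, "event": "NtResumeThread", "target_pid": 2000, "ret_addr": 0x00401AB0},
    {"pid": 1000, "event": "NtClose", "target_pid": None, "ret_addr": 0x7FFE1234},
]

if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS, SAMPLE_MODULES))
```

The return-address check only works if the telemetry is collected in the kernel (ETW Threat-Intelligence, a driver's callbacks) because a direct syscall never passes through user-mode hooks; the same events also give the per-process module map needed to know where ntdll is loaded.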
The bottom line
Remcos, short for Remote Control and Surveillance, is a capable commercial RAT with a broad feature set. CERT-UA assesses the campaign as cyberespionage because it targets Ukrainian authorities.