Ukrainian entities based in Finland have been targeted as part of a malicious campaign distributing a commercial remote access trojan known as Remcos RAT using a malware loader called IDAT Loader.
The attack was attributed to a threat actor tracked by the Computer Emergency Response Team of Ukraine (CERT-UA) under the moniker UAC-0184.
“The attack, as part of the IDAT Loader, used steganography as a technique,” Morphisec researcher Michael Dereviashkin said in a report shared with The Hacker News. “Although steganographic, or ‘Stego,’ techniques are well known, it is important to understand their role in defense evasion to better understand how to defend against such tactics.”
IDAT Loader, which overlaps with another loader family called Hijack Loader, has been used to serve additional payloads such as DanaBot, SystemBC, and RedLine Stealer in recent months. It was also used by a threat actor tracked as TA544 to distribute Remcos RAT and SystemBC via phishing attacks.
The phishing campaign, first disclosed by CERT-UA in early January 2024, uses war-themed lures as the entry point of an infection chain that deploys IDAT Loader, which, in turn, relies on steganography to locate and extract Remcos RAT hidden inside a PNG image.
The development comes as CERT-UA revealed that the country’s defense forces were targeted via the instant messaging app Signal to distribute a booby-trapped Microsoft Excel document running COOKBOX, a PowerShell-based malware capable of loading and running cmdlets. CERT-UA attributed the activity to a cluster called UAC-0149.
This also follows the resumption of malware campaigns propagating the PikaBot malware starting February 8, 2024, using an updated variant that appears to be currently in active development.
“This version of the PikaBot loader uses a new unpacking method and strong obfuscation,” Elastic Security Labs said. “The core module added a new implementation for string decryption, changes to obfuscation functionality, and various other changes.”