The threat actor tracked as UAC-0184 was using steganography techniques to deliver the Remcos Remote Access Trojan (RAT) via relatively new malware known as IDAT Loader, to a Ukrainian target based in Finland.
Although the adversary initially targeted entities in Ukraine, defenses prevented the payload from being delivered. This led to a subsequent search for alternative targets, according to an analysis published today by Morphisec Threat Labs.
Although Morphisec did not reveal details of the campaign for customer-privacy reasons, researchers told Dark Reading about parallel campaigns, presumably from UAC-0184, that used email and spear-phishing as the initial entry vector, with decoys offering Ukrainian military personnel advisory roles with the Israel Defense Forces (IDF).
The goal was cyber espionage: the Remcos RAT (short for “Remote Control and Surveillance”) is used by cybercriminals to gain unauthorized access to a victim’s computer, remotely control infected systems, steal sensitive information, execute commands and more.
IDAT Loader: A new Remcos RAT infection routine
This specific campaign, first discovered in January, takes advantage of a nested infection approach. It starts with a piece of code carrying the new “racon” user-agent tag, which retrieves the second-stage payload and performs connectivity checks and campaign analysis.
Morphisec identified that payload as IDAT Loader, aka HijackLoader, which is an advanced loader that has been observed working with multiple malware families, the researchers explain. It was first observed in late 2023.
IDAT refers to the block of “image data” within a Portable Network Graphics (PNG) image file format. True to its name, the loader locates and extracts Remcos’ RAT code, which is sneakily introduced onto the victim’s computer within the IDAT block of an embedded .PNG steganographic image.
Malware authors use steganography to hide malicious payloads inside seemingly harmless image files in order to evade security controls. Even if the image file is scanned, the payload is encoded within it and is unlikely to be flagged, which allows the malware loader to extract the hidden payload, execute it in memory, and delete the image.
“The user is not intended to see the PNG image,” the researchers explain. “The image used in this specific attack was visually distorted. The initial download was an executable named DockerSystem_Gzv3.exe, delivered as a fake software installation package. Activation of the executable led to the next stages of the attack.”
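As an added example, not code from Morphisec's analysis or from the article, the Python below walks a PNG chunk by chunk and flags the residue that stuffing extra data into the IDAT block leaves behind: bytes after the zlib stream inside IDAT, a decoded size that disagrees with IHDR, bad chunk CRCs, or data trailing after IEND. The sample image, its dimensions and the appended filler bytes are constructed here for the demonstration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# bytes per pixel for the 8-bit colour types this checker understands
BYTES_PER_PIXEL = {(8, 0): 1, (8, 2): 3, (8, 6): 4}


def chunk(ctype: bytes, payload: bytes) -> bytes:
    """Encode one PNG chunk: big-endian length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_png(width: int, height: int, extra_idat: bytes = b"") -> bytes:
    # Constructed 8-bit RGB image; extra_idat imitates data smuggled into the IDAT block.
    rows = b"".join(b"\x00" + b"\x20\x40\x60" * width for _ in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    body = chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(rows) + extra_idat)
    return PNG_SIG + body + chunk(b"IEND", b"")


def parse_chunks(data: bytes):
    """Return ([(type, payload, crc_ok), ...], bytes found after the IEND chunk)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    chunks, pos = [], len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload, crc = data[pos + 8:pos + 8 + length], data[pos + 8 + length:pos + 12 + length]
        chunks.append((ctype, payload, crc == struct.pack(">I", zlib.crc32(ctype + payload) & 0xFFFFFFFF)))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def analyze_png(data: bytes) -> list:
    """Findings an image viewer would silently tolerate but a triage step should flag."""
    chunks, trailing = parse_chunks(data)
    findings = [f"bad CRC in {t.decode('latin-1')} chunk" for t, _, ok in chunks if not ok]
    if trailing:
        findings.append(f"{len(trailing)} bytes after IEND")
    ihdr = next(p for t, p, _ in chunks if t == b"IHDR")
    width, height, depth, colour = struct.unpack(">IIBBBBB", ihdr)[:4]
    idat = b"".join(p for t, p, _ in chunks if t == b"IDAT")  # IDAT chunks form one zlib stream
    inflater = zlib.decompressobj()
    pixels = inflater.decompress(idat)
    if inflater.unused_data:  # anything past the end of the zlib stream is not image data
        findings.append(f"{len(inflater.unused_data)} bytes after zlib stream in IDAT")
    expected = height * (1 + width * BYTES_PER_PIXEL[(depth, colour)])  # filter byte per row
    if len(pixels) != expected:
        findings.append(f"decoded {len(pixels)} pixel bytes, IHDR implies {expected}")
    return findings
```

A clean image yields an empty list; the same image with 64 filler bytes appended inside IDAT is reported as bytes after the zlib stream, which is the kind of inconsistency a triage pipeline can check without decoding or rendering the picture.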
RAT malware nests proliferate
Remcos RAT is increasingly being deployed using creative techniques. Earlier this year, for example, the researchers found a threat actor identified as UAC-0050, known for repeatedly targeting organizations in Ukraine with Remcos RAT, going after the country’s government in a new attack using a rare data-transfer tactic.
Meanwhile, affordable malware “meal kits” priced under $100 are driving an increase in campaigns using RATs in general, which are often hidden within seemingly legitimate Excel and PowerPoint files attached to emails.
Remcos RAT spyware was also discovered being used against Eastern European organizations last year via an old Windows UAC bypass technique, as well as in a campaign last March and April targeting accountants before the US tax filing deadline.
“As observed in the latest attack, threat actors are increasingly using defense evasion techniques to bypass detection via signature- and behavior-based endpoint protection solutions,” Morphisec researchers tell Dark Reading. “In this case we observed a combined use of steganography and memory injection as evasion techniques.”
They add: “Therefore, security leaders should consider these changes in the threat landscape and consider adopting solutions that can improve their defense in depth by reducing exposure to such potential attacks.”
Tara Seals contributed to this report.