New Phishing Campaign by UAC-0050: Kyivstar & Security Service of Ukraine Baits to Deliver Remcos RAT
Table of contents:
Cybersecurity analysts are observing a substantial increase in malicious activities targeting Ukraine’s public and private sectors, where attackers often resort to phishing vectors as their primary strategy for initiating intrusions.
CERT-UA notifies cyber defenders of ongoing attacks against Ukrainian organizations leveraging Kyivstar and the Security Service of Ukraine phishing lures. The infamous UAC-0050 group aims to infect targeted victims with Remcos RAT, a common malicious strain from the group’s adversary toolkit.
UAC-0050 Attack Analysis: New Phishing Campaign Using Remcos RAT
In the first decade of December 2023, the UAC-0050 group came back to the cyber threat arena massively targeting Ukrainian and Polish government agencies and leveraging two malicious strains, Remcos RAT and Meduza Stealer. Notably, in November and early December 2023, UAC-0050 hackers launched at least two offensive operations against Ukraine spreading Remcos RAT, one of them using phishing lures impersonating the Security Service of Ukraine. Hard on the heels of those phishing campaigns, UAC-0050 resurfaces to continue its attacks through the same attack vector.
On December 21, 2023, CERT-UA issued a new heads-up uncovering two email distribution campaigns using the lure topics related to the outstanding balance of Kyivstar users and another one disguised as the Security Service of Ukraine. Attackers send phishing emails with the corresponding Kyivstar-related topic along with a lure ZIP attachment.
The archive contains a password-protected RAR file with a DOC file and a harmful macro. The macro activation using explorer.exe through the SMB protocol will lead to the download and launching of the executable file on the impacted system. Subsequently, the latter is a self-extracting (SFX) archive that contains a BATCH script for downloading from the Bitbucket service and launching another executable file “wsuscr.exe” obfuscated via SmartAssembly .NET. The latter is intended to decrypt and execute Remcos RAT.
CERT-UA has also observed phishing emails with the subject lure impersonating the Security Service of Ukraine along with a malicious attachment. The latter contains a password-protected ZIP file that contains a RAR archive split into 3 parts, with the final one containing an executable file. Opening this archive and running the executable file can potentially lead to the Remcos RAT infection.
In this campaign, UAC-0050 hosts its control servers for Remcos RAT, taking advantage of the Malaysian provider services, as it commonly does. In addition, adversaries use the autonomous system AS44477 (STARK INDUSTRIES SOLUTIONS LTD) for their hosting needs.
Detect UAC-0050 Phishing Attacks Covered in the CERT-UA#8338 Alert
A rapid surge in phishing attacks against Ukraine and its allies attributed to the UAC-0050 hacking collective poses a significant threat to organizations that might be potential targets. A wave of the latest group’s attacks points to similar behavior patterns linked to the use of Remcos RAT within the infection chain. SOC Prime curates a collection of detection algorithms to help defenders identify the UAC-0050 adversary activity and any traces of Remcos RAT infection in their environment. Follow the link below to reach Sigma rules for attack detection covered in the relevant CERT-UA#8338 research:
Sigma rules to detect attacks uncovered by CERT-UA in the related CERT-UA#8338 alert
Security engineers can also access the entire detection stack filtered by the “UAC-0050” custom tag by clicking the Explore Detections button. This collection of detection algorithms is designed to help defenders enhance their threat detection and hunting capabilities and timely remediate the threats linked to the UAC-0050 offensive activity. All Sigma rules are aligned with MITRE ATT&CK®, can be converted to dozens of cybersecurity languages in an automated fashion, and are enriched with tailored CTI.
Security professionals can also rely on the open-source Uncoder IO to perform retrospective IOC matching at scale. Select IOCs from the Uncoder IO left panel, paste threat intel from the related CERT-UA alert, apply the platform and the target language, like OSCF, and instantly package the data into custom IOC queries ready to hunt for critical threats in the chosen environment.
MITRE ATT&CK Context
Leveraging MITRE ATT&CK gains detailed insight into the context of the most recent offensive campaign associated with UAC-0050. Refer to the table below to view the comprehensive set of dedicated Sigma rules addressing the corresponding ATT&CK tactics, techniques, and sub-techniques.
Tactics | Techniques | Sigma Rule |
Initial Access | Phishing: Spearphishing Attachment | |
Execution | Exploitation for Client Execution (T1203) | |
Command and Scripting Interpreter (T1059) | ||
Command and Scripting Interpreter: PowerShell (T1059.001) | ||
Command and Scripting Interpreter: Visual Basic (T1059.005) | ||
Command and Scripting Interpreter: Windows Command Shell (T1059.003) | ||
Command and Scripting Interpreter: JavaScript (T1059.007) | ||
Scheduled Task / Job (T1053) | ||
User Execution: Malicious File (T1204.002) | ||
Defense Evasion | Indicator Removal (T1070) | |
Indicator Removal: File Deletion (T1070.004) | ||
Masquerading (T1036) | ||
System Script Proxy Execution (T1216) | ||
System Binary Proxy Execution (T1218) | ||
Obfuscated Files or Information (T1027) | ||
Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002) | ||
Modify Registry (T1112) | ||
Lateral Movement | Remote Services: SMB / Windows Admin Shares (T1021.002) | |
Command and Control | Ingress Tool Transfer (T1105) |