Remcos RAT and Meduza Stealer Detection: UAC-0050 Group Launches a Massive Phishing Attack Against State Bodies in Ukraine and Poland

[post-views]
December 08, 2023 · 3 min read
Remcos RAT and Meduza Stealer Detection: UAC-0050 Group Launches a Massive Phishing Attack Against State Bodies in Ukraine and Poland

Less than a week after a phishing campaign by UAC-0050 spreading Remcos RAT, the group attempted to launch another offensive operation. In the newly uncovered massive email distribution campaign, UAC-0050 hackers target the Ukrainian and Polish public sectors, leveraging the nefarious Remcos RAT and another malware strain dubbed Meduza Stealer.

UAC-0050 Attack Description: Activity Covered in the CERT-UA#8218 Alert

On November 7, 2023, CERT-UA published a new heads-up covering the massive phishing attack by the UAC-0050 hacking collective spreading emails with the lure subjects related to court demands and debts along with a password-protected RAR attachment. By opening this weaponized archive, the targeted machines are prone to Remcos RAT and Meduza Stealer infections. In addition, hackers leveraged AutoIt/Injector malware. UAC-0050 normally hosts its control servers for Remcos RAT using the services of the Malaysian provider, Shinjiru.

Notably, hackers leveraged legitimate compromised accounts for the email campaign including those within the gov.ua domain. The uncovered emails also indicate the Polish government institutions as attack targets in addition to the Ukrainian public sector. 

As potential mitigation measures, CERT-UA recommends filtering email attachments, including password-protected archives and documents, at the mail gateway level to prevent intrusions. 

Detect UAC-0050 Intrusions Spreading Remcos RAT and Meduza Stealer

Recent UAC-0050 phishing campaigns indicate the group’s ambitions to expand the scope of attacks. The latest massive cyber attack covered in the CERT-UA#8218 alert identifies both Ukraine and Poland as potential victims of intrusions. SOC Prime Platform strives to help organizations in multiple industries, including the public sector, to preempt attacks of any scope and sophistication before they strike. 

Rely on the curated list of detection algorithms filtered by the tag “CERT-UA#8218” to safeguard your organization’s infrastructure against UAC-0050 activity distributing Remcos RAT and Meduza Stealer malware. Here’s the link to all relevant rules and queries mapped to MITRE ATT&CK® for faster attack attribution and convertible to multiple cybersecurity languages:

Sigma rules to detect UAC-0050 attacks covered in the CERT-UA#8218 alert

Click Explore Detections to reach even more detection algorithms for proactive defense against existing and emerging attacks attributed to UAC-0050. The entire rule set is enriched with relevant metadata offering in-depth insights and cyber threat context for CTI researchers and SOC analysts. 

Explore Detections

With Uncoder IO, the open-source IDE for Detection Engineering, defenders can make the most of IOC packaging using the forensic data from the latest CERT-UA research to instantly generate custom search queries ready to run in the selected environment. 

Use Uncoder IO to parse IOCs from the CERT-UA#8218 alert into custom queries ready to hunt for UAC-0050 malicious activity.

MITRE ATT&CK Context

To delve into the insightful context behind the massive phishing attack of UAC-0050 covered in the latest CERT-UA#8218 alert, all above-referenced Sigma rules are tagged with ATT&CK addressing the relevant tactics, techniques, and sub-techniques: 

Tactics 

Techniques

Sigma Rule

Initial Access

Phishing: Spearphishing Attachment

(T1566.001)

Execution

Exploitation for Client Execution (T1203)

Command and Scripting Interpreter (T1059)

Command and Scripting Interpreter: Visual Basic (T1059.005)

Command and Scripting Interpreter: JavaScript (T1059.007)

Persistence

Boot or Logon Autostart Execution (T1547)

Defense Evasion 

System Script Proxy Execution (T1216)

Masquerading: Double File Extension (T1036.007)

Table of Contents

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts