CERT-UA has issued a warning about a phishing attack on Ukrainian government agencies in which the attackers tried to install the Remcos remote monitoring software on the victims’ computers.
CERT-UA attributes the activity to a group it tracks as UAC-0050 and, based on the tooling used, assesses the motive to be espionage.
The attack begins with emails impersonating the Ukrainian telecom company Ukrtelecom that carry a RAR archive as the lure. That archive contains two files: a large, password-protected RAR archive and a text file holding the password needed to open it. The inner RAR contains an executable that installs the Remcos RAT, after which the attackers have complete control over the infected system.
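The lure described above (an outer archive bundling an encrypted archive with a plain-text password file, and an executable inside the encrypted archive) is a pattern a mail gateway can flag even though it cannot scan the encrypted payload directly. The following triage routine is an added example written for this page, not CERT-UA’s or any vendor’s code; it works on an archive listing supplied by whatever archive library the gateway uses (the `rarfile` package, for instance), so the listing, the file names, the size threshold and the password text below are all constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class ArchiveEntry:
    """One member of an attached archive, as reported by an archive library."""
    name: str
    size: int           # uncompressed size in bytes
    encrypted: bool     # member needs a password to extract

# Assumed triage policy for this example (not from the CERT-UA advisory).
ARCHIVE_EXTS = (".rar", ".zip", ".7z")
EXECUTABLE_EXTS = (".exe", ".scr", ".dll", ".msi", ".lnk")
LARGE_ARCHIVE_BYTES = 50 * 1024 * 1024   # assumed threshold for "large"

# Matches "Password: x", "pass=x" and the Ukrainian/Russian "пароль x".
PASSWORD_RE = re.compile(r"(?i)\b(?:password|passwd|pass|пароль)\b\s*[:=\-]?\s*(\S+)")

def extract_password(text: str) -> Optional[str]:
    """Pull a candidate password out of a sibling text file, if one is present."""
    match = PASSWORD_RE.search(text)
    return match.group(1) if match else None

def triage_attachment(
    entries: List[ArchiveEntry],
    text_contents: Dict[str, str],
    inner_entries: Optional[List[ArchiveEntry]] = None,
) -> Tuple[List[str], Optional[str]]:
    """Return (reason codes, recovered password) for one attached archive.

    `entries` is the listing of the outer archive, `text_contents` maps each
    text member's name to its content, and `inner_entries` is the listing of
    the encrypted inner archive once it has been opened with the recovered
    password (RAR can encrypt file names too, so that listing may only be
    available after the password is known).
    """
    reasons: List[str] = []

    encrypted_archives = [
        e for e in entries if e.name.lower().endswith(ARCHIVE_EXTS) and e.encrypted
    ]
    if encrypted_archives:
        reasons.append("ENCRYPTED_NESTED_ARCHIVE")
        if any(e.size >= LARGE_ARCHIVE_BYTES for e in encrypted_archives):
            reasons.append("LARGE_ENCRYPTED_ARCHIVE")

    # The password travelling next to the archive defeats the point of
    # encrypting it; that combination is the strongest signal in this lure.
    password = None
    for e in entries:
        if e.name.lower().endswith(".txt"):
            password = extract_password(text_contents.get(e.name, ""))
            if password:
                break
    if password and encrypted_archives:
        reasons.append("PASSWORD_SHIPPED_WITH_ARCHIVE")

    if inner_entries is not None and any(
        e.name.lower().endswith(EXECUTABLE_EXTS) for e in inner_entries
    ):
        reasons.append("EXECUTABLE_IN_INNER_ARCHIVE")

    return reasons, password

def verdict(reasons: List[str]) -> str:
    """Map reason codes to a gateway action (policy assumed for the example)."""
    if "PASSWORD_SHIPPED_WITH_ARCHIVE" in reasons or "EXECUTABLE_IN_INNER_ARCHIVE" in reasons:
        return "block"
    if "ENCRYPTED_NESTED_ARCHIVE" in reasons:
        return "quarantine"
    return "allow"

if __name__ == "__main__":
    # Constructed sample mirroring the lure: outer RAR with a big encrypted
    # RAR plus a password note, and an executable inside the encrypted RAR.
    outer = [
        ArchiveEntry("invoice.rar", 120 * 1024 * 1024, True),
        ArchiveEntry("password.txt", 20, False),
    ]
    texts = {"password.txt": "Пароль: Ukr2023!"}
    inner = [ArchiveEntry("invoice.exe", 500_000, False)]
    reasons, pw = triage_attachment(outer, texts, inner)
    print(reasons, pw, verdict(reasons))
```

The recovered password is returned so the gateway can open the inner archive itself and run the executable through normal static and sandbox checks; an encrypted archive with no recoverable password is still quarantined rather than allowed through unscanned.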
Remcos is sold by Breaking Security, which markets it as a lightweight, fast and highly customizable tool with a wide array of functionality.
The malware’s latest version (v4.2.0), released in January, added new evasion techniques; this variant is delivered as an NSIS installer.
This version resolves Windows API functions at runtime (the dynamic imports technique), so static analysis tools see few meaningful imports in the binary. As a second evasion tactic, it performs process hollowing using direct syscalls, sidestepping the user-mode API hooks that many security products rely on.
Remcos is a highly capable malware family with sophisticated functionality. CERT-UA concluded that, because the attacks target Ukrainian authorities, the campaign amounts to cyberespionage.