February 26, 2024 at 05:57PM
The threat group UAC-0184 used steganographic images to deploy the Remcos remote access trojan onto a Ukrainian entity operating in Finland, extending its targeting beyond Ukraine's borders. The attack chain combines phishing emails, a modular loader, and a payload hidden inside a PNG image. Indicators of compromise are available in the CERT-UA report.
Key takeaways from the reporting:
– The threat group UAC-0184 has been observed using steganographic image files to deliver the Remcos remote access trojan onto the systems of a Ukrainian entity operating in Finland.
– UAC-0184 expanded their targeting to organizations outside of Ukraine that are affiliated with their strategic target.
– Morphisec detected the group’s latest activity starting in early January 2024, where they utilized phishing emails with a carefully crafted shortcut file attachment to trigger an infection chain that ultimately delivered the Remcos RAT.
– The attack chain relies on a modular malware loader named ‘IDAT,’ which uses several evasion techniques, including carrying an encoded payload inside an otherwise valid PNG image file so that the file passes as an ordinary picture.
– Beyond Remcos RAT, the IDAT loader has also been used to deliver Danabot, SystemBC, and RedLine Stealer.
– Full indicators of compromise (IoCs) for this campaign can be found in the CERT-UA report.
In short, UAC-0184 pairs phishing lures with a steganographic PNG carrier and a modular loader to get Remcos RAT onto targets connected to Ukraine, including those abroad.