January 4, 2024 at 08:37PM
Threat actor UNC-0050, known for targeting Ukrainian organizations with RemcosRAT, is back with a new tactic that uses anonymous pipes to transfer data covertly. The group’s latest campaign targets Ukrainian government entities and poses a significant risk to Windows-reliant sectors. Uptycs researchers highlighted the group’s politically motivated activity and described the tactic as a notable leap in sophistication.
The threat actor known as UNC-0050 has re-emerged with a new tactic for transferring data without triggering endpoint detection and response (EDR) systems. This latest campaign focuses on Ukrainian government entities, with the goal of collecting specific intelligence, and poses a significant risk to government sectors that rely on Windows systems.
The threat actor is using the RemcosRAT tool, which lets it gather and exfiltrate system, user, and processor information. The malware has been distributed as attachments to phishing emails; the initial attack vector in the latest campaign is likely job-themed phishing and spam emails.
A noteworthy aspect of UNC-0050’s new campaign is its use of a Windows interprocess communication feature, anonymous pipes, to move data on compromised systems. This tactic allows the group to channel data covertly without triggering EDR or antivirus alerts. While using anonymous pipes to exfiltrate stolen data is not entirely new, it represents a significant leap in the sophistication of the threat actor’s methods.
This is not the first time UNC-0050 has targeted organizations in Ukraine with RemcosRAT; there have been numerous campaigns in the past. Organizations, especially those in the Ukrainian government sector, should remain vigilant and take the necessary precautions to protect against such attacks.