New IDAT Loader Attacks Using Steganography to Deploy Remcos RAT

February 26, 2024 at 10:45AM

Ukrainian entities based in Finland are targeted in a malicious campaign distributing the Remcos RAT using the IDAT Loader. The attack utilizes steganography and has been attributed to the threat actor UAC-0184. Other loaders like Hijack Loader have been used to distribute additional payloads. CERT-UA disclosed a phishing campaign involving war-themed lures, and defense forces in Ukraine have been targeted via the Signal app. Malware campaigns propagating PikaBot have also resurged with an updated variant.

Key takeaways from The Hacker News report of February 26, 2024 on the campaign and related activity:

– Ukrainian entities in Finland have been targeted in a malicious campaign distributing the Remcos RAT using the IDAT Loader.
– The attack leveraged steganography, a technique rarely seen in the wild.
– IDAT Loader has been used in phishing attacks to deliver additional payloads such as DanaBot, SystemBC, RedLine Stealer, and Remcos RAT.
– The phishing campaign disclosed by CERT-UA uses war-themed lures to start an infection chain that deploys IDAT Loader, which in turn extracts Remcos RAT.
– Defense forces in Ukraine have been targeted via the Signal instant messaging app to distribute a booby-trapped Microsoft Excel document that executes COOKBOX, attributed to the cluster UAC-0149.
– Malware campaigns propagating PikaBot have resurged since February 8, 2024, using an updated variant that employs new unpacking methods and heavy obfuscation.
