February 26, 2024 at 03:08PM
UAC-0184 utilizes steganography to distribute the Remcos RAT via the IDAT Loader. The campaign initially targeted Ukrainian entities but shifted focus after encountering defenses. The goal was cyber espionage, with the RAT granting unauthorized system access, data theft, and remote control. This represents a trend of advanced defense evasion techniques in the threat landscape.
Key takeaways from the meeting notes:
1. The threat actor UAC-0184 has been using steganography to deliver the Remcos remote access Trojan (RAT) via a new malware known as the IDAT Loader to a Ukrainian target based in Finland.
2. Morphisec Threat Labs’ analysis revealed that the actor hunted for alternative targets after initial defenses thwarted payload delivery in Ukraine. Parallel campaigns by UAC-0148 allegedly used email and spear-phishing to target Ukrainian military personnel, using job offers with the Israel Defense Forces as the lure.
3. The specific campaign discovered in January utilizes the IDAT Loader, which hides the Remcos RAT code within the IDAT chunk of an embedded steganographic .PNG image. This enables the loader to drop the image, extract the hidden payload, and execute it in memory.
4. The Remcos RAT has been increasingly deployed using creative techniques and has been found targeting organizations in Ukraine, Eastern Europe, and the United States.
5. Threat actors are using defense evasion techniques such as steganography and memory injection to bypass detection by security solutions, prompting security leaders to consider enhanced defense mechanisms.
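Takeaway 3 describes the payload riding inside a PNG's IDAT chunk. The triage script below is an added example written for this summary, not Morphisec's tooling or the loader's own code: it walks the chunk structure, verifies CRCs, and flags an IDAT stream that is not valid zlib or that decompresses to a size the IHDR cannot explain, plus any chunk appended after IEND. The three PNGs it checks are constructed stand-ins, not samples from the campaign.

```python
import struct
import zlib
SIG = b"\x89PNG\r\n\x1a\n"
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # PNG colour type -> samples per pixel

def png_chunks(data):
    """Yield (type, payload, crc_ok) per chunk; stop at a truncated chunk."""
    if data[:8] != SIG:
        raise ValueError("not a PNG")
    pos = 8
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            break
        payload = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        yield ctype, payload, zlib.crc32(ctype + payload) == crc
        pos += 12 + length

def triage_png(data):
    """Return findings explaining why the IDAT stream does not look like image data."""
    findings, idat, expected, after_iend = [], b"", None, False
    for ctype, payload, crc_ok in png_chunks(data):
        if not crc_ok:
            findings.append(f"bad CRC on {ctype.decode()} chunk")
        if after_iend:
            findings.append(f"{ctype.decode()} chunk after IEND")
        if ctype == b"IHDR":
            w, h, depth, colour = struct.unpack(">IIBB", payload[:10])
            # non-interlaced: each scanline is one filter byte plus the pixel bytes
            expected = h * (1 + (w * CHANNELS.get(colour, 1) * depth + 7) // 8)
        elif ctype == b"IDAT":
            idat += payload
        elif ctype == b"IEND":
            after_iend = True
    try:
        raw = zlib.decompress(idat)
    except zlib.error:
        return findings + ["concatenated IDAT data is not a valid zlib stream"]
    if expected is not None and len(raw) != expected:
        findings.append(f"decompressed IDAT is {len(raw)} bytes, IHDR implies {expected}")
    return findings

def chunk(ctype, payload):  # builds a well-formed chunk, used only for the samples
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))

IHDR = chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))  # 1x1, 8-bit RGB
CLEAN_PNG = SIG + IHDR + chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00")) + chunk(b"IEND", b"")
# Constructed stand-ins: raw bytes in IDAT, and zlib-wrapped bytes far larger than a 1x1 image needs.
RAW_IDAT_PNG = SIG + IHDR + chunk(b"IDAT", b"constructed-placeholder-bytes") + chunk(b"IEND", b"")
SIZED_IDAT_PNG = SIG + IHDR + chunk(b"IDAT", zlib.compress(bytes(64))) + chunk(b"IEND", b"")
```

A clean image yields no findings; the size heuristic is the one that still fires when a loader wraps its payload in a valid zlib stream, so it is worth keeping even though it ignores interlaced images.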