Latest Phishing Wave Targets Ukrainian, Polish Authorities
Hackers Deploy Remcos RAT and Meduza Stealer, Likely for Espionage
A threat actor with a history of sending Trojan-laced phishing emails targeted Ukrainian and Polish authorities with messages bearing the subject lines "judicial claims" and "debts," Ukrainian cyber defenders said Thursday.
The Computer Emergency Response Team of Ukraine attributed the phishing wave to a threat actor it tracks as UAC-0050. Only weeks ago, the same hacking group distributed malicious emails with the subject "Subpoenas to Court." In February, cyber defenders spotted it sending mass emails purportedly on behalf of the Pechersk District Court of the city of Kyiv. The group has been active since 2020, according to CERT-UA.
Beyond the threat actor, all those campaigns have something in common: opening the email attachment will likely result in a download of the Remcos RAT, although this latest campaign also delivered the Meduza Stealer.
As in this phishing wave, the hackers in the previous attack used legitimate but compromised accounts belonging to one of Ukraine's judicial authorities to send the phishing emails.
The hackers have also tried to stay under the radar by using a program obfuscator called SmartAssembly, which deceives antivirus programs and runs the Remcos RAT payload, CERT-UA said.
Remcos, short for Remote Control and Surveillance, is marketed as legitimate software by Germany-based firm BreakingSecurity for remotely managing Windows systems, but it is now widely used in malicious campaigns by threat actors. It can fully control and monitor any Windows computer running Windows XP or later. It can also bypass antivirus protection by running as a legitimate Windows process, and it can gain admin privileges to disable User Account Control.
Remcos RAT was one of the top malware strains of 2021, according to the U.S. Cybersecurity and Infrastructure Security Agency. "Most of the top malware strains have been in use for more than five years with their respective code bases evolving into multiple variations," CISA said.
This is the third time in the space of a month that Ukrainian cyber defenders have observed a phishing campaign from UAC-0050. In November, it targeted Ukrainian government agencies with the same Remcos surveillance tool, using phishing emails disguised as official requests from the Security Service of Ukraine.