Ukrainian entities based in Finland have become targets of a sophisticated cyber campaign employing the Remcos RAT via the IDAT Loader, according to findings by the Computer Emergency Response Team of Ukraine (CERT-UA). This attack, attributed to a threat actor tracked as UAC-0184, utilizes steganography within the IDAT Loader, obscuring its malicious payloads to evade detection. The IDAT Loader, associated with another loader family named Hijack Loader, has been employed to distribute various payloads including DanaBot, SystemBC, and RedLine Stealer, highlighting the versatility of the attack vector.
The modus operandi of the attackers involves employing war-themed phishing lures to initiate an infection chain leading to the deployment of the IDAT Loader. Once executed, the IDAT Loader employs an embedded steganographic PNG file to locate and extract the Remcos RAT, amplifying the complexity of defense strategies against such threats. Furthermore, CERT-UA has unveiled that Ukrainian defense forces have been targeted through the Signal messaging app, utilizing a booby-trapped Microsoft Excel document to execute COOKBOX, a PowerShell-based malware attributed to the cluster UAC-0149.
The emergence of these cyber threats coincides with a resurgence of malware campaigns disseminating PikaBot malware, featuring an updated variant incorporating new unpacking methods and heavy obfuscation. Elastic Security Labs highlights the sophistication of this version, indicating ongoing development efforts by threat actors to enhance their malware capabilities. These revelations underscore the persistent and evolving nature of cyber threats, necessitating heightened vigilance and robust cybersecurity measures to safeguard critical infrastructure and organizations against malicious intrusions.
