A hacking group known as UAC-0050, with a history of targeting Ukraine, has launched a fresh spying campaign, focusing on government agencies and utilizing the Remcos surveillance tool. This sophisticated remote access software, originally marketed as a legitimate administrative tool, allows hackers to gain complete control over infected systems.
The attackers sent phishing emails disguised as official requests from Ukraine’s security service (SBU), urging recipients to provide critical information under the guise of “national security.” The attached files, purportedly PDFs containing the requested information, instead installed Remcos on the compromised devices.
CERT-UA, Ukraine’s Computer Emergency Response Team, identified the threat actor behind the campaign as UAC-0050, a group active since at least 2020 that targets not only Ukraine but also the Baltic states and Russia. While CERT-UA’s report did not explicitly state the campaign’s goal, the agency indicated it was likely an espionage effort. Notably, the researchers did not directly attribute the attacks to Russia, but they highlighted that the domain names used by the hackers were registered through the Russian company REG.RU.
Remcos, developed by Germany-based Breaking Security, is described as a “highly customizable” remote administration tool with both free and premium versions available. It not only provides remote access but also collects data from targeted devices, including computer information and user credentials. Remcos has the ability to bypass antivirus protection, run as a legitimate process on Windows, and gain admin privileges to disable user account control.
Typically embedded in a malicious ZIP file masquerading as a PDF, Remcos is a versatile tool for threat actors, capable of executing various attack vectors, as evidenced by its deployment in the recent UAC-0050 campaign.
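The “ZIP masquerading as a PDF” delivery described above is something a mail gateway or triage script can catch by comparing an attachment’s claimed type with its actual file signature and by looking at what the archive contains. The following is an added example written for this article, not code from CERT-UA or from any vendor; the file names, the sample archive and the list of risky member extensions are all constructed for the demonstration.

```python
import io
import zipfile

# File signatures (magic bytes) for the two container types in play here.
PDF_MAGIC = b"%PDF-"
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")
# Member extensions inside an archive that warrant analyst attention (constructed list).
RISKY_MEMBER_EXT = (".exe", ".scr", ".dll", ".lnk", ".vbs", ".js", ".bat", ".cmd", ".ps1", ".hta")


def classify_attachment(filename: str, data: bytes) -> dict:
    """Compare the extension an attachment advertises with what its bytes say."""
    declared = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if data.startswith(PDF_MAGIC):
        actual = "pdf"
    elif data.startswith(ZIP_MAGICS):
        actual = "zip"
    else:
        actual = "unknown"
    findings = []
    if declared == "pdf" and actual != "pdf":
        findings.append(f"extension says pdf but content is {actual}")
    if actual == "zip":
        try:
            # Inspect member names only; nothing is extracted or executed.
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():
                    if name.lower().endswith(RISKY_MEMBER_EXT):
                        findings.append(f"archive member {name} has an executable extension")
        except zipfile.BadZipFile:
            findings.append("zip signature present but archive does not parse")
    return {"declared": declared, "actual": actual, "suspicious": bool(findings), "findings": findings}


def build_sample_zip(member_name: str) -> bytes:
    """Build a small constructed archive in memory for the demo (placeholder content, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder bytes for the demonstration")
    return buf.getvalue()


if __name__ == "__main__":
    # A genuine PDF header passes; a ZIP wearing a .pdf name with an .exe inside is flagged twice.
    print(classify_attachment("Request.pdf", b"%PDF-1.7\n"))
    print(classify_attachment("Request.pdf", build_sample_zip("Request.pdf.exe")))
```

A signature check like this is a triage heuristic, not a verdict: a genuine PDF can still carry malicious content, so flagged files should go to sandbox or analyst review rather than being the only control.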