Authors: Karthickkumar Kathiresan, Shilpesh Trivedi
Known for its history of relentless cyber-attacks against Ukrainian targets, the UAC-0050 threat group is at it again. But this time, Uptycs researchers have discovered an advanced strategy that allows for a more clandestine data transfer channel, effectively circumventing detection mechanisms employed by Endpoint Detection and Response (EDR) and antivirus systems.
The group’s weapon of choice is RemcosRAT, a notorious malware for remote surveillance and control, which has been at the forefront of its espionage arsenal. However, in their latest operational twist, the UAC-0050 group has integrated a pipe method for interprocess communication, showcasing their advanced adaptability.
Leveraging pipes within the Windows operating system provides a covert channel for data transfer, skillfully evading detection by Endpoint Detection and Response (EDR) and antivirus systems. Although not entirely new, this technique marks a significant leap in the sophistication of the group's strategies.
Targeting the Ukrainian government, the UAC-0050's campaign hints at a politically motivated agenda with potential geopolitical implications. The employment of RemcosRAT and the innovative use of pipe methods for data movement spotlight the group's focus on stealth and intelligence gathering. While the possibility of state sponsorship remains speculative, the group's activities pose an undeniable risk, especially to government sectors reliant on Windows systems.
This blog outlines the technicalities of the attack, providing expert analysis from our researchers at Uptycs. From understanding the nature of pipes in Windows for interprocess communication to analyzing the real-world impact of these advanced evasion techniques, we offer a comprehensive look into this sophisticated cyber-espionage operation.
Our Threat Research Team initiated an investigation after the Uptycs platform alerted to a suspicious .lnk file on December 21, 2023. Analysis revealed UAC-0050's deployment of RemcosRAT in a targeted cyber intelligence operation against Ukrainian government agencies.
The initial attack vector is yet to be pinpointed, though indications lean towards phishing or spam emails, masked as job propositions, targeting Ukrainian military personnel for consultancy roles with the Israel Defense Forces (IDF).
This deceptive tactic, as detailed in the document (Figure 1), involved roles centered around training IDF soldiers in modern warfare techniques, reflecting a complex ruse to infiltrate military networks.
Figure 1–RemcosRAT Military theme
Corroborating these findings, the Ukrainian government, in early December 2023, officially acknowledged a similar attack pattern. As reported on their official website, this incident aligns with the modus operandi of UAC-0050, further solidifying the group's persistent and calculated application of RemcosRAT in their cyber-espionage endeavors.
The LNK file is responsible for initiating the download of an HTA file. Within this HTA file lies a VBS script that, upon execution, triggers a PowerShell script. This PowerShell script endeavors to download a malicious payload (word_update.exe) from a server. Upon launching, word_update.exe executes cmd.exe and shares malicious data through a pipe. Consequently, it leads to the launch of explorer.exe with the malicious RemcosRAT residing in the memory of explorer.exe.
Figure 2–RemcosRAT workflow
The investigation begins with a .lnk file. A .lnk file is a Windows shortcut that points to another file, folder, or application. It allows users to access the linked resource quickly without navigating to its location. Cybercriminals can create .lnk files that, while appearing to be shortcuts to legitimate applications or documents, actually point to and execute malicious software.
In this case, the malicious .lnk file gathers information regarding antivirus products installed on the target computer. It verifies if the display name corresponds to 'Windows Defender'. If so, it proceeds to replace the term with an empty string. As a result, the condition within the ‘if’ statement becomes false, preventing the execution of the ‘exit’ statement. Consequently, the script seamlessly continues with any subsequent code.
Figure 3–LNK file
Towards the end of the .lnk file, the threat actor has obfuscated the URL string. Upon deobfuscation, the string is then executed using MSHTA. The execution code is provided below.
We retrieved the 6.hta file for analysis, discovering that it contains a VBScript file with fully obfuscated script content.
Figure 4–HTA file contains Vbscript
Following the successful deobfuscation of the VBScript, we obtained a PowerShell script. The snapshot below illustrates the deobfuscated code result.
The PowerShell script below represents the deobfuscated flow:
- It initializes a string encoded in Base64, referred to as $lcjcj, and a second Base64-encoded string denoted as $VZnHIGNa.
- It creates an AES decryption object $WrwQUj with specific properties such as CipherMode, PaddingMode, BlockSize, KeySize, and Key, using the Base64-decoded value of $VZnHIGNa.
- It extracts the initialization vector (IV) from the payload.
- It creates a decryptor and decrypts a portion of the payload using AES.
- It creates memory streams and a GzipStream to decompress the decrypted payload.
- It converts the decompressed payload into a byte array.
- It converts the byte array to a UTF-8 string.
- It uses the | powershell - syntax to execute the decrypted payload as a new PowerShell process.
- The actual payload is contained in the variable $hQkGkZK. This payload is the result of executing the PowerShell code contained within the original Base64-encoded string $lcjcj
Figure 5–Uptycs alert: MSHTA execution with internet
The outcome ($hQkGkZK) of the deobfuscated process yielded another PowerShell script containing encoded data, as depicted in the snapshot below.
Figure 6–Powershell script
- It creates file paths by leveraging the user's AppData directory and specific file names.
- It verifies the existence of particular files (word_update.exe and ofer.docx) using Test-Path.
- If these files are present, it invokes the DcO function to carry out actions based on the file extensions. In the absence of these files, it utilizes the JWF function to download data, writes it to a file using JBH, and subsequently calls DcO to perform actions based on the file extensions.
Figure 7–Powershell script and payload execution
Uptycs captured all PowerShell activities deemed suspicious, presenting the de-obfuscated content in the snapshot.
Figure 8–Uptycs alert: powershell suspicious entry
The payloads, namely word_update.exe and ofer.docx, are downloaded from the domain new-tech-savvy[.]com.
The payload files(Doc,exe) are placed in the root of the roaming folder(%appdata%).
Request for downloading word_update.exe.
Figure 9–Downloading executable payload
Upon running word_update.exe, it generates a self copy file in a newly created folder within the roaming directory(%appdata%). However, the name of the self copy file is altered.
Figure 10–Uptycs alert: Process execution from AppData folder
The malware established persistence by creating an entry in the startup folder through the generation of an LNK file. Consequently, fmTask_dbg.exe is executed each time the machine is booted.
The file contains unusual resource data, which is then transferred to memory, and the content undergoes decryption through XOR operations. This is the first level of decryption.
Figure 11–Xor loop
Following this, it invokes the WriteFile API function, where the file handle is denoted by 0x59c, pointing to an unnamed file: \filesystem\npfs. Unnamed pipes necessitate the passing of their handles to the corresponding communicating processes to facilitate the exchange of data.
Figure 12–Handle of unnamed pipe object in which data written by WriteFile API
Threat actors often resort to techniques such as process injection or hollowing to execute malicious code within authentic processes. However, employing a clever strategy, attackers leverage pipes to effectively bypass detection by EDR/AV systems. Initially, the malicious actor spawned a legitimate child process, cmd.exe, using the CreateProcess API without activating the suspended mode. Subsequently, the attacker implemented a plan to move the decrypted output data from the first level (depicted in Figure 11) to cmd.exe.
Figure 13–Uptycs event alert: Createpipe write event
This process was executed through the WriteFile API, utilizing a handle directed at an unnamed pipe. Upon successful completion, the data was transmitted from word_update.exe to cmd.exe. Figure 14 visually represents the memory of cmd.exe with Read-Write protection, housing the malicious data shared through the pipe.
Figure 14– Data moved to memory of cmd.exe
The data in the memory is decrypted during runtime and initiates the execution of the Remcos Remote Access Trojan (RAT). After that launch explorer and moved malicious data in that memory.
Figure 15–Remcos binary in the memory of cmd.exe (RW)
The Remcos execution flow from word_update.exe.
Figure 16–Remcos execution flow from word_update.exe
Uptycs capture of the explorer.exe with malicious activities.
Figure 17–Uptycs alert: Explorer.exe with malicious activity
Upon extracting the binary from cmd.exe memory, we obtained the RemcosRAT payload. Within the payload's Resource section, there is an RCDATA that stores data encrypted using RC4.
Figure 18–RC4 encrypted data in RCDATA
By utilizing CyberChef, we decrypted the data, revealing the configuration file of RemcosRAT.
Figure 19–Cyberchef decryption
C2 Host: port:password: 18.104.22.168:6438:1
copy file: remcos.exe
copy folder: Remcos
Keylog folder: Remcos
Screenshot folder: Screenshots
Keylog file: logs.dat
The Remcos version identified is 4.9.2 Pro, and it has successfully gathered information about the victim, including the computer name and username.
RemcosRAT removes cookies and login data from the following browsers: Internet Explorer, Firefox, and Chrome. This action aids in preventing the recording of malware entries on the victim machines.
Figure 20–Browser data
It configures registry values for the executable path, license, and time associated with the thread.
Figure 21–Registry key
Request for downloading ofer.docx.
Figure 22–Downloading document payload
Dropped file alert from uptycs.
Figure 23–Uptycs alert: Dropped doc filee
After the download of ofer.docx is complete, it is executed using winword.exe.This file does not contain macros; instead, it displays a defensive message from a consultant to the Israel Defense Forces (IDF).
Figure 24–Document File with Ukrainian language and Defense theme
Figure 25–Translated word document
Initially, virustotal did not detect any instances of word_update.exe. However, at the same time, Uptycs XDR detected RemcosRAT.
Figure 26–Virustotal detection
Uptycs XDR coverage
Uptycs XDR demonstrates robust detection capabilities, featuring built-in YARA support and advanced functionalities for identifying threats such as RemcosRAT. Users can efficiently scan for potential risks, leveraging the contextual detection power of XDR to access crucial details about detected malware. Navigating to the toolkit data section within the detection screen allows users to easily explore comprehensive profiles of identified items.
Additionally, Uptycs excels in addressing cybersecurity threats by providing the capability to decode and decrypt obfuscated PowerShell scripts, expanding its arsenal for thorough threat detection and mitigation. A notable highlight is the detection graph presented on the detection page, offering a dynamic visual representation of process relationships, including interconnected files, sockets, and lateral movements during an incident.
Figure 27–Uptycs detection
Conclusion and precaution
To defend against malware attacks like the RemcosRAT, it is recommended to:
- Utilize sophisticated email filtering solutions to autonomously identify and eliminate spam messages prior to reaching users' email inboxes.
- Refrain from clicking on hyperlinks or opening attachments in emails identified as spam.
- Deploy network monitoring tools to identify abnormal communication patterns that could signal the presence of remote access tools.
- Consistently examine and secure system configurations, verifying that superfluous services and startup entries are either disabled or closely monitored.
- Leverage tools based on behavioral analysis to identify unusual activities that may suggest attempts by RATs to establish persistence or communicate with command and control servers.
Read more blogs from our Threat Research Team to discover the latest
threat intelligence and defensive measures.