A hacker group that has been targeting Ukraine for some time has launched a new campaign against government agencies using a familiar surveillance tool, Remcos.
Hackers can abuse sophisticated remote access software sold and advertised as a legitimate administration tool to take full control of an infected system.
According to research by the National Computer Emergency Response Team (CERT-UA), in a recent attack, hackers sent phishing emails to their targets, disguising them as official requests from the Security Service of Ukraine (SBU).
In the email, the hackers asked victims to provide certain information, claiming it was critical to “national security.” The fake letter contained a warning that if the recipients did not provide the information within the specified period, they would be prosecuted.
The requested information was allegedly listed in an attached PDF file that actually installed Remcos on the target device.
CERT-UA tracks the threat behind this company as UAC-0050. A spokesperson for the agency told Recorded Future News that the group has been active since at least 2020, targeting government institutions not only in Ukraine, but also in the Baltic states and Russia. According to CERT-UA, this year the group was not very active.
In February, the group attacked Ukrainian government bodies twice with Remcos. In one case, hackers sent phishing emails to their victims, disguising them as official requests from the Kyiv court.
Earlier that month, the group sent its targets fake emails containing a malicious file, posing as reminders to pay for services from Ukrtelecom, a major Ukrainian Internet provider.
The new CERT-UA report did not specify the purpose of the recent campaign, but an agency representative said it was most likely an espionage campaign.
Although the researchers did not directly attribute the attack to Russia, they found that the domain names used by the hackers were registered through the Russian company REGRU. (that is, the narrow ones are still somehow involved, who would doubt it)
Remcos was developed by German firm Breaking Security to remotely control Windows systems, according to research by cybersecurity firm Trend Micro.
Breaking Security openly promotes Remcos, describing it as a “lightweight, fast and customizable remote administration tool with a wide range of features”. Users can download the free version of the software or purchase the premium version for $85.
In addition to providing remote access, Remcos may also collect data from target devices, including computer information such as name, system type, and processor version number, as well as user credentials and personal information.
Remcos can also bypass antivirus protection by running as a legitimate Windows process and gain administrative privileges to disable User Account Control.
According to cybersecurity company Check Point, the software is usually embedded in a malicious ZIP file that masquerades as a PDF that purports to contain an invoice or purchase order.
In one attack last year, attackers disguised a phishing email as a payment notification from a trusted bank and asked the recipient to open an attached Excel file, according to Fortinet research.
This Excel file displayed a yellow security bar that warned the victim about unsafe macro code. The message about the file prompted the victim to press a button to bypass the warning and execute the malicious macro code, explains Fortinet. That is why we say that we must always be one step ahead and we do not open any links or files, especially from unknown ones (even if it seems to be from states, examples for you above). It would also not be superfluous to learn how to defend the state online, because every year there are more and more attacks.