New Phishing Tactics Variant: UAC-0050 Group Distributes Remcos RAT

admin, January 5, 2024, 17:47:00


The threat actor known as UAC-0050 is leveraging phishing attacks to distribute Remcos RAT using new strategies to evade detection from security software.


"The group's weapon of choice is Remcos RAT, a notorious malware for remote surveillance and control, which has been at the forefront of its espionage arsenal," Uptycs security researchers Karthickkumar Kathiresan and Shilpesh Trivedi said in a Wednesday report.


"However, in their latest operational twist, the UAC-0050 group has integrated a pipe method for interprocess communication, showcasing their advanced adaptability."


UAC-0050, active since 2020, has a history of targeting Ukrainian and Polish entities via social engineering campaigns that impersonate legitimate organizations to trick recipients into opening malicious attachments.


In February 2023, the Computer Emergency Response Team of Ukraine (CERT-UA) attributed the adversary to a phishing campaign designed to deliver Remcos RAT.


Over the past few months, the same trojan has been distributed as part of at least three different phishing waves, with one such attack also leading to the deployment of an information stealer called Meduza Stealer.


The analysis from Uptycs is based on a LNK file it discovered on December 21, 2023. While the exact initial access vector is currently unknown, it's suspected to have involved phishing emails targeting Ukrainian military personnel that claim to advertise consultancy roles with the Israel Defense Forces (IDF).



The LNK file in question collects information regarding antivirus products installed on the target computer, and then proceeds to retrieve and execute an HTML application named "6.hta" from a remote server using mshta.exe, a Windows-native binary for running HTA files.


This step paves the way for a PowerShell script that unpacks another PowerShell script to download two files called "word_update.exe" and "ofer.docx" from the domain new-tech-savvy[.]com.


Running word_update.exe causes it to create a copy of itself with the name fmTask_dbg.exe and establish persistence by creating a shortcut to the new executable in the Windows Startup folder.


The binary also employs unnamed pipes to facilitate the exchange of data between itself and a newly spawned child process for cmd.exe in order to ultimately decrypt and launch the Remcos RAT (version 4.9.2 Pro), which is capable of harvesting system data and cookies and login information from web browsers like Internet Explorer, Mozilla Firefox, and Google Chrome.

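As an added defender-side example (not code from the Uptycs report or from this article), the following Python runs a few detection rules over constructed process-creation and file-creation events that mirror the chain described above: mshta.exe launching a remote HTA, PowerShell spawned by mshta.exe, a shortcut dropped into the Startup folder, and cmd.exe spawned by a binary living in a user-writable path. The event shape, the user paths and the remote HTA host are assumptions; only the file names (6.hta, word_update.exe, fmTask_dbg.exe) come from the report.

```python
import re

# Constructed sample telemetry, loosely shaped like Sysmon process-creation
# (id 1) and file-creation (id 11) records. Not real events from the campaign;
# the user paths and the remote HTA host are placeholders.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "mshta.exe http://REMOTE-HOST-PLACEHOLDER/6.hta"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\mshta.exe", "cmdline": "powershell.exe"},
    {"id": 11, "image": r"C:\Users\victim\Downloads\word_update.exe",
     "target": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup\fmTask_dbg.lnk"},
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\victim\Downloads\fmTask_dbg.exe", "cmdline": "cmd.exe"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe",   # benign control
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]

REMOTE_HTA_RE = re.compile(r"https?://\S+\.hta\b", re.IGNORECASE)
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)
USER_PATH_RE = re.compile(r"^[A-Z]:\\Users\\", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, detail) pairs for events matching the described chain."""
    hits = []
    for ev in events:
        image, parent = basename(ev.get("image", "")), basename(ev.get("parent", ""))
        cmdline = ev.get("cmdline", "")
        if ev["id"] == 1:
            # LNK stage: mshta.exe pulling an HTA from a remote server
            if image == "mshta.exe" and REMOTE_HTA_RE.search(cmdline):
                hits.append(("remote_hta_execution", cmdline))
            # HTA stage: PowerShell spawned by mshta.exe
            if image == "powershell.exe" and parent == "mshta.exe":
                hits.append(("mshta_spawns_powershell", ev["parent"]))
            # Pipe stage: cmd.exe child of a binary living in a user-writable path
            if image == "cmd.exe" and USER_PATH_RE.match(ev.get("parent", "")):
                hits.append(("cmd_child_of_user_path_binary", ev["parent"]))
        elif ev["id"] == 11 and STARTUP_LNK_RE.search(ev.get("target", "")):
            # Persistence stage: shortcut dropped into the Startup folder
            hits.append(("startup_folder_shortcut", ev["target"]))
    return hits
```

Each rule fires independently, so a single hit is a lead to triage rather than a verdict; the full sequence on one host is the stronger signal.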

"Leveraging pipes within the Windows operating system provides a covert channel for data transfer, skillfully evading detection by Endpoint Detection and Response (EDR) and antivirus systems," the researchers said.


"Although not entirely new, this technique marks a significant leap in the sophistication of the group's strategies."


Originally published on the WeChat official account 知机安全: New Phishing Tactics Variant: UAC-0050 Group Distributes Remcos RAT

Posted on January 5, 2024, 17:47:00.
Please keep this link when reposting (CN-SEC Chinese site; thanks go to the original author): http://cn-sec.com/archives/2366908.html