Cybercrime , Fraud Management & Cybercrime

Ukrainian, Polish Authorities Latest Phishing Wave Targets

Hackers Deploy Remcos RAT and Meduza Stealer Likely for Espionage
Ukrainian, Polish Authorities Latest Phishing Wave Targets
Kyiv after Russian shelling on March 29, 2022 (Image: Shutterstock)

A threat actor with a history of sending Trojan-laced phishing emails targeted Ukrainian and Polish authorities with emails with the subject lines "judicial claims" and "debts," Ukrainian cyber defenders said Thursday.

See Also: How to Build Your Cyber Recovery Playbook

The Computer Emergency Response Team of Ukraine attributed the phishing wave to a threat actor it tracks as UAC-0050. The same hacking group only weeks ago distributed malicious emails mails with the subject "Subpoenas to Court." Cyber defenders in February spotted it sending mass emails allegedly on behalf of the Pechersk District Court of the city of Kyiv. The group has been active since 2020, according to CERT-UA.

In addition to the threat actor, all those campaigns have something in common: Opening the email attachment will likely result in a download of the RemcosRAT, although this latest campaign also contained the MeduzaStealer.

As was the case in this phishing wave, hackers in the previous attack used legitimate compromised accounts of one of the judicial authorities in Ukraine to transmit the phishing emails.

The hackers have also made an effort to stay under the radar by using a program obfuscator called SmartAssembly, which deceives antivirus programs and runs the Remcos RAT payload, CERT-UA said.

Remcos, a short name for Remote Control and Surveillance, is marketed as a legitimate software by Germany-based firm BreakingSecurity for remotely managing Windows systems, but is now widely used in multiple malicious campaigns by threat actors. It can be used to fully control and monitor any Windows computer from XP operating system onward. It can also bypass antivirus protection by running as a legitimate process on Windows and gain admin privileges to disable user account control.

Remcos RAT was one of the top malware strains of 2021, according to the U.S. Cybersecurity and Infrastructure Security Agency. "Most of the top malware strains have been in use for more than five years with their respective code bases evolving into multiple variations," CISA said.

This is the third time in the space of a month that the Ukrainian cyber defenders observed a phishing campaign from UAC-0050. In November, it targeted the Ukrainian government agencies with the same Remcos surveillance tool using phishing mails disguised as official requests from the Security Service of Ukraine.

About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.