Threat operation UAC-0050 has leveraged the Remcos surveillance tool in new attacks against Ukrainian government agencies believed to be part of a cyberespionage campaign, reports The Record, a news site by cybersecurity firm Recorded Future.
Organizations targeted by the campaign have been sent phishing emails purportedly from Ukraine's security service seeking recipients to fill out certain information in an attached PDF document, which facilitated Remcos installation, according to a report from Ukraine's Computer Emergency Response Team.
Remcos, which enables remote access and data exfiltration and can also evade antivirus systems, had already been leveraged by UAC-0050 in two campaigns targeting Ukraine in February: the first involved phishing emails spoofing payment reminders from major Ukrainian internet service provider Ukrtelecom, while the other used emails masquerading as official Kyiv court requests.
UAC-0050 leveraged Russian firm REG.RU for domain registration but has not yet been linked to a specific nation-state actor.
Increasingly prevalent state-sponsored intrusions have been partly fueled by escalating activities from both countries' non-state attackers, with Russia commonly tapping hacktivist groups and China partnering with universities and businesses in its malicious cyber operations.
Malicious emails delivered by attackers — who sometimes spoofed Microsoft employees or leveraged Microsoft- and Amazon Web Services-related social engineering lures — included Remote Desktop Protocol configuration files as attachments, which when executed established a connection between the targeted devices and the attacker-controlled server.