Keypoints
- IDAT loader used embedded steganographic PNGs (marker 0xEA79A5C6) to hide and extract payload code from image pixel data.
- The loader downloads/configures stages from a URL (hxxps://aveclagare[.]org/…), requiring the response content ‘(func’ as a decryption key for the next stage.
- Dynamic API resolution and runtime decryption: the loader resolves InitOnceExecuteOnce and VirtualProtect at runtime, makes .text RWX, copies decrypted code there, and transfers execution.
- Injection and module stomping: the loader injects the next stage into a legitimate library (PLA.dll) to evade detection and execute Remcos RAT.
- Remcos RAT provides C2 communications (example: 194.87.31[.]181) used for remote control, data collection, and exfiltration.
- Distinct artifacts include a unique user-agent string ‘racon’, a downloader filename/EXE (DockerSystem_Gzv3.exe) with a known hash, and identifiable stego markers and extracted code patterns.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – Used as the initial delivery vector in related incidents: ‘delivered as a phishing email claiming to be from an Israel Defense Forces consultant’
- [T1027.003] Steganography – Hiding payload inside image pixel data; loader used an embedded steganographic PNG and marker ‘0xEA79A5C6’ to locate and extract the payload: ‘embedded steganographic PNG to locate and extract the payload, identified by the value 0xEA79A5C6 as the starting point.’
- [T1055] Process Injection – The second stage injects shellcode into a legitimate DLL or new process to execute payloads: ‘inject the succeeding stage code to the loaded legitimate library, otherwise popularized as ‘Module Stomping’.’
- [T1204.002 / T1059] Execution via User Execution / Command and Scripting Interpreter – The loader decrypts and transfers execution to in-memory code, altering .text and calling the copied stage: ‘copies the following stage code to a predefined function location in the .text section and transfers the execution point to the just copied code through a regular call.’
- [T1547] Persistence – Using the loader to deploy Remcos supports continued access to the compromised system: ‘the usage of the IDAT loader to deliver the Remcos RAT… ensures persistent access to the compromised system.’
- [T1548] Abuse Elevation Control Mechanism (Privilege Escalation) – Code injection/module stomping can enable execution with elevated privileges: ‘code injection techniques like module stomping can lead to privilege escalation.’
- [T1071] Application Layer Protocol (Command and Control) – Remcos establishes C2 channels to communicate with attacker servers: ‘The Remcos RAT establishes a command and control channel to communicate with the attacker’s server and receive further instructions.’
- [T1119] Automated Collection – Post-compromise capabilities include data collection and surveillance: ‘allows attackers to quickly and easily control an infected computer, steal personal information, and surveil a victim’s activity.’
- [T1041] Exfiltration Over C2 Channel – Collected data can be sent back to attacker infrastructure via established Remcos C2 channels (example C2: ‘194.87.31[.]181’).
Indicators of Compromise
- [IP] Remcos C2 – 194.87.31[.]181 (listed as Remcos command-and-control server)
- [URL/Domain] Downloader endpoint – hxxps://aveclagare[.]org/wp-content/plugins/wpstream/public/js/youtube.min.js (used to return ‘(func’ as decryption key)
- [Filename / Hash] Malicious dropper/sample – DockerSystem_Gzv3.exe – 4b36a82e1781ffa1936703971e2d94369e3059c8524d647613244c6f9a92690b
- [String / Marker] Steganographic marker – 0xEA79A5C6 used as the start offset to extract embedded payload from PNG
- [User-Agent / Artifact] Unique campaign user-agent – ‘racon’ (used as a key/identifier in connectivity and delivery checks)
The technical execution begins with a multilayer IDAT loader that embeds modules and a steganographic PNG within its primary executable. The loader first retrieves or validates a download endpoint (notably hxxps://aveclagare[.]org/…), expecting the literal content ‘(func’ to serve as the decryption key. Using that key, the loader decrypts an in-file code block, dynamically resolves API names at runtime (including InitOnceExecuteOnce), and then modifies memory protections via resolved VirtualProtect to set the .text section to RWX so it can copy and call the decrypted stage in-memory.
Payload extraction relies on steganography: the embedded PNG contains encoded bytes starting at marker 0xEA79A5C6; the loader parses the image pixel data to reconstruct the next-stage code. After decryption and in-memory staging, the loader uses module stomping by loading a legitimate system DLL (PLA.dll) and injecting the succeeding stage into that library to evade detection, ultimately deploying the Remcos RAT payload.
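The following scanner is an added defensive example written for this summary; it is not code from the Morphisec write-up or from the loader itself. It parses a PNG chunk by chunk (verifying CRCs), inflates the IDAT data into the raw pixel stream, and searches that stream for the 0xEA79A5C6 marker so an analyst can confirm whether an embedded image carries a hidden stage and carve the bytes that follow it. The byte order in which the loader stores the marker is not stated on the page, so both encodings are searched (an assumption); the sample PNG and the placeholder "stage" bytes are constructed inline so the code runs offline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Marker value quoted on the page. The byte order the loader uses is not
# stated, so both little- and big-endian encodings are searched (assumption).
STEGO_MARKER = 0xEA79A5C6
MARKER_PATTERNS = {
    "little": STEGO_MARKER.to_bytes(4, "little"),
    "big": STEGO_MARKER.to_bytes(4, "big"),
}


def iter_png_chunks(data: bytes):
    """Yield (chunk_type, payload) for each chunk, verifying every CRC."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(payload) != length or len(crc) != 4:
            raise ValueError(f"truncated {ctype!r} chunk at offset {pos}")
        expected = struct.pack(">I", zlib.crc32(ctype + payload) & 0xFFFFFFFF)
        if crc != expected:
            raise ValueError(f"bad CRC on {ctype!r} chunk at offset {pos}")
        yield ctype, payload
        pos += 12 + length
        if ctype == b"IEND":
            break


def decompressed_pixel_stream(png: bytes) -> bytes:
    """Concatenate all IDAT chunks and inflate them into raw scanline bytes."""
    idat = b"".join(p for t, p in iter_png_chunks(png) if t == b"IDAT")
    return zlib.decompress(idat)


def find_stego_marker(png: bytes):
    """Return (byte_order, offset) of the marker in the pixel stream, or None."""
    pixels = decompressed_pixel_stream(png)
    for order, pattern in MARKER_PATTERNS.items():
        offset = pixels.find(pattern)
        if offset != -1:
            return order, offset
    return None


def carve_after_marker(png: bytes) -> bytes:
    """Return the bytes that follow the marker (the hidden stage), or b''."""
    hit = find_stego_marker(png)
    if hit is None:
        return b""
    _, offset = hit
    return decompressed_pixel_stream(png)[offset + 4:]


# --- constructed sample so the scanner runs offline -------------------------

def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample_png(hidden: bytes) -> bytes:
    """Build a one-row RGB PNG whose pixel bytes contain the marker and `hidden`."""
    pixel_bytes = b"\x00\x00\x00" + MARKER_PATTERNS["little"] + hidden
    width = (len(pixel_bytes) + 2) // 3          # 3 bytes per RGB pixel
    pixel_bytes = pixel_bytes.ljust(width * 3, b"\x00")
    raw = b"\x00" + pixel_bytes                  # filter type 0 (None), one scanline
    ihdr = struct.pack(">IIBBBBB", width, 1, 8, 2, 0, 0, 0)
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


# Constructed placeholder standing in for the hidden stage; not real malware bytes.
HIDDEN_STAGE = b"STAGE2-PLACEHOLDER-BYTES"
SAMPLE_PNG = build_sample_png(HIDDEN_STAGE)

if __name__ == "__main__":
    print(find_stego_marker(SAMPLE_PNG))    # ('little', 4)
    print(carve_after_marker(SAMPLE_PNG))
```

Searching the inflated pixel stream rather than the raw file matters: because IDAT data is zlib-compressed, the marker will usually not be visible to a plain byte search over the PNG on disk. Running `find_stego_marker` over every PNG resource extracted from a suspicious executable is the corresponding triage step.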
Once active, Remcos establishes application-layer C2 communications (example C2: 194.87.31[.]181) for remote command execution, data collection, and exfiltration. Other notable artifacts useful for detection and hunting include the downloader filename DockerSystem_Gzv3.exe and its hash (4b36a8…), the unique user-agent string ‘racon’, and the stego marker 0xEA79A5C6 within embedded PNG data.
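As an added hunting example (not code from the original post), the snippet below turns the indicators listed on this page into a small proxy-log sweep: it refangs the defanged values, flags requests that carry the ‘racon’ user-agent, reach the Remcos C2 address, or fetch the youtube.min.js downloader endpoint, and checks a file's SHA-256 against the DockerSystem_Gzv3.exe hash. The log line format and the sample lines (including the destination IP shown for aveclagare.org) are constructed for the example and are assumptions, not data from the page.

```python
import hashlib
import re

# Indicators as quoted on the page (kept in defanged form here).
INDICATORS = {
    "c2_ip": "194.87.31[.]181",
    "downloader_url": ("hxxps://aveclagare[.]org/wp-content/plugins/"
                       "wpstream/public/js/youtube.min.js"),
    "user_agent": "racon",
    "dropper_sha256": "4b36a82e1781ffa1936703971e2d94369e3059c8524d647613244c6f9a92690b",
}


def refang(value: str) -> str:
    """Turn a defanged indicator back into the form that appears in logs."""
    return (value.replace("[.]", ".")
                 .replace("hxxps://", "https://")
                 .replace("hxxp://", "http://"))


# Hypothetical proxy log format (an assumption of this example):
#   <timestamp> <client_ip> <dest_ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>\S+) '
    r'(?P<url>\S+) (?P<status>\d+) "(?P<ua>[^"]*)"$'
)

# Constructed sample lines; the destination IP for aveclagare.org is invented.
SAMPLE_PROXY_LOG = [
    '2024-02-21T10:01:02Z 10.0.0.5 203.0.113.10 GET https://example.com/ 200 "Mozilla/5.0"',
    '2024-02-21T10:01:10Z 10.0.0.5 203.0.113.20 GET '
    'https://aveclagare.org/wp-content/plugins/wpstream/public/js/youtube.min.js 200 "racon"',
    '2024-02-21T10:02:30Z 10.0.0.5 194.87.31.181 POST https://194.87.31.181/ 200 "Mozilla/5.0"',
    'garbage line that does not parse',
]


def hunt_proxy_log(lines):
    """Return [(timestamp, client_ip, [reasons])] for lines matching an indicator."""
    c2_ip = refang(INDICATORS["c2_ip"])
    downloader_url = refang(INDICATORS["downloader_url"])
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # unparsable line: skip it rather than abort the hunt
        reasons = []
        if m["ua"] == INDICATORS["user_agent"]:
            reasons.append("user-agent 'racon'")
        if m["dst"] == c2_ip:
            reasons.append("Remcos C2 IP")
        if m["url"] == downloader_url:
            reasons.append("IDAT loader downloader URL")
        if reasons:
            hits.append((m["ts"], m["src"], reasons))
    return hits


def is_known_dropper(file_bytes: bytes) -> bool:
    """True if the SHA-256 of file_bytes equals the DockerSystem_Gzv3.exe hash."""
    return hashlib.sha256(file_bytes).hexdigest() == INDICATORS["dropper_sha256"]


if __name__ == "__main__":
    for ts, src, reasons in hunt_proxy_log(SAMPLE_PROXY_LOG):
        print(ts, src, ", ".join(reasons))
```

The user-agent check is the most durable of the three: the C2 address and downloader host can change between campaigns, whereas an exact-match ‘racon’ user-agent is unusual enough in proxy telemetry to be worth an alert on its own.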
Read more: https://blog.morphisec.com/unveiling-uac-0184-the-remcos-rat-steganography-saga