April 19, 2024

Feb 26, 2024 | The Hacker News | Steganography / Malware

Ukrainian entities based in Finland have been targeted as part of a malicious campaign distributing a commercial remote access trojan known as Remcos RAT using a malware loader called IDAT Loader.

The attack has been attributed to a threat actor tracked by the Computer Emergency Response Team of Ukraine (CERT-UA) under the moniker UAC-0184.

“The attack, as part of the IDAT Loader, used steganography as a technique,” Morphisec researcher Michael Dereviashkin said in a report shared with The Hacker News. “While steganographic, or ‘Stego’ techniques are well-known, it is important to understand their roles in defense evasion, to better understand how to defend against such tactics.”


IDAT Loader, which overlaps with another loader family called Hijack Loader, has been used to serve additional payloads like DanaBot, SystemBC, and RedLine Stealer in recent months. It has also been used by a threat actor tracked as TA544 to distribute Remcos RAT and SystemBC via phishing attacks.

The phishing campaign – first disclosed by CERT-UA in early January 2024 – entails using war-themed lures as a starting point to kick-start an infection chain that leads to the deployment of IDAT Loader, which, in turn, uses an embedded steganographic PNG to locate and extract Remcos RAT.
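The article does not say how IDAT Loader hides its payload inside the PNG, so the following is an added triage example, not code from Morphisec or from the original article. It assumes nothing about the real loader; it checks two generic places where a payload can ride along in a PNG that still renders normally: bytes appended after the IEND chunk, and non-standard (private) chunk types carrying high-entropy data. The chunk name `pyLd` and the sample images are constructed for the demonstration.

```python
"""Structural triage of a PNG file for hidden payloads.

Added example (not part of the original article or Morphisec's research).
It parses the PNG chunk structure, validates chunk CRCs, flags chunk types
outside the standard set, and reports any data trailing the IEND chunk.
"""
import math
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME", b"eXIf",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8.0 look random, encrypted or compressed."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_png_chunks(blob: bytes):
    """Return ([(type, data, crc_ok, offset), ...], stop_offset).

    Parsing stops right after IEND, so anything at stop_offset or beyond
    is data the image decoder never looks at.
    """
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc_stored = blob[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(crc_stored) != 4:
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        crc_ok = struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF) == crc_stored
        chunks.append((ctype, data, crc_ok, pos))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, pos


def triage_png(blob: bytes, entropy_threshold: float = 7.0) -> dict:
    """Summarise what an analyst wants: trailing bytes, odd chunks, bad CRCs."""
    chunks, end = parse_png_chunks(blob)
    trailing = blob[end:]
    findings = {
        "trailing_bytes": len(trailing),
        "trailing_entropy": round(shannon_entropy(trailing), 2),
        "nonstandard_chunks": [],   # (type, length, entropy)
        "bad_crc_chunks": [],
    }
    for ctype, data, crc_ok, _off in chunks:
        if ctype not in STANDARD_CHUNKS:
            findings["nonstandard_chunks"].append(
                (ctype.decode("latin-1"), len(data), round(shannon_entropy(data), 2)))
        if not crc_ok:
            findings["bad_crc_chunks"].append(ctype.decode("latin-1"))
    findings["suspicious"] = (
        len(trailing) > 0
        or any(e >= entropy_threshold for _, _, e in findings["nonstandard_chunks"])
        or bool(findings["bad_crc_chunks"])
    )
    return findings


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(payload: bytes = b"", private_chunk: bytes = b"") -> bytes:
    """Constructed 1x1 grayscale PNG, optionally with a private chunk and trailing payload."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit grayscale
    idat = zlib.compress(b"\x00\x00")  # filter byte 0 + one black pixel
    body = PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
    if private_chunk:
        body += _chunk(b"pyLd", private_chunk)  # 'pyLd': constructed private chunk name
    body += _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    return body + payload


if __name__ == "__main__":
    import os
    print("clean:", triage_png(build_sample_png()))
    print("stuffed:", triage_png(build_sample_png(payload=os.urandom(256),
                                                   private_chunk=os.urandom(512))))
```

Run it on any PNG pulled from a suspicious document or download (`triage_png(open(path, "rb").read())`); a clean image reports no trailing bytes and no non-standard chunks. Text chunks such as `tEXt` are deliberately left in the standard set, so a loader that hides data there would need a separate entropy check on those chunks' contents.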

The development comes as CERT-UA revealed that defense forces in the country have been targeted via the Signal instant messaging app to distribute a booby-trapped Microsoft Excel document that executes COOKBOX, a PowerShell-based malware that is capable of loading and executing cmdlets. CERT-UA has attributed the activity to a cluster dubbed UAC-0149.


It also follows the resurgence of malware campaigns propagating PikaBot malware since February 8, 2024, using an updated variant that appears to be currently under active development.

“This version of the PikaBot loader uses a new unpacking method and heavy obfuscation,” Elastic Security Labs said. “The core module has added a new string decryption implementation, changes to obfuscation functionality, and various other modifications.”
