The UAC-0050 threat group has targeted Ukraine with a more advanced phishing campaign distributing the Remcos RAT, a commercially sold remote access tool used for surveillance. The new intrusions use unnamed (anonymous) pipes for inter-process communication in an effort to evade endpoint security detection, according to The Hacker News.
Although the initial attack vector in the new intrusions remains uncertain, UAC-0050 is suspected of sending phishing emails advertising Israel Defense Forces consultancy vacancies to Ukrainian military personnel, according to a report from Uptycs.
These emails carried an LNK file that collects information about the antivirus products on the target system before installing an HTML application (HTA), which in turn launches two PowerShell scripts and drops a pair of files. One of those files spawns a new cmd.exe child process and exchanges data with it over unnamed pipes in order to decrypt and execute Remcos RAT.
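One way a defender can look for this chain in process telemetry, as an added example that is not code from the Uptycs or The Hacker News reporting: the Python below builds a process tree from Sysmon-style process-creation events and flags any cmd.exe whose ancestry includes the mshta.exe and powershell.exe stages described above. The events, PIDs and file names (offer.hta, stage1.ps1, stage.exe) are constructed for illustration. The "bare cmd.exe" indicator is an assumption, not something the report states: if commands reach the child over a pipe rather than via `/c`, nothing incriminating need appear on its command line.

```python
import json

# Constructed sample telemetry, not data from the Uptycs report: Sysmon-style
# process-creation events (Event ID 1 fields), one JSON object per line.
# PIDs, paths and the loader name "stage.exe" are invented for illustration.
SAMPLE_EVENTS = r"""
{"ProcessId": 900,  "ParentProcessId": 4,    "Image": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe"}
{"ProcessId": 1001, "ParentProcessId": 900,  "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta.exe C:\\Users\\victim\\AppData\\Local\\Temp\\offer.hta"}
{"ProcessId": 1002, "ParentProcessId": 1001, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -w hidden -ep bypass -f stage1.ps1"}
{"ProcessId": 1003, "ParentProcessId": 1002, "Image": "C:\\Users\\victim\\AppData\\Roaming\\stage.exe", "CommandLine": "stage.exe"}
{"ProcessId": 1004, "ParentProcessId": 1003, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"}
{"ProcessId": 2001, "ParentProcessId": 900,  "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "\"C:\\Windows\\System32\\cmd.exe\""}
{"ProcessId": 3001, "ParentProcessId": 900,  "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe"}
{"ProcessId": 3002, "ParentProcessId": 3001, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}
"""

# Stages of the reported chain that must appear above a cmd.exe for it to be flagged.
STAGE_PARENTS = {"mshta.exe", "powershell.exe"}


def parse_events(text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def image_name(path):
    """Lower-case file name of an Image path (accepts either separator)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(pid, by_pid, limit=32):
    """Image names from the process's parent upward, nearest parent first.
    Stops at an unknown PID, a PPID loop, or after `limit` hops."""
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and len(chain) < limit:
        ppid = cur["ParentProcessId"]
        if ppid in seen:
            break
        seen.add(ppid)
        parent = by_pid.get(ppid)
        if parent is None:
            break
        chain.append(image_name(parent["Image"]))
        cur = parent
    return chain


def cmd_has_inline_command(cmdline):
    """True when cmd.exe was given /c or /k, i.e. its work is visible on the
    command line. Assumption used as a secondary indicator: a bare cmd.exe
    under a non-console parent is consistent with commands arriving over
    redirected stdin, such as an anonymous pipe."""
    tokens = cmdline.lower().split()
    return any(t in ("/c", "/k") for t in tokens[1:])


def find_suspicious_cmd(events):
    """Flag cmd.exe processes whose ancestry contains the HTA -> PowerShell
    stages; record whether the cmd.exe was launched with no inline command."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for e in events:
        if image_name(e["Image"]) != "cmd.exe":
            continue
        chain = ancestry(e["ProcessId"], by_pid)
        if not STAGE_PARENTS.issubset(chain):
            continue  # no mshta.exe + powershell.exe stage above this cmd.exe
        findings.append({
            "pid": e["ProcessId"],
            "parent": chain[0] if chain else None,
            "chain": chain,
            "bare_cmd": not cmd_has_inline_command(e["CommandLine"]),
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_cmd(parse_events(SAMPLE_EVENTS)):
        print(f"cmd.exe pid={f['pid']} parent={f['parent']} bare={f['bare_cmd']} "
              f"chain={' <- '.join(f['chain'])}")
```

Run as-is, the script flags only PID 1004: the interactive cmd.exe under explorer.exe (2001) and the PowerShell-spawned `cmd.exe /c whoami` (3002) have no mshta.exe stage above them and are left alone. The example deliberately does not try to observe the pipe itself: an anonymous pipe has no name for pipe-event telemetry to match on, so the process lineage and the empty command line are what remain visible to a defender.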
"Leveraging pipes within the Windows operating system provides a covert channel for data transfer, skillfully evading detection by Endpoint Detection and Response (EDR) and antivirus systems. Although not entirely new, this technique marks a significant leap in the sophistication of the group's strategies," said researchers.