Remcos RAT malware distributed via Windows UAC bypass

Organizations across Eastern Europe are being targeted in a new malware campaign exploiting a Windows User Account Control bypass to distribute the DBatLoader and Remcos RAT malware, according to BleepingComputer. Attackers commence the operation with phishing emails disguised as invoices and other financial files that include a tar.lz archive with the DBatLoader executable, a report from SentinelOne revealed. Victims are lured into opening DBatLoader's initial stage payload, which masquerades as Microsoft Office, PDF, or LibreOffice documents, which will be followed by the retrieval of the second-stage payload from Microsoft OneDrive or Google Drive. However, Remcos RAT will only be loaded following DBatLoader's execution of a Windows batch script exploiting a Windows UAC evasion technique involving both mock trusted directories and DLL hijacking. "easinvoker.exe is an auto-elevated executable, meaning that Windows automatically elevates this process without issuing a UAC prompt if located in a trusted directory the mock %SystemRoot%System32 directory ensures this criteria is fulfilled," said researchers.