Ukrainian entities based in Finland were targeted in a malicious campaign distributing a commercial remote access trojan (RAT) known as Remcos RAT. The attackers used a malware loader dubbed IDAT Loader together with steganography to evade detection and compromise systems.
The campaign, attributed to a threat actor tracked as UAC-0184, was first detailed by the Computer Emergency Response Team of Ukraine (CERT-UA) in January of this year. The cyberespionage campaign targeted members of the Ukrainian Armed Forces with phishing lures disguised as recruitment efforts for the 3rd Separate Storm Brigade and the Israeli Defense Forces (IDF) to deploy the Remcos RAT and ReverseSSH malware.
In the case observed by Morphisec researchers, the attackers leveraged steganography, a technique used to conceal malicious code within innocuous-looking media files, to obfuscate the payload within image data. Despite the visual distortion of the file, the concealed payload managed to evade signature-based detection, facilitating the successful execution of the malware in memory.
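Because a payload hidden in image data carries no signature a scanner recognises, a defender's complementary check is structural: does the file actually look like the image it claims to be? The following added example (not code from the article or from Morphisec) walks a PNG's chunk layout and flags deviations that a real decoder silently tolerates. The sample images are constructed inline; the trailing-data and oversized-IDAT cases are generic anomalies, not an assertion about how this specific loader stores its payload.

```python
"""Structural triage of PNG files: report anomalies a signature scanner
would not catch. Added example with constructed sample images; it is not
code from the article and makes no claim about the campaign's own files."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Samples per pixel for each PNG colour type (IHDR byte 9).
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}


def make_chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: big-endian length, type, body, CRC32(type+body)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_png(width: int, height: int, extra: bytes = b"", idat_pad: bytes = b"") -> bytes:
    """Constructed minimal 8-bit RGB PNG (filter byte 0 on every scanline).
    `extra` is appended after IEND; `idat_pad` is compressed inside the
    IDAT stream beyond the pixel data. Both simulate hidden, non-image bytes."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x10\x20\x30" * width for _ in range(height))
    return (PNG_SIG + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", zlib.compress(raw + idat_pad))
            + make_chunk(b"IEND", b"") + extra)


def triage_png(data: bytes) -> dict:
    """Walk the chunk list; return chunks seen, findings, and bytes after IEND."""
    findings, chunks = [], []
    if not data.startswith(PNG_SIG):
        return {"chunks": [], "findings": ["missing PNG signature"], "trailing_bytes": 0}
    pos, ihdr, idat, saw_iend = len(PNG_SIG), None, b"", False
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_raw = data[pos + 8 + length:pos + 12 + length]
        name = ctype.decode("latin-1")
        if len(body) != length or len(crc_raw) != 4:
            findings.append(f"truncated {name} chunk at offset {pos}")
            pos = len(data)
            break
        crc_ok = struct.unpack(">I", crc_raw)[0] == (zlib.crc32(ctype + body) & 0xFFFFFFFF)
        chunks.append({"type": name, "offset": pos, "length": length, "crc_ok": crc_ok})
        if not crc_ok:
            findings.append(f"CRC mismatch on {name} chunk at offset {pos}")
        if ctype == b"IHDR":
            ihdr = struct.unpack(">IIBBBBB", body[:13])
        elif ctype == b"IDAT":
            idat += body  # IDAT chunks form one zlib stream when concatenated
        pos += 12 + length
        if ctype == b"IEND":
            saw_iend = True
            break
    trailing = len(data) - pos
    if trailing:
        findings.append(f"{trailing} bytes after IEND (image viewers ignore them)")
    if not saw_iend:
        findings.append("no IEND chunk")
    if ihdr is not None:
        width, height, depth, colour = ihdr[0], ihdr[1], ihdr[2], ihdr[3]
        # Each scanline is one filter byte plus the packed samples.
        expected = height * (1 + (width * CHANNELS.get(colour, 1) * depth + 7) // 8)
        try:
            actual = len(zlib.decompress(idat))
        except zlib.error:
            findings.append("IDAT is not a valid zlib stream")
        else:
            if actual != expected:
                findings.append(f"IDAT decompresses to {actual} bytes, IHDR implies {expected}")
    return {"chunks": chunks, "findings": findings, "trailing_bytes": trailing}


if __name__ == "__main__":
    for label, img in [("clean", build_png(4, 4)),
                       ("trailing data", build_png(4, 4, extra=b"MZ" + b"\x90" * 100)),
                       ("padded IDAT", build_png(4, 4, idat_pad=b"A" * 50))]:
        print(label, "->", triage_png(img)["findings"] or "no findings")
```

The decompressed-size comparison is the most useful of the three checks: a decoder reads exactly the pixels IHDR promises and discards the rest, so a zlib stream that inflates to far more than width times height is a strong sign the image is carrying something other than an image. Run on a mail gateway or sandbox, the findings list feeds a triage queue rather than a block decision, since benign tools also leave trailing metadata on occasion.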
IDAT Loader has a modular architecture and advanced capabilities. It is capable of loading various malware families, including Danabot, SystemBC, and RedLine Stealer. It implements features like code injection, dynamic loading of Windows API functions, and evasion tactics such as HTTP connectivity tests and process blocklists. The infection process involves multiple stages, each serving distinct functionalities.
The initial stage involves downloading or loading the second stage, which contains a module table and primary instrumentation shellcode. This shellcode is subsequently injected into a legitimate DLL or a new process, paving the way for the execution of the final payload.
In the observed attack, the IDAT modules were embedded within the primary executable, which is commonly downloaded from a remote server. The attack chain observed by Morphisec starts with a carefully crafted phishing email supposedly from Ukraine's 3rd Separate Assault Brigade or the Israel Defense Forces.
Recipients deceived into opening the attached shortcut file unwittingly triggered an infection chain, ultimately leading to the activation of the modular malware loader 'IDAT.'