2024-01-11

Uptycs Reveals Hidden Data Channel in Ukrainian Targeted Campaign

Level: Tactical | Source: Uptycs | Government

Uptycs researchers have uncovered a cyber-espionage campaign run by the UAC-0050 threat group, which is known for targeting Ukrainian entities. The group's choice of RemcosRAT as its payload is not new, but this campaign added a novel data transfer method: Windows pipes. By moving data between processes over a pipe, the attackers gained a covert channel chosen to evade Endpoint Detection and Response (EDR) and antivirus products.

The initial access vector was not determined, but the campaign's lure documents point to phishing or email spam. The documents were disguised as job offers for consultancy roles with the Israel Defense Forces (IDF) and were aimed at Ukrainian military personnel. In the chain analysed by Uptycs, a .lnk file downloaded an HTA file containing VBS and PowerShell scripts; those scripts in turn retrieved RemcosRAT and injected it into the memory of the explorer.exe process. Persistence was established with LNK files placed in the Startup folder, while the pipe-based transfer of data between processes served to keep the malware's activity out of sight of security tools.

The pipe technique starts with the malware launching a cmd.exe process through the CreateProcess API, notably without the suspended mode (CREATE_SUSPENDED) that process-injection tooling commonly relies on, so the launch looks like an ordinary process start. According to Uptycs, the malware then supplies input to that process with the WriteFile API through a handle to an unnamed (anonymous) pipe. Once the write succeeds, data flows from the malicious executable, word_update.exe (downloaded by the PowerShell script), into cmd.exe, giving the malware a covert inter-process transfer channel. Uptycs assesses that the campaign was politically motivated and that the stealth techniques served intelligence-gathering.
