Ukraine CERT-UA warns of phishing attacks employing Remcos software

The Computer Emergency Response Team of Ukraine (CERT-UA) warns of a new wave of attacks against state authorities to deploy the Remcos software.

The Computer Emergency Response Team of Ukraine (CERT-UA) is warning of a phishing campaign aimed at state authorities that involves the use of the legitimate remote access software Remcos.

The phishing emails, allegedly from JSC “Ukrtelecom”, have the subject “Court claim against your personal account # 7192206443063763 dated: 06.02.2023” and come with .RAR attachment named “court letter, information on debt.rar”.

The RAR archive contains a text document named “Your personal access code -254507.txt” and another password-protected RAR-archive named “court letter, information on debt. pdf.rar.” The latter archive contains an executable named “court letter, information on debt.pdf.exe.” Upon executing the executable, an the Remcos remote monitoring and surveillance program is installed on the victim’s machine.

The alert pointed out that this executable is more than 600MB in size.

Remcos is a legitimate remote monitoring and surveillance software developed by the company “BreakingSecurity.”

The CERT-UA attributed the campaign to a nation-state actor tracked as UAC-0050.

“Detected activity has been tracked under UAC-0050 since at least 2020. Previous cyberattacks by the mentioned group were carried out using the program for remote administration RemoteUtilities.” reads the alert issued by the Ukrainian CERT. “Based on the fact that the objects of cyberattacks are usually (but not exclusively) the state authorities of Ukraine, and also, taking into account the functionality of the programs used, we believe that the activity is carried out for the purpose of espionage.”

The alert published by the CERT-UA also included Indicators of Compromise (IoCs).

Recently, the State Cyber Protection Centre (SCPC) of Ukraine also warned of targeted attacks conducted by the Russia-linked APT group Gamaredon (aka Shuckworm, Actinium, Armageddon, Primitive Bear, UAC-0010, and Trident Ursa) against public authorities and critical information infrastructure in Ukraine.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Remcos)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.