Pierluigi Paganini February 27, 2024

A new malware campaign is targeting a Ukraine entity in Finland with Remcos RAT distributed via a loader called IDAT Loader.

Morphisec Threat Labs researchers observed a new malware campaign targeting a Ukraine entity in Finland with Remcos RAT distributed via a loader called IDAT Loader.

The Computer Emergency Response Team of Ukraine (CERT-UA) linked the attacks to a threat actor tracked as UAC-0184.

The attackers employed steganography as a technique to hide a malicious payload in an image evading signature-based detection.

Remcos is a commercial remote access trojan (RAT) that can allow operators to take over the infected systems. 

Researchers from cybersecurity firm Uptcycs observed a Remcos RAT campaign using phishing emails claiming to be from an Israel Defense Forces consultant.

IDAT stands out as a sophisticated loader that can be used to deploy multiple malware families, including Danabot, SystemBC, and RedLine Stealer. The modular architecture of the IDAT loader allows it to easily add new features. The loader already supports code injection and execution modules, distinguishing it from conventional loaders.

The malware implements multiple evasion techniques, including dynamic loading of Windows API functions, HTTP connectivity tests, process blocklists, and syscalls. The IDAT loader relies on a multi-stage infection chain.

“The initial stage downloads or loads the second stage, housing a module table and the primary instrumentation shellcode. The second stage injects this shellcode into a legitimate DLL or a new process. Subsequently, the main instrumentation shellcode decrypts and executes the final payload, adapting its injection or execution based on file type and configuration flags.” reads the analysis published by Morphisec. “Interestingly, in this case the IDAT modules were embedded within the primary executable, which is commonly downloaded from a remote server.” 

The sample of IDAT loader that was analyzed by the researchers borrows the code from the loader family dubbed Hijack Loader.

The researchers noticed that threat actors behind IDAT Loader used a distinctive array of Tactics, Techniques, and Procedures (TTPs) to avoid explicit connections to prior campaigns.   

The researchers shared Indicators of Compromise (IOCs) for this threat, however an extensive list of IOCs can be found in the CERT-UA bulletin. 

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, cyberattack)