Rewterz Threat Alert – New IDAT Loader Malware Deploys Remcos RAT Using Steganography Techniques – Active IOCs

Severity

High

Analysis Summary

Ukrainian individuals and organizations that are based in Finland are being targeted as part of a malicious campaign propagating the infamous commercial remote access trojan Remcos RAT by using a malware loader named IDAT Loader. The campaign has been linked to a threat actor who is tracked as UAC-0184.

The attack chain uses the steganography technique, which is a well-known technique that hides information within another message or object to avoid being detected. It is important to understand its role in defense evasion and how to shield against such tactics. IDAT Loader overlaps with another loader malware family known as HijackLoader and has been used to deliver additional payloads such as SystemBC, DanaBot, and RedLine Stealer within the past months. It was also leveraged by a threat actor tracked as TA544 to spread SystemBC and Remcos RAT through phishing attacks.

The phishing campaign was first reported by researchers at the start of 2024 where the phishing emails used war-themed lures as the initial access vector to start the infection chain, resulting in the deployment of IDAT Loader which then uses an embedded steganographic PNG file to find and fetch Remcos RAT.

The researchers also uncovered that the defense forces in Ukraine have been targeted using the instant messaging app called Signal to spread a malicious Microsoft Excel document that is responsible for executing COOKBOX, which is a PowerShell-based malware capable of loading and executing cmdlets.

It also follows the resurfacing of malware campaigns that have been distributing PikaBot malware since at least February 8^th, 2024, using a new variant currently being actively developed. This version of the PikaBot loader makes use of a new unpacking method as well as relies on heavy obfuscation. The main module of the malware has added a new string decryption implementation that can change to obfuscation functionality and many other modifications.

Impact

• Unauthorized Access
• Exposure to Sensitive Data

Indicators of Compromise

MD5

• 7164008af682b5f3567d50700b4a1b8b
• 7c05cfed156f152139a6b1f0d48b5cc1
• b1f8484ee01a7730938210ea6e851888
• 0b3c248f579a8f5865972218e63c3b34
• f5ee6aa31c950dfe55972e50e02201d3
• 56154fedaa70a3e58b7262b7c344d30a
• 7f87d36c989a11edf0de9af392891d89
• 5c734bb1e41fab9c7b2dabd06e27bc7b
• 1c3e1e0319dc6aa24166d5e2aaaec675
• 7f5d66666298f35932a3eeb3a127fb1a

SHA-256

• 4b36a82e1781ffa1936703971e2d94369e3059c8524d647613244c6f9a92690b
• e4615b74d62f384d23e58bc467c615b17779e4f8084c8a0134db97a5e642027f
• 88f0722c907100ef09049c82032a0ac66afa153d03fb89d378ae65f6e5890a3f
• ef6edacf6ee1e0dd2e53046a91ba84d10a8adda6918ca7aac6e96ead432efbbc
• 5fff1cd29bb6e6cfe9516b70f9f44755098392c2e2a0f4784486182c309b2c99
• f650a9f1930e55e405d7121c56b90a996ab213a05b772a8f02ceb1cdbeb91165
• c5452b859922b9633839e092f09f0ce4818b6085043360c90c0b0f2bfad9fca1
• bd871a2ccd6d7c4f89f9f5087e60cfdcc7ab35b670cfda7ddfd6dbbab8c8560c
• 8f157186dca8c21aeebd31a7253155728c51b239129768ee91df34dc693783f5
• 57954ec0b9069cd82265d6d6dfa8da87cb5c96190ae9f7074d6f7a598fc4131c

SHA-1

• 0d3f2e8e3ca5f9690374a71087b76754fd30ff21
• a9bc862f7143a3e34ba420d624f81a9efd1516fc
• 4ab9c910cfc9690b7f54eba83e30bc1fe6984297
• 54f1ddaeff6595997f1fb55dc56acfc032a56616
• 502bbd516526e579b2b0d0a5aaef0a66659e7fbb
• 31ba4f7a41dda57b4d10ebbc020db9c17012f17c
• e644bc7774cfd1beecea50fb47b8ffd32b092c30
• 1bee4d678beb8928377fbc112eade1af5ec30295
• db3c330fcd97e0a983a13456e22f1b7f4982e5d6
• 8d4b37a3baf4fed49b92fda2ce846ea3082e74f1

Domain Name

• funedunet.com
• new-tech-savvy.com

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
• Ensure that all systems, software, and applications are up-to-date with the latest security patches. Regularly check for and apply updates to eliminate known vulnerabilities that attackers could exploit.
• Educate employees about phishing emails, social engineering tactics, and safe online behavior. Effective training can reduce the likelihood of users inadvertently initiating an attack.
• Regularly back up critical data and systems to offline or isolated storage. Test the backup restoration process to ensure that it is effective in case of an attack.
• Deploy strong endpoint protection solutions that include advanced threat detection, behavior monitoring, and real-time protection against malware and ransomware.
• Employ robust email filtering and anti-phishing solutions to detect and prevent malicious attachments and links from reaching user inboxes.
• Conduct regular penetration testing and security assessments to identify vulnerabilities and weaknesses in your network and systems. Address any findings promptly.
• Thoroughly assess third-party vendors and software before integrating them into your environment. Ensure they have strong security practices and adhere to cybersecurity standards.