UAC-0050 Hackers Elevate Tactics with Stealthy Remcos Malware Techniques

A new report reveals that a hacker group engaged in cyber espionage against Ukraine is enhancing its techniques for increased stealth and effectiveness. Identified as UAC-0050, the group predominantly employs Remcos, a remote surveillance tool, to target Ukrainian government agencies. Uptycs cybersecurity researchers have identified a novel method used by the hackers, allowing them to transfer malicious data efficiently without detection.

The hackers have implemented a communication technique known as the “pipe method,” enabling different programs or components of a computer system to seamlessly exchange information. By utilizing “pipes” within the Windows operating system, the hackers establish a covert channel for data transfer, effectively evading antivirus systems. While not entirely new, this technique represents a significant advancement in the group’s strategies, according to researchers.

In December, Ukraine’s computer emergency response team (CERT-UA) uncovered an attack by UAC-0050 on government agencies using Remcos. The hackers disguised phishing letters as requests from Ukraine’s security service (SBU) and Kyivstar, the country’s telecom operator, recently subjected to a cyberattack.

In a parallel campaign identified by Uptycs in December, hackers sent malicious emails posing as job offers, specifically targeting Ukrainian military personnel for consultancy roles with the Israel Defense Forces (IDF). The group’s previous campaigns followed a similar attack pattern.

CERT-UA reported that UAC-0050 has been active since at least 2020, targeting government agencies in Ukraine, the Baltic states, and Russia. Despite its activity, the group has not been linked to any known threat actor or specific country.

While the speculation about state sponsorship persists, Uptycs researchers emphasize the undeniable risk posed by the group, especially to government sectors relying on Windows systems. The group’s primary tool, Remcos, developed by Germany-based Breaking Security, is a remote administration tool with various functionalities, available for free or as a premium version for $80.

When exploited by hackers, Remcos can gather victim information, remove cookies and login data from browsers like Internet Explorer, Firefox, and Chrome, and bypass antivirus protection by running as a legitimate Windows process with administrative privileges.