
A new IDAT Loader is utilizing steganography to distribute the Remcos RAT through malicious attacks.

The world has been rocked by the news that Ukrainian entities based in Finland have been singled out as part of a malicious campaign to distribute the Remcos RAT, a commercial remote access trojan. The attack, attributed to a threat actor known as UAC-0184 and tracked by the Computer Emergency Response Team of Ukraine (CERT-UA), has been facilitated by a malware loader called IDAT Loader.

According to Michael Dereviashkin, a researcher at Morphisec, the attack method used steganography as an evasion technique. Although steganography techniques are well known, it is essential to understand the role they play in evasion in order to defend against such tactics.

IDAT Loader, similar to another loader family called Hijack Loader, has been responsible for serving additional payloads such as DanaBot and SystemBC in recent months. Another threat actor, known as TA544, has also used this loader to distribute Remcos RAT and SystemBC.

The campaign was first disclosed by CERT-UA early in January 2024 and involves using war-themed lures as a starting point to kick-start an infection chain that leads to the deployment of IDAT Loader, which, in turn, uses an embedded steganographic PNG to locate and extract Remcos RAT.
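As an added illustration of the defensive side of this technique, the following Python script is not code from the article, from Morphisec or from CERT-UA, and it does not reproduce how IDAT Loader itself hides or extracts its payload. It walks the chunk structure of a PNG file and flags the structural signs a defender checks for when an image is suspected of carrying a hidden payload: chunk types the PNG specification does not define, CRC mismatches, image data that decompresses to more bytes than the declared dimensions require, and bytes appended after the IEND chunk. The sample PNG it examines is constructed inside the script, so it runs offline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Chunk types named in the PNG specification; anything else deserves a look.
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME",
}

# Samples per pixel for each PNG colour type (grey, RGB, palette, grey+alpha, RGBA).
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk: 4-byte length, type, data, CRC32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width=2, height=2, extra_chunks=(), idat_padding=b"", trailer=b""):
    """Constructed test input: a minimal 8-bit greyscale PNG.

    extra_chunks are (type, data) pairs inserted before IDAT, idat_padding is
    appended to the raw scanlines before compression, trailer is appended after IEND.
    """
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    scanlines = b"".join(b"\x00" + b"\x80" * width for _ in range(height))
    body = _chunk(b"IHDR", ihdr)
    for ctype, data in extra_chunks:
        body += _chunk(ctype, data)
    body += _chunk(b"IDAT", zlib.compress(scanlines + idat_padding))
    body += _chunk(b"IEND", b"")
    return PNG_SIGNATURE + body + trailer


def inspect_png(blob: bytes) -> dict:
    """Walk the chunk list and collect structural anomalies for triage."""
    result = {"chunks": [], "anomalies": []}
    anomalies = result["anomalies"]
    if not blob.startswith(PNG_SIGNATURE):
        anomalies.append("bad PNG signature")
        return result

    pos = len(PNG_SIGNATURE)
    seen_iend = False
    idat = b""
    ihdr = None
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc_raw = blob[pos + 8 + length:pos + 12 + length]
        if len(data) < length or len(crc_raw) < 4:
            anomalies.append(f"truncated chunk {ctype!r} at offset {pos}")
            return result
        if struct.unpack(">I", crc_raw)[0] != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            anomalies.append(f"CRC mismatch in {ctype!r}")
        if ctype not in KNOWN_CHUNKS:
            anomalies.append(f"non-standard chunk {ctype!r} ({length} bytes)")
        if ctype == b"IHDR":
            ihdr = struct.unpack(">IIBBBBB", data)
        elif ctype == b"IDAT":
            idat += data
        result["chunks"].append((ctype.decode("latin-1"), length))
        pos += 12 + length
        if ctype == b"IEND":
            seen_iend = True
            break

    if not seen_iend:
        anomalies.append("no IEND chunk")
    elif pos < len(blob):
        anomalies.append(f"{len(blob) - pos} bytes after IEND")

    # Decompressed image data should exactly cover the declared scanlines
    # (one filter byte plus width * bytes-per-pixel for each row).
    if ihdr is not None and ihdr[2] >= 8 and ihdr[3] in CHANNELS:
        width, height, depth, colour = ihdr[0], ihdr[1], ihdr[2], ihdr[3]
        expected = height * (1 + width * CHANNELS[colour] * depth // 8)
        try:
            actual = len(zlib.decompress(idat))
        except zlib.error:
            anomalies.append("IDAT does not decompress")
        else:
            if actual != expected:
                anomalies.append(f"IDAT decompresses to {actual} bytes, image needs {expected}")
    return result


if __name__ == "__main__":
    # Constructed sample with all three hiding spots populated.
    suspicious = build_png(
        extra_chunks=[(b"pRiV", b"\x00" * 32)],  # private chunk carrying bytes
        idat_padding=b"\x90" * 16,               # more pixel data than the image needs
        trailer=b"\xde\xad" * 8,                 # bytes appended after IEND
    )
    for finding in inspect_png(suspicious)["anomalies"]:
        print(finding)
```

The three checks catch the common structural places a carrier image can hold data; a payload hidden purely in pixel least-significant bits passes all of them, so this script is a triage filter, not a complete steganalysis tool. For a fleet, the same walk can be run over images dropped by unfamiliar processes, with the "bytes after IEND" and non-standard-chunk findings forwarded as detection events.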

This news follows the revelation that defense forces in Ukraine have been targeted through the Signal instant messaging app to distribute a booby-trapped Excel document that executes COOKBOX, a PowerShell-based malware capable of loading and running cmdlets. CERT-UA has attributed the activity to a cluster dubbed UAC-0149.

Meanwhile, malware campaigns propagating PikaBot have been resurgent since February 8, 2024, using an updated variant that appears to be under active development. According to Elastic Security Labs, this version of the PikaBot loader uses a new unpacking method and heavy obfuscation. The core module has gained a new string decryption implementation, changes to its obfuscation functionality, and various other modifications.

Deitasoft © 2024. All Rights Reserved.