The Ukrainian Computer Emergency Response Team (CERT-UA) has issued a warning about ongoing cyber attacks against state authorities in the country that deploy the legitimate remote access software Remcos.
The widespread phishing campaign has been traced back to a threat actor known as UAC-0050, and the agency has described the nature of the attacks as being likely motivated by espionage given the tools used.
The initial stage of the attack starts with bogus emails, purporting to come from the Ukrainian telecom company Ukrtelecom, that contain a decoy RAR archive. The archive holds two files: a password-protected RAR file that is over 600 MB in size and a text file containing the password needed to open it.
Once the RAR file is opened, an executable is revealed that leads to the installation of the Remcos remote access software, granting the attacker full control over the compromised computer.
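The attachment layout described above (an outer archive holding one oversized, password-protected nested RAR plus a plaintext password note) is structural enough to be checked by a mail gateway or sandbox before anyone types the password in. The following Python snippet is an added illustration, not part of the CERT-UA advisory or any vendor product: it runs a simple heuristic over an archive member listing. The `ArchiveMember` type, the `classify_attachment` function, the 500 MB threshold and both sample listings are constructed here for the example; a real deployment would populate the listing from the archive parser it already uses.

```python
from dataclasses import dataclass
from typing import List, Optional

MB = 1024 * 1024

# Assumed threshold for "oversized nested archive". The advisory reports a nested
# RAR of over 600 MB; 500 MB is an illustrative cut-off, not a published rule.
OVERSIZED_NESTED_MB = 500


@dataclass(frozen=True)
class ArchiveMember:
    """One entry from an outer archive's directory listing (constructed type)."""
    name: str
    size: int         # uncompressed size in bytes
    encrypted: bool   # True if the member itself is password-protected


def classify_attachment(members: List[ArchiveMember]) -> Optional[str]:
    """Return a reason string if the listing matches the lure layout, else None.

    The pattern looked for: at least one password-protected .rar member that is
    larger than OVERSIZED_NESTED_MB, shipped next to at least one .txt member
    (the password note). Benign archives rarely combine all three traits.
    """
    nested_rars = [m for m in members if m.name.lower().endswith(".rar")]
    text_notes = [m for m in members if m.name.lower().endswith(".txt")]
    for rar in nested_rars:
        if rar.encrypted and rar.size > OVERSIZED_NESTED_MB * MB and text_notes:
            return (
                f"password-protected nested archive {rar.name!r} "
                f"({rar.size // MB} MB) shipped with plaintext note "
                f"{text_notes[0].name!r}"
            )
    return None


# Constructed sample listings (file names and sizes are made up for the example).
SUSPICIOUS_LISTING = [
    ArchiveMember("invoice.rar", 640 * MB, encrypted=True),
    ArchiveMember("password.txt", 12, encrypted=False),
]

BENIGN_LISTING = [
    ArchiveMember("report.pdf", 2 * MB, encrypted=False),
    ArchiveMember("readme.txt", 300, encrypted=False),
]


if __name__ == "__main__":
    for label, listing in (("suspicious", SUSPICIOUS_LISTING), ("benign", BENIGN_LISTING)):
        verdict = classify_attachment(listing)
        print(f"{label}: {verdict or 'no match'}")
```

The heuristic deliberately requires all three traits together, so an ordinary encrypted backup archive or a large but unencrypted nested archive does not trigger it; tune the size cut-off to the sizes your gateway can still scan inline.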
Remcos, a remote control and surveillance software, is available from Breaking Security either for free or as a premium version that costs between €58 and €945. The Italian company touts it as a “lightweight, fast, and highly customizable remote administration tool with a wide array of functionalities.”
This latest warning from CERT-UA comes at a time when the Ukrainian State Cyber Protection Centre (SCPC) is accusing a Russian state-sponsored threat actor known as Gamaredon of launching targeted attacks against public authorities and critical information infrastructure in the country.