The Computer Emergency Response Team of Ukraine (CERT-UA) has issued an alert warning of cyber attacks against state authorities in the country that deploy a legitimate remote access software named Remcos.
The mass phishing campaign has been attributed to a threat actor it tracks as UAC-0050, with the agency describing the activity as likely motivated by espionage given the toolset employed.
The bogus emails that kick-start the infection sequence claim to be from Ukrainian telecom company Ukrtelecom and come bearing a decoy RAR archive. Of the two files present in the file, one is a password-protected RAR archive that’s over 600MB and the other is a text file containing the password to open the RAR file.
Embedded within the second RAR archive is an executable that leads to the installation of the Remcos remote access software, granting the attacker full access to commandeer compromised computers.
Remcos, short for remote control and surveillance software, is offered by Breaking Security either for free or as a premium version that costs anywhere between €58 and €945.
The Italian company calls it a “lightweight, fast and highly customizable Remote Administration Tool with a wide array of functionalities.”
The latest CERT-UA advisory comes as the State Cyber Protection Centre (SCPC) of Ukraine pointed fingers at a Russian state-sponsored threat actor known as Gamaredon for its targeted assaults aimed at public authorities and critical information infrastructure.