A Russian-aligned attacker known as UAC-0184 has been observed leveraging the Viber messaging platform to distribute malicious ZIP archives and target military and government agencies in Ukraine.
“The organization will continue its high-intensity intelligence-gathering operations against the Ukrainian military and government sectors in 2025,” the 360 Threat Intelligence Center said in a technical report.
The hacker group, also tracked as Hive0156, is known for delivering hijack loaders in attacks targeting Ukrainian organizations, primarily using war-themed decoys in phishing emails. The malware loader then acts as a vector for Remcos RAT infection.
This threat actor was first documented by CERT-UA in early January 2024. Subsequent attack campaigns have found that messaging apps such as Signal and Telegram are being used as a means of delivering malware. The latest findings from Chinese security vendors show that this tactic is evolving further.
This attack chain uses Viber as the initial intrusion vector to distribute a malicious ZIP archive containing multiple Windows Shortcut (LNK) files disguised as official Microsoft Word and Excel documents and tricks the recipient into opening them.
The LNK file is designed to act as a decoy document to reduce the victim’s suspicions and silently runs the hijack loader in the background by retrieving a second ZIP archive (‘smoothieks.zip’) from a remote server using a PowerShell script.
The attack rebuilds and deploys the hijack loader in memory through a multi-step process that uses techniques such as DLL sideloading and module stomping to avoid detection by security tools. The loader then scans the environment for installed security software, including security software associated with Kaspersky, Avast, BitDefender, AVG, Emsisoft, Webroot, and Microsoft by calculating the CRC32 hashes of the corresponding programs.
In addition to establishing persistence through a scheduled task, the loader takes steps to disable static signature detection before injecting the Remcos RAT into ‘chime.exe’ and secretly running it. Remote management tools allow attackers to manage endpoints, execute payloads, monitor activity, and steal data.
“Although marketed as legitimate systems management software, its powerful intrusion capabilities make it frequently used by a variety of malicious actors for cyber espionage and data theft operations,” the 360 Threat Intelligence Center said. “Remcos provides a graphical user interface (GUI) control panel that allows attackers to perform batch automated administration and precise manual interaction on victim hosts.”
Source link
