A new phishing campaign has been discovered that targets Eastern European organizations with the Remcos RAT malware. The attackers use an old Windows User Account Control (UAC) bypass method that was first documented in 2020 and involves using mock trusted directories to bypass UAC and run malicious code without prompting the user.
The emails sent to the victims are typically masked as financial documents, and the attachments are tar.lz archives containing the DBatLoader executable.
The loader is disguised as a Microsoft Office, LibreOffice, or PDF document, and upon launching, a second-stage payload is fetched from a public cloud service.
DBatLoader creates a mock trusted directory to bypass UAC and copies a legitimate, auto-elevating executable together with a malicious DLL into it. The script used by DBatLoader creates a “C:\Windows \System32” folder, an imitation of the real system directory whose “Windows ” component carries a trailing space.
NTFS stores that name with the space, but Win32 path normalization strips trailing spaces from each path component, so “C:\Windows \” resolves to “C:\Windows\” in the elevation checks. The operating system is thereby tricked into treating “C:\Windows \System32” as the trusted system folder, and the executable placed there is allowed to auto-elevate without a UAC prompt, loading the malicious DLL beside it with elevated rights.
The malware loader adds the malicious script (“KDECO.bat”) to Microsoft Defender’s exclusion list and establishes persistence for Remcos by creating a new registry key.
Eventually, Remcos is executed through process injection, configured with keylogging and screenshot-capture capabilities. System administrators are advised to set Windows UAC to “Always notify” (at that level even Microsoft’s auto-elevating binaries prompt, which defeats this bypass) and to monitor for suspicious file creations or process executions in trusted filesystem paths containing a trailing space, especially folders whose name contains the string “Windows”.
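The following is an added example, not code from SentinelOne or from the campaign itself, showing the detection advice above as working logic: it models the Win32 normalization that makes “C:\Windows \System32” collide with the real system directory, flags process or file events whose raw path contains a directory component ending in a space, and hunts a live filesystem for directories whose stored name ends in a space. The event records, file names and the list of “trusted roots” are constructed for the example (the report only names the “Windows” folder; Program Files is an assumption added here).

```python
import os
import tempfile

# Assumption for this example: trees whose contents the elevation check treats
# as trusted. The report only names "Windows"; Program Files is added here.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample telemetry with Sysmon-style field names; the file names are
# invented for the example, not indicators from the report.
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "path": r"C:\Windows\System32\legit.exe"},
    {"event": "ProcessCreate", "path": r"C:\Windows \System32\legit.exe"},
    {"event": "FileCreate",    "path": r"C:\Windows \System32\payload.dll"},
    {"event": "FileCreate",    "path": r"C:\Users\alice\Documents\notes .txt"},
    {"event": "FileCreate",    "path": r"C:\Users\alice\tmp \scratch.txt"},
]


def win32_normalize(path: str) -> str:
    """Model the relevant part of Win32 path normalization: trailing spaces and
    periods are stripped from every component after the drive, unless the path
    is a verbatim (\\?\) path, which Win32 passes through untouched."""
    if path.startswith("\\\\?\\"):
        return path
    parts = path.split("\\")
    return "\\".join(p if i == 0 else p.rstrip(" .") for i, p in enumerate(parts))


def trailing_space_dirs(path: str) -> list:
    """Directory components (the file name itself is excluded) whose stored
    name ends in a space."""
    return [d for d in path.split("\\")[:-1] if d != d.rstrip(" ")]


def classify(path: str):
    """Return a finding for a suspicious path, or None for a clean one."""
    odd = trailing_space_dirs(path)
    if not odd:
        return None
    normalized = win32_normalize(path)
    # The dangerous case: after normalization the path lands inside a trusted
    # tree, i.e. the mock directory impersonates a real system directory.
    severity = "high" if normalized.lower().startswith(TRUSTED_ROOTS) else "low"
    return {"path": path, "normalized": normalized, "components": odd, "severity": severity}


def scan_events(events) -> list:
    """Run classify() over process-create / file-create events."""
    alerts = []
    for ev in events:
        finding = classify(ev["path"])
        if finding:
            alerts.append({"event": ev["event"], **finding})
    return alerts


def find_trailing_space_dirs(root: str) -> list:
    """Hunt a live filesystem for directories whose stored name ends in a space.
    NTFS keeps the space even though ordinary Win32 calls hide it, so on Windows
    pass a verbatim root such as "\\\\?\\C:\\" so the walk opens the mock
    directory by its stored name instead of being redirected to the real one."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        hits.extend(os.path.join(dirpath, d) for d in dirnames if d != d.rstrip(" "))
    return hits


def demo_filesystem_hunt() -> list:
    """Build a throwaway tree holding both a real-looking "Windows" directory and
    a mock "Windows " one, then return the names the hunt flags."""
    with tempfile.TemporaryDirectory() as tmp:
        # On Windows the mock directory can only be created via a verbatim path;
        # on other platforms the plain path is fine.
        base = "\\\\?\\" + tmp if os.name == "nt" else tmp
        os.makedirs(os.path.join(base, "Windows ", "System32"), exist_ok=True)
        os.makedirs(os.path.join(base, "Windows", "System32"), exist_ok=True)
        return [os.path.basename(h) for h in find_trailing_space_dirs(base)]


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["event"], repr(alert["path"]),
              "->", alert["normalized"])
    print("filesystem hunt found:", demo_filesystem_hunt())
```

Two caveats when running this against real telemetry: the check only works if the log source records the raw image or target path rather than a normalized one, since normalization erases the indicator; and a mock directory found on disk cannot be removed with a plain `rd "C:\Windows "`, because that path normalizes to the real folder, so the verbatim form (`rd /s "\\?\C:\Windows \"`) is needed.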
SentinelOne notes that the use of mock trusted directories to bypass UAC in this phishing campaign is significant because the technique has been publicly known since 2020 yet remains effective today.
The attackers send the phishing emails from sender domains whose top-level domain matches the recipient’s country, which makes the messages look locally legitimate and increases the chances that victims open the attachment.
The use of a tar.lz archive as the attachment is an unusual choice of format: it helps evade detection by antivirus software and email security tools that do not inspect it, but it also reduces the chances that victims can open the attachment at all, since Windows has no native support for it.