New IDAT Loader attacks using steganography to deploy Remcos RAT

Ukrainian entities based in Finland have been targeted as part of a malicious campaign that distributed a commercial remote access Trojan known as Remcos RAT using a malware loader called IDAT Loader.

The attack is attributed to a threat actor tracked by the Computer Emergency Response Team of Ukraine (CERT-UA) under the name UAC-0184.

“The attack, as part of the IDAT Loader, used steganography as a technique,” said Morphisec researcher Michael Dereviashkin in a report shared with The Hacker News. “While steganographic or ‘Stego’ techniques are well known, it is important to understand their role in defense evasion to better understand how to defend against such tactics.”


IDAT Loader, which overlaps with another loader family called Hijack Loader, has been used in recent months to serve additional payloads such as DanaBot, SystemBC and RedLine Stealer. It has also been used by a threat actor tracked as TA544 to spread Remcos RAT and SystemBC via phishing attacks.

The phishing campaign – first disclosed by CERT-UA in early January 2024 – involves the use of war-themed lures as a starting point to initiate an infection chain leading to the deployment of IDAT Loader, which in turn uses an embedded steganographic PNG to locate and extract Remcos RAT.

The development comes as CERT-UA revealed that defense forces in the country have been targeted via the instant messaging app Signal to distribute a booby-trapped Microsoft Excel document that runs COOKBOX, a PowerShell-based malware capable of loading and executing cmdlets. CERT-UA attributed the activity to a cluster called UAC-0149.


It also follows the resurgence of malware campaigns spreading PikaBot malware since February 8, 2024, using an updated variant that appears to be currently in active development.

“This version of the PikaBot loader uses a new unpacking method and heavy obfuscation,” Elastic Security Labs said. “The core module added a new implementation of string decryption, changes to obfuscation functionality, and several other tweaks.”
