Windows UAC Bypass Method Still in Use by Attackers

New Phishing Campaign Targets Eastern European Organizations Using Remcos RAT Malware

A new phishing campaign targeting Eastern European organizations has been discovered; it delivers the Remcos RAT malware. The attackers rely on an old method of bypassing Windows User Account Control (UAC): mock trusted directories.

It was first shown in 2020 that mock trusted directories can bypass Windows UAC, and the method remains effective today. The latest Remcos campaign was observed and analyzed by SentinelOne researchers, who documented their findings in a detailed report.

The phishing emails are sent from top-level domains matching the recipient's country and are often disguised as tender or financial documents. The emails are designed to draw the recipient's attention and carry a tar.lz archive containing the DBatLoader executable. This uncommon archive format reduces the chance that the victim can open the attachment directly, and it also makes the payload harder for antivirus software and email protection tools to detect.

The first-stage payload of the malicious loader is disguised as a Microsoft Office, LibreOffice, or PDF document using double extensions and application icons to trick the victim into opening the file. The second-stage payload is retrieved from a public cloud service such as Microsoft OneDrive or Google Drive.

Before loading Remcos RAT, DBatLoader creates and runs a Windows batch script that abuses a UAC bypass. The method combines DLL hijacking with mock trusted directories to launch the malware without prompting the user.

Windows treats a mock directory such as "C:\Windows \System32" (note the trailing space after "Windows") as if it were the real, trusted folder. DBatLoader creates this folder and copies the legitimate executable "easinvoker.exe" into it together with a malicious "netutils.dll".

Windows UAC is a protection mechanism introduced by Microsoft in Windows Vista that asks users to confirm the execution of high-risk applications. By bypassing UAC through mock trusted directories, the attackers gain elevated privileges for their executables without the confirmation prompt ever being shown to the user.
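The detection angle on the technique described above, as an added example that is not part of the original article or of SentinelOne's report: a mock trusted directory is only dangerous because Windows path normalization trims trailing spaces and dots from each component, so "C:\Windows \System32" collapses onto the real System32. The script below reproduces that normalization, flags directory names that differ from their canonical form only by such padding, and runs the check over constructed Sysmon-style file-create records (the event lines, the `TRUSTED_DIRS` list and all helper names are assumptions for this example).

```python
import ntpath
import re

# Directories whose contents Windows auto-elevation treats as trusted.
# Illustrative subset for this example, not an exhaustive list.
TRUSTED_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
}


def canonicalize(path: str) -> str:
    """Mimic Win32 normalization: trailing spaces and dots are trimmed from
    every component, so 'C:\\Windows \\System32' becomes the real System32."""
    path = path.replace("/", "\\").rstrip("\\")
    parts = [p.rstrip(" .") for p in path.split("\\")]
    return "\\".join(parts).lower()


def is_mock_trusted_dir(directory: str) -> bool:
    """True when the literal name differs from its canonical form (i.e. it
    carries trailing space/dot padding) AND the canonical form is trusted."""
    literal = directory.replace("/", "\\").rstrip("\\").lower()
    canonical = canonicalize(directory)
    return literal != canonical and canonical in TRUSTED_DIRS


# Constructed, Sysmon-style file-create records (Event ID 11); not real telemetry.
SAMPLE_EVENTS = [
    r"EventID=11 Image=C:\Users\victim\AppData\Local\Temp\invoice.exe TargetFilename=C:\Windows \System32\easinvoker.exe",
    r"EventID=11 Image=C:\Users\victim\AppData\Local\Temp\invoice.exe TargetFilename=C:\Windows \System32\netutils.dll",
    r"EventID=11 Image=C:\Windows\System32\svchost.exe TargetFilename=C:\Windows\System32\drivers\etc\hosts",
    r"EventID=11 Image=C:\Users\victim\Downloads\setup.exe TargetFilename=C:\Temp \build\readme.txt",
]

# TargetFilename is the last field, so a greedy match keeps embedded spaces.
TARGET_RE = re.compile(r"TargetFilename=(.+)$")


def find_mock_dir_drops(events):
    """Return (directory, filename) pairs for file creates that land in a
    mock trusted directory."""
    hits = []
    for line in events:
        m = TARGET_RE.search(line)
        if not m:
            continue
        directory, filename = ntpath.split(m.group(1))
        if is_mock_trusted_dir(directory):
            hits.append((directory, filename))
    return hits


def find_sideload_pairs(hits):
    """Report mock directories that received both an .exe and a .dll, the
    shape of a DLL-hijacking staging step (a padded directory holding only
    a stray file is noise; exe+dll together is the signal)."""
    by_dir = {}
    for directory, filename in hits:
        ext = ntpath.splitext(filename)[1].lower()
        by_dir.setdefault(directory, set()).add(ext)
    return sorted(d for d, exts in by_dir.items() if {".exe", ".dll"} <= exts)


if __name__ == "__main__":
    drops = find_mock_dir_drops(SAMPLE_EVENTS)
    for d, f in drops:
        print(f"file created in mock trusted directory {d!r}: {f}")
    for d in find_sideload_pairs(drops):
        print(f"exe and dll staged together in {d!r}: likely DLL hijack setup")
```

The same normalization check works as a periodic filesystem sweep (list the children of `C:\` and `C:\Windows` and flag any whose name ends in a space or dot), and the exe+dll pairing rule keeps the alert rate low, since a padded directory created by a buggy installer will rarely contain both.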

The use of this malware in phishing campaigns continues to be a major threat to organizations, and continued awareness of the risks is essential. Detailed information and analysis of the latest Remcos campaign can be found in SentinelOne's report.
