
UAC-0050 targeting European banks — RMS Malware & Social Engineering

Firewall_Admin_Joe 2/24/2026

Just caught the latest report on UAC-0050 shifting focus. It looks like this Russia-aligned actor is moving beyond traditional targets in Ukraine and hitting a European financial institution. The TL;DR is they're using spoofed domains to deliver RMS malware (Remote Management System), likely for intel gathering or preparing for heists.

What's concerning is the reliance on social engineering masquerading as legitimate regional partners. The RMS payload is nasty because it provides full remote control, often bypassing standard heuristic detection since it's usually signed or obfuscated.

For those hunting in their environments, I'd recommend checking for anomalies in process lineage—specifically looking for Office apps spawning obscure child processes. If you have EDR, hunt for unsigned binaries making network calls to non-standard ports.

Here is a quick PowerShell snippet to audit recent scheduled tasks often used for persistence by these types of malware:

# Enumerate enabled tasks and flag any whose action runs a binary from a user-writable location
Get-ScheduledTask | Where-Object {$_.State -eq 'Ready'} |
ForEach-Object {
    # A task can carry several actions; -like on the resulting array is truthy if any match
    $Action = $_.Actions.Execute
    if ($Action -like '*AppData*' -or $Action -like '*Public*') {
        Write-Host "Suspicious Task Found:" $_.TaskName
        Write-Host "Action:" $Action
    }
}

Are you guys seeing any specific spoofed domains hitting your inboxes yet, or is it still mostly targeted spear-phishing?
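Joe's process-lineage hunt written out as detection logic, added here as an example and not code from any poster in this thread: it applies the Office-parent heuristic (plus the AppData/Public path check from the task audit) to a constructed, tab-separated set of process-creation records. The record layout, the allowlist of expected Office children and the script-host list are assumptions to be tuned per environment.

```python
import re

# Constructed sample process-creation events (parent image, child image, command line),
# tab-separated; made-up records for illustration, not telemetry from the thread.
SAMPLE_EVENTS = "\n".join([
    "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\tC:\\Windows\\System32\\splwow64.exe\tsplwow64.exe 12288",
    "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tpowershell -nop -w hidden -enc QUJD",
    "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE\tC:\\Users\\jdoe\\AppData\\Roaming\\svc\\host.exe\thost.exe",
    "C:\\Windows\\explorer.exe\tC:\\Users\\jdoe\\AppData\\Local\\Temp\\setup.exe\tsetup.exe",
    "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE\tC:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\tWINWORD.EXE /n",
])

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children an Office app may legitimately start (assumed baseline; tune per environment).
EXPECTED_CHILDREN = OFFICE_APPS | {"splwow64.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Joe's path heuristic: binaries living under user-writable locations.
USER_WRITABLE = re.compile(r"\\(AppData|Users\\Public|ProgramData)\\", re.IGNORECASE)
ENCODED_CMD = re.compile(r"\s-e(?:nc(?:odedcommand)?)?\s", re.IGNORECASE)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def hunt_office_lineage(events: str) -> list[tuple[str, str, list[str]]]:
    """Return (parent, child, reasons) for Office-spawned children that look anomalous."""
    findings = []
    for line in events.splitlines():
        if not line.strip():
            continue
        parent, child, cmdline = line.split("\t", 2)
        p, c = basename(parent), basename(child)
        if p not in OFFICE_APPS or c in EXPECTED_CHILDREN:
            continue  # not Office lineage, or a known-good child: skip
        reasons = []
        if c in SCRIPT_HOSTS:
            reasons.append("office app spawned a script host")
        if USER_WRITABLE.search(child):
            reasons.append("child runs from a user-writable path")
        if ENCODED_CMD.search(cmdline):
            reasons.append("encoded command line")
        if not reasons:
            reasons.append("unexpected child of an Office app")
        findings.append((p, c, reasons))
    return findings

if __name__ == "__main__":
    for parent, child, reasons in hunt_office_lineage(SAMPLE_EVENTS):
        print(f"{parent} -> {child}: {'; '.join(reasons)}")
```

On the sample, the explorer.exe-spawned installer under Temp is deliberately not flagged: the rule keys on Office lineage first and only then on path and command line, which keeps the noise down on ordinary user activity.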

Proxy_Admin_Nate 2/24/2026

Good catch on the scheduled tasks. We've been seeing a similar trend with other actors abusing schtasks for persistence. I'd also recommend checking your firewall logs for long-lived connections on uncommon high ports (above 1024) that don't match known application traffic patterns. RMS agents often try to blend in with legitimate RDP traffic but fail on the protocol analysis level.

SCADA_Guru_Ivan 2/24/2026

We blocked macros organization-wide last year, which has stopped the initial infection vector for 99% of these emails. However, the spoofing is getting incredibly convincing. We've had to move to strict SPF/DKIM/DMARC enforcement (p=reject) just to stop the delivery of these phishing attempts. It was painful during the rollout, but it's saved us multiple times now.

SOC_Analyst_Jay 2/24/2026

From a pentester perspective, the RMS malware is often just a modified version of commercially available remote admin tools. If your AV is just checking signatures, it might miss it if they recompiled it. We recommend enabling AMSI (Antimalware Scan Interface) logging to catch the obfuscated PowerShell scripts usually used to download the second-stage payload.

RedTeam_Carlos 2/25/2026

Since Jay mentioned the recompiled tools, traditional signatures will fail. We've found that hunting for specific registry artifacts works well for RMS. The malware often leaves distinct keys in HKCU. You can run this PowerShell command on suspicious endpoints to quickly check for those artifacts without triggering a full AV scan:

# Walk the current user's Software hive and list subkeys whose name contains "RMS"
Get-ChildItem 'HKCU:\Software' -Recurse -ErrorAction SilentlyContinue | Where-Object { $_.Name -like "*RMS*" }


Thread Stats

Created 2/24/2026
Last Active 2/25/2026
Replies 4
Views 122