On 02/21/2023, the Government Computer Emergency Response Team of Ukraine (CERT-UA) recorded the mass distribution of e-mails allegedly sent on behalf of the Pechersk District Court of the city of Kyiv, with the subject "Pechersk District Court of the City of Kyiv" and an attachment in the form of a RAR archive, "electronic court request no. 7836071.rar".
In this e-mail, the sender claims to be a judge of the Pechersk District Court of Kyiv and asks the recipient to open the attachment (electronic court request no. 7836071.rar) immediately and review its contents, because it provides information about a court hearing taking place in Kyiv that day, which the recipient is to attend.
When opened, this RAR archive, which is said to contain information about a court hearing, automatically executes an executable file called Remcos.exe stored in its "experts" folder. The Remcos program copies itself and creates a new service called "CbAvSrv32", a name that resembles legitimate Cyberbit software.
This service ensures that Remcos.exe runs automatically at each system start, so it keeps running after the operating system is restarted. This is a typical persistence feature of malware, designed to keep the program on infected computers and preserve its ability to steal information from them.
Source: Cyber attack of the group UAC-0050 using the Remcos program. - AlienVault - Open Threat Exchange
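The service-based persistence described above can be hunted for in Windows service-installation records (Service Control Manager event ID 7045). The following is an added example, not code from CERT-UA or the source report: it assumes the events were exported as JSON lines with the fields shown, and the sample records, host names, file paths and the user-writable-path heuristic are constructed for illustration.

```python
import json
import ntpath

# Indicators taken from the report above.
IOC_SERVICE_NAMES = {"cbavsrv32"}
IOC_IMAGE_NAMES = {"remcos.exe"}
# Assumption: directories a standard user can write to; tune for your estate.
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")

# Constructed sample records (not from the report), one JSON object per line.
SAMPLE_EVENTS = r"""
{"EventID": 7045, "Computer": "WS-014", "ServiceName": "CbAvSrv32", "ImagePath": "\"C:\\Users\\Public\\Remcos.exe\"", "StartType": "auto start"}
{"EventID": 7045, "Computer": "WS-014", "ServiceName": "PrintHelper", "ImagePath": "C:\\Program Files\\Vendor\\helper.exe -k run", "StartType": "auto start"}
{"EventID": 7045, "Computer": "WS-022", "ServiceName": "UpdaterSvc", "ImagePath": "C:\\ProgramData\\upd\\u.exe", "StartType": "auto start"}
{"EventID": 4624, "Computer": "WS-022"}
"""

def image_file(image_path):
    """Return the executable path from an ImagePath, dropping quotes and arguments."""
    p = image_path.strip()
    if p.startswith('"'):
        return p[1:].split('"', 1)[0]
    idx = p.lower().find(".exe")
    return p[: idx + 4] if idx != -1 else p

def review_service_installs(jsonl):
    """Return (computer, service, reasons) for each suspicious service install."""
    findings = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        if ev.get("EventID") != 7045:
            continue  # only service-installation events are relevant here
        exe = image_file(ev.get("ImagePath", ""))
        reasons = []
        if ev.get("ServiceName", "").lower() in IOC_SERVICE_NAMES:
            reasons.append("service name matches report")
        if ntpath.basename(exe).lower() in IOC_IMAGE_NAMES:
            reasons.append("binary name matches report")
        if ev.get("StartType", "").lower() == "auto start" and any(
            marker in exe.lower() for marker in USER_WRITABLE_MARKERS
        ):
            reasons.append("auto-start service from user-writable path")
        if reasons:
            findings.append((ev["Computer"], ev["ServiceName"], reasons))
    return findings

if __name__ == "__main__":
    for computer, service, reasons in review_service_installs(SAMPLE_EVENTS):
        print(f"{computer}: {service}: {'; '.join(reasons)}")
```

Because the service name imitates a legitimate product, a name match alone should be confirmed against the binary path and signer before it is treated as an infection.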