The operators of RomCom RAT are continuing to evolve their campaigns with rogue versions of software such as SolarWinds Network Performance Monitor, the KeePass password manager, and PDF Reader Pro.
Targets of the operation include victims in Ukraine and select English-speaking countries such as the U.K.
"Given the geography of the targets and the current geopolitical situation, it's unlikely that the RomCom RAT threat actor is cybercrime-motivated," the BlackBerry Threat Research and Intelligence Team said in a new analysis.
The latest findings come a week after the Canadian cybersecurity company disclosed a spear-phishing campaign aimed at Ukrainian entities to deploy a remote access trojan called RomCom RAT.
The unknown threat actor has also been observed using trojanized versions of Advanced IP Scanner and pdfFiller as droppers to distribute the implant.
The latest iteration of the campaign involves three steps: registering a lookalike domain and standing up a decoy website that mimics the vendor's, uploading a malware-laced installer package for the impersonated software to it, and then sending phishing emails that steer targeted victims to the download.
[Image: Fake KeePass website] [Image: Fake SolarWinds website]
"While downloading a free trial from the spoofed SolarWinds website, a legitimate registration form appears," the researchers explained.
"If filled out, real SolarWinds sales personnel may contact the victim to follow up on the product trial. That technique misleads the victim into believing that the recently downloaded and installed application is completely legitimate."
It is not just SolarWinds software. Other impersonated packages include the popular password manager KeePass and PDF Reader Pro, with some of the decoys localized in Ukrainian.
The use of RomCom RAT has also been linked to threat actors associated with the Cuba ransomware and Industrial Spy, according to Palo Alto Networks Unit 42, which tracks the ransomware group under the constellation-themed moniker Tropical Scorpius.
Given the interconnected nature of the cybercriminal ecosystem, it is not immediately clear whether the two sets of activities share any connection or whether the malware is offered for sale as a service to other threat actors.
Some parts of this article are sourced from:
thehackernews.com