The threat actor known as RomCom has been weaponizing SolarWinds, KeePass and PDF Reader Pro software in a series of new attack campaigns against targets in Ukraine and likely the United Kingdom.
The discovery comes from the BlackBerry Research & Intelligence Team, which published an advisory about RomCom on Wednesday.
“While Ukraine still appears to be the main target of this campaign, we believe some English-speaking countries are being targeted as well, including the United Kingdom,” reads the document.
“This is based on the terms of service (TOS) of two of the malicious websites and the SSL certificates of a newly built command-and-control (C2).”
As for the attacks themselves, BlackBerry reported that RomCom followed a scheme that included first scraping the original HTML code from the vendor to be spoofed, then registering a malicious domain resembling the legitimate one.
The threat actor then trojanized the legitimate application, uploaded the malicious package to the decoy website and sent targeted phishing emails to the victims (in some cases using additional infection vectors).
“Our team followed the RomCom Netflows and discovered both spoofed KeePass and PDF Reader Pro websites in the Ukrainian language,” reads the advisory. “Both of these spoofed sites host their terms of service pages on the same URL and state that the software providers are hosted by UK companies.”
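The attack chain described above hinges on a look-alike domain serving a trojanized copy of a real product, so one cheap defensive control is to triage newly observed download domains against an allow-list of vendor domains before anyone trusts them. The script below is an added example written for this article, not code from BlackBerry or from the infosecurity-magazine.com piece; it assumes that `keepass.info` and `solarwinds.com` are the genuine vendor domains, and every other domain it checks is a constructed sample using the reserved `.example` TLD rather than any real indicator from the advisory. It normalizes common digit-for-letter swaps and Punycode, then flags brand labels reused under a different TLD, brand names embedded in longer labels, and labels within a small edit distance of a brand.

```python
"""Triage candidate download domains for look-alike spoofing of vendor sites.

Added example (not from the original article or the BlackBerry advisory).
Assumption: the allow-list below holds the real vendor domains; all other
domains used here are constructed samples on the reserved .example TLD.
"""
from dataclasses import dataclass

# Assumed legitimate vendor domains (illustrative allow-list; verify against the vendor).
LEGIT_DOMAINS = {"keepass.info", "solarwinds.com"}

# Common visual substitutions seen in typosquats: digits/letter pairs that read as a brand letter.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost))
        prev = cur
    return prev[-1]


def brand_label(domain: str) -> str:
    """Return the second-level label of a host, lower-cased and Punycode-decoded
    (e.g. 'www.keepass.info' -> 'keepass')."""
    host = domain.lower().strip(".").split("/")[0]
    labels = host.split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    if sld.startswith("xn--"):
        try:
            sld = sld.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # keep the raw A-label if decoding fails
    return sld


def skeleton(label: str) -> str:
    """Collapse confusable characters so 's0larwinds' compares equal to 'solarwinds'."""
    for src, dst in CONFUSABLES.items():
        label = label.replace(src, dst)
    return label


@dataclass
class Verdict:
    domain: str
    closest_brand: str
    distance: int
    reason: str
    suspicious: bool


def assess(domain: str, legit: set[str] = LEGIT_DOMAINS, max_distance: int = 2) -> Verdict:
    """Classify a domain as allow-listed, look-alike (suspicious) or unrelated."""
    host = domain.lower().strip(".")
    if host in legit or any(host.endswith("." + d) for d in legit):
        return Verdict(domain, host, 0, "allow-listed vendor domain", False)

    label = skeleton(brand_label(domain))
    best = min(legit, key=lambda d: levenshtein(label, skeleton(brand_label(d))))
    best_label = skeleton(brand_label(best))
    dist = levenshtein(label, best_label)

    if dist == 0:
        return Verdict(domain, best, 0, "brand label reused under a different TLD", True)
    if best_label in label:
        return Verdict(domain, best, dist, "brand name embedded in a longer label", True)
    if dist <= max_distance:
        return Verdict(domain, best, dist, f"within edit distance {dist} of brand", True)
    return Verdict(domain, best, dist, "no close match to any allow-listed brand", False)


if __name__ == "__main__":
    # Constructed samples only; none of these are real indicators from the advisory.
    for d in ["www.keepass.info", "keepass.example", "keepas.example",
              "keepass-download.example", "s0larwinds.example", "github.com"]:
        v = assess(d)
        print(f"{d:28} suspicious={v.suspicious!s:5} ({v.reason}; closest={v.closest_brand})")
```

In practice the allow-list would be fed from an internal software inventory and the candidate domains from proxy or DNS logs, so that a look-alike vendor domain appearing in traffic raises an alert before the downloaded installer is run.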
According to BlackBerry, these tactics are similar to, and may suggest a link between, the RomCom gang and the Cuba ransomware and Industrial Spy groups.
“Industrial Spy is a relatively new ransomware group that emerged in April 2022,” the security team wrote. “However, given the targets’ geography and characteristics, combined with the current geopolitical situation, it’s unclear if the real motivation of the RomCom threat actor is purely cyber-criminal in nature.”
A list of RomCom RAT Indicators of Compromise (IoCs) is available in the original text of the BlackBerry advisory. Its publication comes days after the malware was associated with recent campaigns targeting organizations in Ukraine.
Some parts of this article are sourced from:
www.infosecurity-magazine.com