The threat actor behind a remote access trojan known as RomCom RAT has been observed targeting Ukrainian military institutions as part of a new spear-phishing campaign that began on October 21, 2022.
The development marks a shift in the attacker's modus operandi, which had previously been attributed to spoofing legitimate applications such as Advanced IP Scanner and pdfFiller in order to drop backdoors on compromised systems.
"The initial 'Advanced IP Scanner' campaign occurred on July 23, 2022," the BlackBerry research and intelligence team said. "Once the victim installs a Trojanized bundle, it drops RomCom RAT to the system."
While earlier iterations of the campaign relied on a trojanized Advanced IP Scanner, the unknown adversarial collective has since switched to pdfFiller as of October 20, indicating an active effort on the adversary's part to refine its tactics and thwart detection.
These lookalike websites host a rogue installer package that results in the deployment of RomCom RAT, which is capable of harvesting information and capturing screenshots, all of which is exfiltrated to a remote server.
The adversary's latest activity against the Ukrainian military departs from this pattern in that it uses a phishing email with an embedded link as the initial infection vector, leading to a fake website that drops the next-stage downloader.
This downloader, signed with a valid digital certificate issued to "Blythe Consulting sp. z o.o." for an extra layer of evasion, is then used to extract and run the RomCom RAT malware. BlackBerry said the same signer is used by the legitimate version of pdfFiller.
Besides the Ukrainian military, other targets of the campaign include IT companies, food brokers, and food manufacturing entities in the U.S., Brazil, and the Philippines.
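Because the campaign's downloader carries a signature from the same signer as the legitimate pdfFiller build, blocking or alerting on that signer alone would also hit the genuine product. The check below, an added example that is not from the original article or from BlackBerry, instead treats the signer as a watch-list entry and flags only binaries that carry it while sitting outside the directories where the legitimate software is expected to be installed. The inventory rows, the column layout (a simplified signer export in the spirit of Sigcheck or osquery output), and the expected install directories are all constructed for illustration; the signer string is the name as printed in the report, and the real certificate subject may be formatted differently.

```python
import csv
import io
from pathlib import PureWindowsPath

# Signer named in the BlackBerry report. It is shared by the legitimate pdfFiller
# build and by the campaign's downloader, so it is a watch-list entry, not a blocklist entry.
# The exact certificate subject string is an assumption.
WATCHED_SIGNER = "Blythe Consulting sp. z o.o."

# Directories where a binary from this signer is expected to live.
# Assumed install locations for illustration, not taken from the report.
EXPECTED_ROOTS = (
    PureWindowsPath(r"C:\Program Files\pdfFiller"),
    PureWindowsPath(r"C:\Program Files (x86)\pdfFiller"),
)

# Constructed sample inventory of signed executables. The column layout is an
# assumption (a simplified Sigcheck-style export) and every row is invented.
SAMPLE_INVENTORY = """\
Path,Verified,Publisher,Description
C:\\Program Files\\pdfFiller\\pdfFiller.exe,Signed,Blythe Consulting sp. z o.o.,pdfFiller
C:\\Users\\alice\\Downloads\\pdfFiller_setup.exe,Signed,Blythe Consulting sp. z o.o.,pdfFiller Installer
C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe,Signed,Blythe Consulting sp. z o.o.,Setup
C:\\Users\\bob\\AppData\\Local\\Temp\\scan.exe,Unsigned,n/a,Utility
"""


def _under_expected_root(path: PureWindowsPath) -> bool:
    """True if the file sits below one of the expected install directories.

    PureWindowsPath comparison is case-insensitive, so 'c:\\program files' matches too.
    """
    return any(root in path.parents for root in EXPECTED_ROOTS)


def find_signer_anomalies(inventory_csv: str, signer: str = WATCHED_SIGNER) -> list:
    """Return rows that carry the watched signer but do not look like the legitimate install.

    Each returned entry is a dict with the file path and the reason it was flagged.
    Rows signed by other publishers are out of scope for this rule.
    """
    flagged = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["Publisher"] != signer:
            continue
        path = PureWindowsPath(row["Path"])
        if row["Verified"] != "Signed":
            # A publisher string without a verified signature is not evidence of anything.
            reason = "signer claimed but signature not verified"
        elif not _under_expected_root(path):
            # Legitimate signer, but the file lives in a user-writable or temp location:
            # the pattern described for the campaign's downloader.
            reason = "expected signer, unexpected location"
        else:
            continue
        flagged.append({"path": row["Path"], "reason": reason})
    return flagged


if __name__ == "__main__":
    for hit in find_signer_anomalies(SAMPLE_INVENTORY):
        print(f"{hit['path']}: {hit['reason']}")
```

In practice the location rule should be paired with a hash allowlist of the known-good pdfFiller binaries, since an attacker can drop the downloader anywhere; the location check only catches the low-effort case where the file runs from Downloads or Temp.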
"This campaign is a good example of the blurred line between cybercrime-motivated threat actors and targeted attack threat actors," Dmitry Bestuzhev, threat researcher at BlackBerry, told The Hacker News.
"In the past, both groups acted independently, relying on different tooling. Today, targeted attack threat actors rely more on conventional tooling, making attribution harder."
Some parts of this article are sourced from:
thehackernews.com