The operators of RomCom RAT are continuing to evolve their campaigns with rogue versions of software such as SolarWinds Network Performance Monitor, KeePass password manager, and PDF Reader Pro.
Targets of the operation include victims in Ukraine and select English-speaking countries such as the U.K.
“Given the geography of the targets and the current geopolitical situation, it's unlikely that the RomCom RAT threat actor is cybercrime-motivated,” the BlackBerry Threat Research and Intelligence Team said in a new analysis.
The latest findings come a week after the Canadian cybersecurity company disclosed a spear-phishing campaign aimed at Ukrainian entities to deploy a remote access trojan called RomCom RAT.
The unknown threat actor has also been observed leveraging trojanized variants of Advanced IP Scanner and pdfFiller as droppers to distribute the implant.
The latest iteration of the campaign entails setting up decoy lookalike websites with a similar domain name, followed by uploading a malware-laced installer package of the trojanized software, and then sending phishing emails to targeted victims.
Figure: Fake KeePass website. Figure: Fake SolarWinds site.
“While downloading a free trial from the spoofed SolarWinds website, a legitimate registration form appears,” the researchers explained.
“If filled out, real SolarWinds sales personnel might contact the victim to follow up on the product trial. That technique misleads the victim into believing that the recently downloaded and installed application is entirely legitimate.”
It's not just SolarWinds software. Other impersonated versions involve the popular password manager KeePass and PDF Reader Pro, including in the Ukrainian language.
The use of RomCom RAT has also been linked to threat actors associated with the Cuba ransomware and Industrial Spy, according to Palo Alto Networks Unit 42, which is tracking the ransomware group under the constellation-themed moniker Tropical Scorpius.
Given the interconnected nature of the cybercriminal ecosystem, it's not immediately clear if the two sets of activities share any connections or if the malware is available for sale as a service to other threat actors.