The threat actor known as RomCom has been weaponizing SolarWinds, KeePass and PDF Reader Pro installers in a series of new attack campaigns against targets in Ukraine and possibly the United Kingdom.
The discovery comes from the BlackBerry Research & Intelligence Team, who published an advisory about RomCom on Wednesday.
“While Ukraine still appears to be the main focus of this campaign, we believe some English-speaking countries are being targeted as well, including the United Kingdom,” reads the document.
“This is based on the terms of service (TOS) of two of the malicious websites and the SSL certificates of a newly created command-and-control (C2).”
As for the attacks themselves, BlackBerry said RomCom followed a scheme that involved first scraping the legitimate HTML code of the vendor site to be spoofed, then registering a malicious domain similar to the genuine one.
The threat actor then trojanized the legitimate application, uploaded the malicious bundle to the decoy website and sent targeted phishing emails to the victims (in some cases using additional infection vectors).
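The decoy sites described above rely on a domain that looks like the vendor's real one. The following Python script is an added example, not code from BlackBerry or from the original article: it flags look-alike registrations by folding common homoglyphs and separators, checking for an embedded brand token, and measuring edit distance against a small list of legitimate vendor domains. The vendor domains in `LEGIT` are assumed for illustration, and the candidate domains are constructed test data rather than observed indicators.

```python
"""Flag look-alike domains that imitate a software vendor's legitimate site.

Added example, not code from BlackBerry or from the original article. The
vendor domains below are assumed for illustration; candidate domains are
constructed test data, not observed indicators.
"""
from typing import Optional, Tuple

# Assumed legitimate registrable domains, keyed by the brand token we match on.
LEGIT = {
    "keepass": "keepass.info",
    "solarwinds": "solarwinds.com",
    "pdfreaderpro": "pdfreaderpro.com",
}

# Common visual substitutions; multi-character entries are applied first.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("7", "t")]

# Tiny public-suffix list; a real deployment would use the full PSL.
TWO_PART_SUFFIXES = {"co.uk", "org.uk", "com.ua", "co.jp"}


def registrable_label(domain: str) -> str:
    """Return the label directly left of the public suffix ('keepass' in keepass.info)."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_PART_SUFFIXES:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label: str) -> str:
    """Fold homoglyphs and drop separators so 's0lar-winds' compares as 'solarwinds'."""
    s = label.lower()
    for src, dst in HOMOGLYPHS:
        s = s.replace(src, dst)
    return s.replace("-", "").replace("_", "")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str) -> Optional[Tuple[str, str]]:
    """Return (brand, reason) if the domain imitates a known vendor, else None."""
    domain = domain.lower().strip(".")
    if domain in LEGIT.values():
        return None
    raw = registrable_label(domain)
    norm = normalize(raw)
    for brand in LEGIT:
        if norm == brand:
            if raw == brand:
                return (brand, "brand on different TLD")
            return (brand, "homoglyph or separator substitution")
        if brand in norm:
            return (brand, "brand embedded in label")
        budget = max(1, len(brand) // 5)  # tolerate more edits for longer brands
        dist = levenshtein(norm, brand)
        if dist <= budget:
            return (brand, f"edit distance {dist}")
    return None


def scan(domains):
    """Map every suspicious domain in the list to its (brand, reason) verdict."""
    hits = {}
    for d in domains:
        verdict = classify(d)
        if verdict:
            hits[d] = verdict
    return hits


if __name__ == "__main__":
    # Constructed candidates, e.g. pulled from certificate-transparency or new-domain feeds.
    candidates = ["keepass.info", "keepas.info", "s0larwinds.com",
                  "keepass-download.info", "pdfreaderpro.com", "example.com"]
    for d, (brand, reason) in scan(candidates).items():
        print(f"{d:24} -> imitates {brand} ({reason})")
```

Feeding this a stream of newly registered domains or certificate-transparency log entries gives an early warning before the phishing email arrives; the exact-match check comes first so the vendor's own domain is never flagged, and the edit-distance budget scales with brand length so short names do not produce a flood of false positives.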
“Our team followed the RomCom netflows and found both spoofed KeePass and PDF Reader Pro websites in the Ukrainian language,” reads the advisory. “Both of these spoofed websites host their terms of service pages on the same URL and indicate the software providers are hosted by UK companies.”
According to BlackBerry, these tactics are similar to, and may indicate a connection between, the RomCom gang and the Cuba ransomware and Industrial Spy groups.
“Industrial Spy is a relatively new ransomware group that emerged in April 2022,” the security team wrote. “However, given the targets’ geography and characteristics, combined with the current geopolitical situation, it’s unclear if the real motivation of the RomCom threat actor is purely cybercriminal in nature.”
A list of RomCom RAT indicators of compromise (IoCs) is available in the original text of the BlackBerry advisory. Its publication comes days after the malware was linked with recent campaigns targeting organizations in Ukraine.