The Ukrainian authorities have published information warning of a new ransomware campaign against organizations in the war-torn country.
In a brief note, the Ukrainian CERT said it had discovered phishing emails spoofed to appear as if sent from the “Press Service of the General Staff of the Armed Forces of Ukraine.”
If recipients fall for the scam and click the link contained in the email, they’ll be taken to a web page and urged to download a new version of PDF Reader. Doing so will trigger a malicious executable, CERT-UA warned.
“Running the mentioned file will, as a result, decode and run the ‘rmtpak.dll’ file. The latter is classified as RomCom malware,” it explained.
RomCom was first discovered by Palo Alto Networks back in August.
It linked the remote access Trojan (RAT) to a new Cuba ransomware affiliate dubbed “Tropical Scorpius,” noting that the malware enables threat actors to perform a variety of post-intrusion functions such as data exfiltration.
The affiliate appears to have been a key driver of Cuba ransomware infections, accounting for roughly half of the victims listed on the group’s leak site between 2019 and summer 2022.
“As of July 2022, Tropical Scorpius has used Cuba ransomware to impact 27 additional organizations across various vectors, such as professional and legal services, state and local government, manufacturing, transportation and logistics, wholesale and retail, real estate, financial services, healthcare, high technology, utilities and energy, construction, and education,” Palo Alto said at the time.
That would seem to suggest that the current campaign in Ukraine is primarily financially motivated, rather than coordinated with Russian state objectives in mind.
“Considering the use of the RomCom backdoor, as well as other features of the related files, we believe it is possible to associate the detected activity with the activity of the group Tropical Scorpius aka UNC2596, which is responsible for the distribution of Cuba ransomware,” CERT-UA confirmed.
A Cuba ransomware attack on the small Balkan country of Montenegro at the end of August was initially blamed by its government on the Kremlin. However, the NATO member subsequently appeared to row back from those claims.