Unknown Actors are Deploying RomCom RAT to Target Ukrainian Military


The threat actor behind a remote access trojan known as RomCom RAT has been observed targeting Ukrainian military institutions as part of a new spear-phishing campaign that commenced on October 21, 2022.

The development marks a shift in the attacker’s modus operandi, which has previously been attributed to spoofing legitimate apps like Advanced IP Scanner and pdfFiller to drop backdoors on compromised systems.

“The initial ‘Advanced IP Scanner’ campaign occurred on July 23, 2022,” the BlackBerry Research and Intelligence Team said. “Once the victim installs a Trojanized bundle, it drops RomCom RAT to the system.”

While earlier iterations of the campaign involved the use of a trojanized Advanced IP Scanner, the unidentified adversarial collective has since switched to pdfFiller as of October 20, indicating an active attempt on the part of the adversary to refine tactics and thwart detection.

These lookalike websites host a rogue installer package that results in the deployment of the RomCom RAT, which is capable of harvesting information and capturing screenshots, all of which is exfiltrated to a remote server.

Malicious Versions of Popular Apps

The adversary’s latest activity directed against the Ukrainian military is a departure in that it employs a phishing email with an embedded link as the initial infection vector, leading to a fake website that drops the next-stage downloader.


This downloader, signed using a valid digital certificate from “Blythe Consulting sp. z o.o.” for an additional layer of evasion, is then used to extract and run the RomCom RAT malware. BlackBerry said the same signer is used by the legitimate version of pdfFiller.

Apart from the Ukrainian military, other targets of the campaign include IT companies, food brokers, and food manufacturing entities in the U.S., Brazil, and the Philippines.

“This campaign is a good example of the blurred line between cybercrime-motivated threat actors and targeted attack threat actors,” Dmitry Bestuzhev, threat researcher at BlackBerry, told The Hacker News.

“In the past, both groups acted independently, relying on different tooling. Today, targeted attack threat actors rely more on conventional tooling, making attribution harder.”
