The menace actor behind a distant entry trojan known as RomCom RAT has been noticed concentrating on Ukrainian navy establishments as a part of a brand new spear-phishing marketing campaign that commenced on October 21, 2022.
The event marks a shift within the attacker’s modus operandi, which has been beforehand attributed to spoofing legit apps like Superior IP Scanner and pdfFiller to drop backdoors on compromised programs.
“The preliminary ‘Superior IP Scanner’ marketing campaign occurred on July 23, 2022,” the BlackBerry analysis and intelligence crew stated. “As soon as the sufferer installs a Trojanized bundle, it drops RomCom RAT to the system.”
Whereas earlier iterations of the marketing campaign concerned using trojanized Superior IP Scanner, the unidentified adversarial collective has since switched to pdfFiller as of October 20, indicating an lively try on a part of the adversary to refine techniques and thwart detection.
These lookalike web sites host a rogue installer package deal that leads to the deployment of the RomCom RAT, which is able to harvesting data and capturing screenshots, all of which is exported to a distant server.
The adversary’s newest exercise directed in opposition to the Ukrainian navy is a departure in that it employs a phishing electronic mail with an embedded hyperlink as an preliminary an infection vector, resulting in a faux web site dropping the subsequent stage downloader.
This downloader, signed utilizing a legitimate digital certificates from “Blythe Consulting sp. z o.o.” for an additional layer of evasion, is then used to extract and run the RomCom RAT malware. BlackBerry stated the identical signer is utilized by the legit model of pdfFiller.
In addition to the Ukrainian navy, different targets of the marketing campaign embrace IT firms, meals brokers, and meals manufacturing entities within the U.S., Brazil, and the Philippines.
“This marketing campaign is an effective instance of the blurred line between cybercrime-motivated menace actors and focused assault menace actors,” Dmitry Bestuzhev, menace researcher at BlackBerry, instructed The Hacker Information.
“Previously, each teams acted independently, counting on totally different tooling. Right now, focused assault menace actors rely extra on conventional tooling, making attribution more durable.”
