Saturday, October 29, 2022
RomCom RAT Distributed as Spoofed Versions of Popular IP Scanning Tool

The threat actor behind the remote access trojan 'RomCom RAT' is now targeting Ukrainian military institutions. The group is known to spoof legitimate applications such as 'Advanced IP Scanner' and 'PDF Filler' to drop backdoors on compromised systems.

Reports say the 'Advanced IP Scanner' campaign took place on July 23, 2022. When the victim installs the Trojanized package, it drops RomCom RAT onto the system.

Later, on October 10, 2022, the threat actor improved its evasion techniques by obfuscating all strings and executing the malware as a COM object.

RomCom RAT Distributed as Spoofed Versions

Previously, RomCom RAT was distributed through fake websites spoofing the official 'Advanced IP Scanner' utility website. The Trojanized 'Advanced IP Scanner' package was hosted on the 'advanced-ip-scaner[.]com' and 'advanced-ip-scanners[.]com' domains.

Notably, both domains resolved to the same IP address, 167[.]71[.]175[.]165. The threat actor also spoofed the 'pdfFiller' website, dropping a Trojanized version with RomCom RAT as the final payload.

[Image: Fake 'Advanced IP Scanner' website]
[Image: Official 'Advanced IP Scanner' website]

The BlackBerry Research and Intelligence team has identified two versions of the Trojanized package, 'Advanced_IP_Scanner_V2.5.4594.1.zip' and 'advancedipscanner.msi'.

Researchers say the threat actor spoofed the legitimate installer named 'Advanced_IP_Scanner_2.5.4594.1.exe' by adding a single letter 'V' to the file name. Once unpacked, the archive holds 27 files, of which 4 are malicious droppers.
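The indicators above (two typosquatted domains, one shared IP address, and installer names that differ from the legitimate one by a single letter) are the kind of thing a defender would want to match against DNS and proxy logs. The following script is an added example, not code from the article or from BlackBerry: it scores domains by edit distance against the vendor's real site (assumed here to be advanced-ip-scanner.com, which the article does not state), matches the exact indicators quoted above, and flags installer file names that mimic the legitimate package. The log lines and the log format are constructed for the example.

```python
"""Flag RomCom-style lookalike domains and installer names in log lines.

Added example, not the article's or BlackBerry's code. The legitimate
vendor domain below is an assumption; the bad domains, IP and file names
are the indicators quoted in the article (defanging brackets removed).
"""
import re
from typing import Dict, List, Optional

LEGIT_DOMAIN = "advanced-ip-scanner.com"              # assumption: vendor's real site
LEGIT_INSTALLER = "Advanced_IP_Scanner_2.5.4594.1.exe"  # quoted in the article

KNOWN_BAD_DOMAINS = {"advanced-ip-scaner.com", "advanced-ip-scanners.com"}
KNOWN_BAD_IPS = {"167.71.175.165"}
KNOWN_BAD_FILES = {"Advanced_IP_Scanner_V2.5.4594.1.zip", "advancedipscanner.msi"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike_domain(domain: str, legit: str = LEGIT_DOMAIN, max_dist: int = 2) -> bool:
    """True for domains within a few edits of the legitimate one, but not equal to it."""
    d = domain.lower().rstrip(".")
    return d != legit and edit_distance(d, legit) <= max_dist


def _norm(name: str) -> str:
    """Drop separators and case so 'Advanced_IP_Scanner' and 'advancedipscanner' compare equal."""
    return re.sub(r"[_\-\s]", "", name).lower()


def is_lookalike_installer(filename: str) -> bool:
    """True for file names that borrow the legitimate installer's name but are not it."""
    base = filename.split("/")[-1]
    if base == LEGIT_INSTALLER:
        return False
    stem = re.sub(r"\.(exe|zip|msi)$", "", base, flags=re.I)
    return _norm(stem).startswith("advancedipscanner")


# Constructed log format: <timestamp> <source-ip> <dns|http> <host> <resolved-ip|path>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<kind>dns|http)\s+(?P<host>\S+)\s+(?P<extra>\S+)$")


def classify(kind: str, host: str, extra: str) -> Optional[str]:
    """Return a semicolon-joined list of reasons an event is suspicious, or None."""
    reasons = []
    if host in KNOWN_BAD_DOMAINS:
        reasons.append("known RomCom domain")
    elif is_lookalike_domain(host):
        reasons.append("lookalike of %s" % LEGIT_DOMAIN)
    if kind == "dns" and extra in KNOWN_BAD_IPS:
        reasons.append("resolves to known RomCom IP")
    if kind == "http":
        fname = extra.split("/")[-1]
        if fname in KNOWN_BAD_FILES:
            reasons.append("known trojanized installer name")
        elif is_lookalike_installer(fname):
            reasons.append("installer name mimics legitimate package")
    return "; ".join(reasons) or None


def scan_logs(lines: List[str]) -> List[Dict[str, str]]:
    """Parse each log line and collect the suspicious ones with their reasons."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        reason = classify(m["kind"], m["host"], m["extra"])
        if reason:
            findings.append({"ts": m["ts"], "src": m["src"], "host": m["host"], "reason": reason})
    return findings


# Constructed sample traffic: two hosts fetch the lookalike packages, one fetches the real installer.
SAMPLE_LOGS = [
    "2022-07-23T10:15:02Z 10.0.0.5 dns advanced-ip-scaner.com 167.71.175.165",
    "2022-07-23T10:15:04Z 10.0.0.5 http advanced-ip-scaner.com /Advanced_IP_Scanner_V2.5.4594.1.zip",
    "2022-07-23T11:02:11Z 10.0.0.9 dns advanced-ip-scanner.com 203.0.113.10",
    "2022-07-23T11:02:13Z 10.0.0.9 http advanced-ip-scanner.com /Advanced_IP_Scanner_2.5.4594.1.exe",
    "2022-10-10T08:41:00Z 10.0.0.7 dns advanced-ip-scanner.co 198.51.100.7",
    "2022-10-10T08:41:02Z 10.0.0.7 http cdn.example.net /advancedipscanner.msi",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(hit["ts"], hit["src"], hit["host"], "->", hit["reason"])
```

The edit-distance check deliberately goes beyond the two domains named in the article, so that a not-yet-seen variant such as a dropped or doubled letter is still surfaced; the exact-match sets remain useful because they give the analyst a firm attribution rather than a similarity score. Legitimate traffic to the real domain and installer produces no finding.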

RomCom gathers system information (disk and file enumeration) as well as details of locally installed applications and running processes. It also takes screenshots and transmits the collected data to a hardcoded command-and-control (C2) server. If a specific command is received, it supports self-deletion from the victim's machine.

"The threat actor behind the RomCom RAT targeted the military institutions of Ukraine. The initial infection vector is an email with an embedded link leading to a fake website dropping the next-stage downloader", said the BlackBerry Research and Intelligence team.

The original link leads to a lure in the Ukrainian language spoofing the genuine Ministry of Defense of Ukraine website.

Final Word

The RomCom RAT threat actor is therefore actively developing new techniques and targeting victims worldwide, and further campaigns from this actor are highly likely.

Researchers also found the RomCom threat actor targeting IT companies, food brokers, and food manufacturers in the U.S., Brazil, and the Philippines.
