RomCom RAT operators have developed new capabilities to target Ukrainian military institutions. The group is known for deploying spoofed versions of legitimate applications to drop backdoors on compromised systems.
The initial campaign
The initial campaign, which was observed first on July 23 was using the Advanced IP Scanner application.
- At that time, the threat actors were using identical-looking domains to host the trojanized Advanced IP Scanner packages.
- The packages carried many files and malicious droppers working as next-stage downloaders for the final payload, RomCom RAT.
What's new?
According to BlackBerry researchers, RomCom operators have switched to an application website for PDF Filler to distribute trojanized packages in the latest campaign.
- The group is luring Ukrainian military institutions with a spoofed PDF Filler application website that contains malicious droppers. These droppers extract the RomCom RAT as a final payload from the resources.
- Analysis of metadata indicates that both droppers (hosted on the website) and the final RAT contained multiple variants of local Russian languages.
- One RomCom dropper file was found with a valid digital signature by Signer Blythe Consulting sp. z o.o, which is also used by the legitimate clean PDF Filler application.
- In addition, the group has upgraded evasion techniques with string obfuscation and execution as a COM object, among others.
On the target
In this campaign, RomCom threat actors are targeting prominent sectors such as IT, manufacturing, and retail in the U.S., Brazil, and the Philippines.
RomCom’s capabilities
The trojan appears to be under active development since April and is considered to be comparatively more capable than typical RATs.
- It gathers information about the system, locally installed applications, and memory processes.
- It takes screenshots and transmits the collected data to the C2 server and if commanded, it supports auto-deletion from the victim's machine as well.
The bottom line
RomCom RAT is just a few months old and has started targeting victims worldwide. It has efficiently switched from one legitimate and popular application to another to distribute malicious packages without raising much suspicion. All these tactics point out that the group is actively evolving, and can become a potential threat in the future.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/f971_shutterstock_2149483327.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/fce9_shutterstock_1868295205.jpg)
