The threat actors behind the RomCom RAT have been leveraging a network of fake websites advertising rogue versions of popular software since at least July 2022 to infiltrate targets.
Cybersecurity firm Trend Micro is tracking the activity cluster under the name Void Rabisu, which is also known as Tropical Scorpius (Unit 42) and UNC2596 (Mandiant).
“These decoy sites were likely intended for only a small number of targets, making discovery and analysis more difficult,” security researchers Feike Hacquebord, Stephen Hilt, Fernando Merces, and Lord Alfred Remorin said.
Some of the fake apps seen so far include AstraChat, Remote Desktop Manager Devolutions, Gimp, GoTo Meeting, KeePass, OpenAI ChatGPT, Signal, Veeam Backup & Replication, and WinDirStat.
The RomCom RAT was first documented by Palo Alto Networks Unit 42 in August 2022, which attributed it to the financially motivated group distributing Cuba Ransomware (aka COLDDRAW). It should be noted that there is no evidence to suggest that the ransomware gang has any connection or affiliation with the Republic of Cuba.
The remote access trojan has since been widely used in attacks targeting Ukrainian state agencies and military systems via bogus versions of legitimate software. Other isolated targets have been located in the Americas and Asia.
Void Rabisu has also been observed abusing Google Ads to trick users into visiting a rogue site as part of a narrowly targeted attack, making it the latest addition to a long list of threat actors finding new avenues to gain initial access to victim systems.
“RomCom used spear-phishing against European lawmakers in March 2022, but targeted European defense companies in October 2022 with Google Ads leading to intermediate landing sites that would redirect to the RomCom lure site,” Trend Micro said.
This suggests that the adversary is blending its targeting methodology to include tactics linked to both cybercriminals and nation-state groups.
The shift toward using the RomCom RAT as a backdoor for targeted intrusions has been complemented by a significant upgrade to the malware, increasing the number of supported commands from 20 to 49 and enabling it to exert total control over the compromised host.
The upgraded RAT also includes the ability to download additional payloads to take screenshots, retrieve cryptocurrency wallet data, siphon chat messages and FTP credentials, and deploy a browser password stealer dubbed StealDeal.
Another notable aspect of the attack is the use of code-signing certificates to lend credibility to the malicious installers, with samples signed by seemingly legitimate companies based in the US and Canada.
“The lines are blurring between cybercrime driven by financial gain and APT attacks motivated by geopolitics, espionage, disruption and warfare,” the researchers said.
“Since the emergence of Ransomware-as-a-Service (RaaS), cybercriminals have avoided using the sophisticated tactics and targeted attacks that were previously considered the domain of APT actors. Instead, tactics and techniques previously used by financially motivated actors are increasingly being used in attacks with geopolitical goals.”