Cybercriminals deploy the RomCom RAT against Ukraine’s armies

November 10, 2022

Military institutions in Ukraine have recently been targeted by a new campaign launched by the RomCom RAT operators, involving the use of spoofed domains that host trojanised Advanced IP Scanner packages.

First observed in July, the campaign distributed the trojanised application's installer packages, which also contained numerous files and malicious droppers that download the final payload, the RomCom RAT, to the victim's computer.


Aside from the Advanced IP Scanner app, the threat group also leveraged another application called PDF Filler to distribute the RomCom RAT.


Recent investigations show that Ukraine's armed forces are also being lured with a spoofed website for the PDF Filler app, into which the threat actors have injected malicious droppers. Once the fake application is run, the RomCom RAT is likewise deployed on the victims' computers.

The researchers also noted that the droppers and the final RAT payload contain multiple variants of Russian-language strings, indicating that a Russia-based threat group might be behind the attacks. Additionally, the attackers employed enhanced security-evasion tactics to hide their malicious activities.

Other countries are also targets of this latest campaign, including the US, the Philippines, and Brazil.

According to the analysis of the RAT, RomCom has been under active development since last April. It is also deemed one of the most effective RATs among those currently known.

Some of the RomCom RAT’s capabilities include gathering the victim’s system information, locally installed apps, and memory processes. Moreover, the RAT can take screenshots and transmit all collected data to the threat actors’ remote C2 server. RomCom can also auto-delete itself in the machine upon command.

Security experts underline that, although the RomCom RAT has been in the cybercriminal landscape for only a few months, it already infects victims effectively. Also notable is how its operators have avoided suspicion while switching from one popular application to another as the vehicle for their malicious packages.

Thus, users are advised to be cautious about which software and applications they download on their machines, as some have been injected with malware.
