
The threat actors behind the RomCom RAT have been intruding on targets since at least July 2022 using a network of fake websites that promote bogus versions of popular software.
Cybersecurity firm Trend Micro tracks this cluster of activity under the name Void Rabisu. This cluster is also known as Tropical Scorpius (Unit 42) and UNC2596 (Mandiant).
Security researchers Feike Hacquebord, Stephen Hilt, Fernando Mercês and Lord Alfred Remorin said, “These decoy sites are likely only aimed at a small number of targets, making discovery and analysis more difficult.”
Fake versions of apps spotted so far include AstraChat, Devolutions’ Remote Desktop Manager, Gimp, GoTo Meeting, KeePass, OpenAI ChatGPT, Signal, Veeam Backup & Replication, and WinDirStat.
RomCom RAT was first documented by Palo Alto Networks Unit 42 in August 2022 and was associated with a financially motivated group deploying Cuba ransomware (aka COLDDRAW). It is worth noting that there is no evidence to suggest that the ransomware gang has any connection or relationship with the Republic of Cuba.
Since then, this remote access Trojan has been frequently used in attacks against Ukrainian state institutions and military systems via spoofed versions of legitimate software. Other isolated targets are in the Americas and Asia.
Void Rabisu has also been observed abusing Google Ads to draw users to the decoy sites as part of targeted attacks, giving it a new means of gaining initial access to a victim’s system. A new addition to the long list of threat actors finding

“RomCom used spear phishing against MEPs in March 2022, but in October 2022, they targeted European defense companies with Google Ads, luring them to an intermediate landing site that redirected to RomCom’s lure site,” Trend Micro said.
This indicates that adversaries are mixing their targeting techniques to encompass tactics relevant to both cybercriminals and nation-state groups.
The shift to using RomCom RAT as a backdoor for targeted intrusions is complemented by significant improvements to the malware, which expand the number of supported commands from 20 to 49 and allow complete control over compromised hosts.
This includes the ability to download additional payloads to take screenshots, retrieve cryptocurrency wallet data, siphon chat messages and FTP credentials, and use a browser password stealer called StealDeal.
Another notable aspect of this campaign is the use of code-signing certificates to lend trust to the malicious installers. The samples were signed by seemingly harmless companies based in the United States and Canada.
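The signed-installer detail above is the part a defender can act on: a signature that validates is not the same as a signature from the vendor you expect. The following PowerShell check is an added example written for this article, not code from Trend Micro or any of the vendors named; it assumes a locally maintained table of expected signer subjects (the values below are placeholders, to be filled from a separately verified, known-good release of each product) and uses the built-in `Get-AuthenticodeSignature` cmdlet.

```powershell
# Added example, not from the article: accept an installer only if its Authenticode
# signature is valid AND the signer subject matches the publisher we expect for that
# product. A valid signature from an unfamiliar company is treated as a rejection,
# which is exactly the pattern described for the Void Rabisu installers.

# Assumption: expected signer subjects, keyed by product name. These are PLACEHOLDER
# values; populate them from a known-good copy of each vendor's signed release.
$ExpectedSigners = @{
    'KeePass' = 'CN=PLACEHOLDER KeePass Publisher, O=PLACEHOLDER KeePass Publisher'
    'Signal'  = 'CN=PLACEHOLDER Signal Publisher, O=PLACEHOLDER Signal Publisher'
}

function Test-InstallerSigner {
    param(
        [Parameter(Mandatory)] [string] $Path,      # installer to check
        [Parameter(Mandatory)] [string] $Product    # key into $ExpectedSigners
    )

    if (-not $ExpectedSigners.ContainsKey($Product)) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'REJECT'
                                  Reason = "no expected signer recorded for '$Product'" }
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Step 1: the signature itself must validate (not unsigned, tampered, or untrusted root).
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Verdict = 'REJECT'
                                  Reason = "signature status is '$($sig.Status)': $($sig.StatusMessage)" }
    }

    # Step 2: the signer must be the publisher we expect, not merely *a* valid publisher.
    $subject    = $sig.SignerCertificate.Subject
    $thumbprint = $sig.SignerCertificate.Thumbprint
    if ($subject -ne $ExpectedSigners[$Product]) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'REJECT'
                                  Reason = "valid signature but unexpected signer '$subject' (thumbprint $thumbprint)" }
    }

    return [pscustomobject]@{ Path = $Path; Verdict = 'ACCEPT'
                              Reason = "signed by expected publisher (thumbprint $thumbprint)" }
}

# Usage (path is a placeholder): run against a downloaded installer before installing it.
Test-InstallerSigner -Path 'C:\PLACEHOLDER\KeePass-Setup.exe' -Product 'KeePass' | Format-List
```

The ordering matters: checking `Status` first catches unsigned or tampered files, and the subject comparison afterwards catches the case this campaign relies on, a genuine certificate issued to a company that simply is not the software's publisher. Recording the thumbprint in the verdict gives the responder something concrete to pivot on when a rejection turns up in a download-scanning log.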
“The line between cybercrime aimed at financial gain and APT attacks aimed at geopolitics, espionage, chaos and warfare is blurring,” the researchers said.
“Since the rise of Ransomware-as-a-Service (RaaS), cybercriminals have moved away from the sophisticated tactics and targeted attacks previously thought to be the domain of APT attackers. Conversely, tactics and techniques previously used by financially motivated attackers are increasingly being used for geopolitical purposes.”