As a part of a new spear-phishing campaign that started on October 21, 2022, an unknown threat actor behind the RomCom Remote Access Trojan (RAT) has been observed targeting Ukrainian military institutions as well as American, Brazilian, and Pilipino IT companies, food brokers, and food manufacturing entities. In this campaign, the actor used a phishing email with an embedded link as the initial infection vector. This link then led to a fake website with the next stage downloader that was signed using a valid digital certificate from “Blythe Consulting sp. Z o. o.”. This downloader then extracted and ran the RomCom RAT, which can harvest information, capture screenshots, and exfiltrate data to a remote server.
Prior to this campaign, the actor was seen spoofing legitimate applications such as “Advanced IP Scanner” and “pdfFiller” and hosting them on malicious websites. These spoofed applications would then also go on to deploy the RomCom RAT. This marks a change in the actor’s tactics, switching from less targeted spoofed applications to a more targeted spear-phishing campaign. While there were not many similarities between the campaigns other than the use of the RomCom RAT, both campaigns were able to be attributed to the group as the “pdfFiller” application used the same signer as was seen in the most recent campaign.
Analyst Notes
Researchers at BlackBerry noted, “this campaign is a good example of the blurred line between cybercrime-motivated threat actors and targeted attack threat actors” and it highlights the difficulty of attribution in many campaigns. In the past, the activities of the two groups of threat actors had been largely independent, with targeted attack threat actors relying on custom tooling while cybercrime-motivated threat actors would typically rely on traditional tooling. However, as time goes on and traditional tools improve, more targeted attack threat actors are turning towards using traditional tools, likely to save time and money and evade attribution. With these actors turning to traditional tools, it is more difficult to attribute specific campaigns to specific threat actors.
It is generally not necessary for an organization to attribute a campaign to a specific threat actor. However, it does aid in threat hunting, as once a campaign is attributed to an actor a threat hunter can then begin to hunt for tactics used by that specific actor in the past to improve their investigation. With attribution becoming more difficult, the need for a defense in depth security posture to ensure that all known tactics and techniques will be detected and alerted on becomes more important.
https://thehackernews.com/2022/10/romcom-hackers-circulating-malicious.html
