The threat actor known as RomCom has returned to the scene, targeting Ukrainian politicians and a healthcare organization in the United States involved with aiding refugees fleeing the war-torn country.
The attack is delivered through a trojanized version of Devolutions Remote Desktop Manager, which victims were likely encouraged to download after being directed to a cloned website through phishing.
The threat group used a form of typosquatting to create a striking resemblance to the authentic site, according to the report from the BlackBerry Threat Research and Intelligence team.
By creating fake websites that closely resemble the legitimate software sites, RomCom can distribute malicious payloads to unsuspecting victims who download and install the compromised software, thinking it’s legitimate.
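A defender's first check against this tactic is to compare the domains users actually reach against the vendor domains they are expected to reach. The script below is an added example, not code from the article or from BlackBerry's report: it flags lookalike destinations in constructed proxy log lines. The allowlist, the log format and every domain in it are assumptions for illustration (the article names the impersonated software, not the domains the actor registered); the heuristics cover homoglyph substitution, small edit distances, a brand name embedded in a longer label, and a swapped top-level domain.

```python
import re

# Constructed allowlist of vendor domains users are expected to download software from.
# Illustrative only: the article does not publish the actor's registered domains.
PROTECTED_DOMAINS = ["devolutions.net", "keepass.info", "solarwinds.com"]

# Single-character lookalikes common in typosquatting; mapping them back to the base
# letter makes "devo1utions" compare equal to "devolutions".
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
# Two-character sequences that render like a single letter in many fonts.
MULTI_CHAR = [("rn", "m"), ("vv", "w")]


def normalize(label: str) -> str:
    """Fold visual lookalikes back to plain letters (heuristic; may over-fold words like 'modern')."""
    label = label.lower().translate(HOMOGLYPHS)
    for fake, real in MULTI_CHAR:
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Standard dynamic-programming edit distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Keep the last two labels. Adequate for .com/.net/.info; a real deployment
    should use the Public Suffix List so that co.uk-style suffixes are handled."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def classify_domain(domain: str):
    """Return (verdict, protected_domain) for one observed hostname."""
    reg = registrable(domain)
    if reg in PROTECTED_DOMAINS:
        return ("legitimate", reg)
    label = reg.split(".")[0]
    for prot in PROTECTED_DOMAINS:
        prot_label = prot.split(".")[0]
        if label == prot_label:                     # same brand, different TLD
            return ("tld-swap", prot)
        if normalize(label) == prot_label:          # digits/pairs standing in for letters
            return ("homoglyph-lookalike", prot)
        # Edit-distance matching is only meaningful for reasonably long brand labels.
        if len(prot_label) >= 6 and levenshtein(normalize(label), prot_label) <= 2:
            return ("typosquat", prot)
        if prot_label in label:                     # e.g. brand-download.com
            return ("brand-in-label", prot)
    return ("unknown", None)


# Constructed proxy log lines in an assumed key=value format.
LOG_LINES = [
    "2023-05-30T10:01:02Z host=ws-17 dst=devolutions.net path=/download/",
    "2023-05-30T10:04:11Z host=ws-17 dst=devo1utions.net path=/download/",
    "2023-05-30T10:06:45Z host=ws-22 dst=devolutlons.net path=/rdm/setup.exe",
    "2023-05-30T10:09:03Z host=ws-22 dst=devolutions-download.com path=/setup.exe",
    "2023-05-30T10:11:20Z host=ws-09 dst=devolutions.com path=/setup.exe",
    "2023-05-30T10:12:30Z host=ws-05 dst=example.org path=/",
]

LOG_RE = re.compile(r"dst=(?P<dst>[^\s,]+)")


def scan_log(lines):
    """Return one finding per line whose destination impersonates a protected domain."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        verdict, prot = classify_domain(m.group("dst"))
        if verdict not in ("legitimate", "unknown"):
            findings.append({"dst": m.group("dst"), "verdict": verdict, "impersonates": prot})
    return findings


if __name__ == "__main__":
    for f in scan_log(LOG_LINES):
        print(f"{f['dst']:<28} {f['verdict']:<20} impersonates {f['impersonates']}")
```

Run over the constructed lines, the script reports four suspicious destinations and leaves the genuine vendor domain and the unrelated site alone. In practice the allowlist would be the software vendors whose installers the organization actually deploys, and the output would feed a proxy block list or an alert rather than stdout.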
The trojanized installer begins installing malware after the user is prompted to select the destination path where they’d like the files to be installed. It then begins systematically collecting essential host and user metadata from the infected system, which is subsequently transmitted to its command-and-control (C2) server.
A Cyberattack With Geopolitical Motivations
The campaign strongly suggests that the motivation of this threat actor is not money, but rather a geopolitical agenda that is guiding its attack strategy and targeting methods.
Reconnaissance into what software the targets use, so that fake update notifications could be delivered for it, was part of the process, according to Dmitry Bestuzhev, senior director, CTI, BlackBerry. “In other words, the threat actor behind RomCom RAT relies on previous information about each victim, such as what software they use, how they use it, and the social or political programs they’re working on.”
The endgame is the exfiltration of sensitive information. “We saw RomCom targeting military secrets, such as unit locations, defensive and offensive plans, arms, [and] military training programs,” Bestuzhev notes.
He says that in the case of the US-based healthcare organization providing aid to refugees from Ukraine, the targeted information included how that program works to determine who the refugees are, including the refugees’ personal information, which can be used for further attacks.
A RomCom You Haven’t Seen Before
Previous RomCom campaigns against the Ukrainian military used fake Advanced IP Scanner software to deliver malware, and the group has also targeted English-speaking countries, especially the UK, with trojanized versions of popular software products, including SolarWinds Network Performance Monitor, KeePass Open-Source Password Manager, and PDF Reader Pro.
Callie Guenther, cyber threat research senior manager at Critical Start, explains that in the most recent campaigns, along with using different software, RomCom also adapted its C2 infrastructure to blend in with legitimate network traffic.
“This could involve using communication protocols commonly associated with political campaigns or healthcare organizations, making it more challenging to detect their malicious activities,” she says.
She adds that social media was an important part of the recent campaigns. “RomCom may employ phishing emails, spear-phishing, or other social engineering techniques tailored to the targeted individuals or organizations,” she explains.
For politicians, they could craft email messages impersonating political colleagues or officials, and in the case of the healthcare company, they might send emails posing as healthcare regulatory authorities or vendors of medical equipment or software.
Guenther says RomCom’s active development of new capabilities and techniques indicates a notable level of sophistication and adaptability.
“This suggests that their target selection may evolve as they refine their tactics and seek new opportunities for compromise,” she says.
How to Defend Against the RomCom APT
Mike Parkin, senior technical engineer at Vulcan Cyber, says the standard defense tactics apply here as they do with any attacker, regardless of whether they are cybercriminal or state sponsored.
“Keep patches up to date. Deploy following industry best practices and vendor ‘secure installation’ recommendations,” he says. “Make sure users are trained and cultivate a secure culture which makes them part of the solution rather than the most vulnerable part of the attack surface.”
Bestuzhev says the threat actor behind RomCom relies on social engineering and trust. So, employee training on how to spot spear phishing is also important.
“Secondly, it’s important to rely on a good cyber threat intelligence program providing contextual, anticipative, and actionable threat intelligence, such as behavior rules to detect RomCom’s ops in the systems, network traffic, and files,” he says. “With this context about RomCom, there is room for building an effective threat modeling based on the tactics, techniques, and procedures (TTP), and geopolitical developments.”
Source: https://www.darkreading.com/threat-intelligence/romcom-threat-actor-targets-ukrainian-politicians-us-healthcare