This RomCom is no laughing matter:
A change in the deployment of the RomCom malware strain has illustrated the blurring distinction between cyberattacks motivated by money and those fueled by geopolitics, in this case Russia's illegal invasion of Ukraine, according to Trend Micro analysts.
The infosec vendor pointed out that RomCom's operators, the threat group Void Rabisu, also have links to the notorious Cuba ransomware, and the group was therefore assumed to be a financially driven criminal organization.
But in a report published this week, the researchers wrote that Void Rabisu used RomCom against the Ukraine government and military as well as water, energy, and financial entities in the country.
Outside of Ukraine, targets included a local government group helping Ukrainian refugees, a defense company in Europe, IT service providers in the US and the EU, and a bank in South America. There also were campaigns against people attending various events including the Masters of Digital and Munich Security conferences.
The usage pattern seems to have started shifting last autumn.
One campaign inside of Ukraine used a fraudulent version of the Ukrainian army's DELTA situational awareness website to lure victims into downloading RomCom through improperly patched browsers.
"Normally, this kind of brazen attack would be thought to be the work of a nation state-sponsored actor, but in this case, the indicators clearly pointed towards Void Rabisu, and some of the tactics, techniques, and procedures (TTPs) used were typically associated with cybercrime," Trend's researchers wrote.
The firm has been tracking Void Rabisu since mid-2022 and believes the gang has added evasion techniques to make it more difficult for security tools to detect the malware. The gang has also used fake websites that appear to promote real or fake software – including ChatGPT, Go To Meeting, AstraChat, KeePass, and Veeam – to entice victims into downloading malicious code.
The attackers push the fake sites through targeted phishing emails and Google Ads.
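The lure described above relies on lookalike download sites for well-known software. As an added example (not code from the article or from Trend Micro), the script below shows one way a defender can triage web-proxy logs for hostnames that imitate the brands the report names. The log lines, the `.example` hostnames, and the `ALLOWLIST` of legitimate vendor domains are all constructed assumptions for this illustration; a real deployment would use a vetted allowlist and a proper public-suffix list.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Brands the report says were impersonated by fake download sites.
BRANDS = ["chatgpt", "gotomeeting", "astrachat", "keepass", "veeam"]

# Assumed allowlist of the vendors' legitimate registrable domains.
# This is an illustrative assumption, not a list taken from the article.
ALLOWLIST = {"openai.com", "goto.com", "astrachat.com", "keepass.info", "veeam.com"}

# Constructed proxy log lines: timestamp, client IP, method, URL.
SAMPLE_LOG = """\
2023-02-14T09:01:12Z 10.0.0.15 GET https://keepass.info/download.html
2023-02-14T09:03:40Z 10.0.0.22 GET https://keepass-download.example/setup.exe
2023-02-14T09:05:02Z 10.0.0.22 GET https://veeam.com/products
2023-02-14T09:07:51Z 10.0.0.31 GET https://astrachat-app.example/AstraChat.msi
2023-02-14T09:09:10Z 10.0.0.31 GET https://gotometing.example/installer.exe
2023-02-14T09:11:33Z 10.0.0.44 GET https://intranet.example/news
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
SIMILARITY_THRESHOLD = 0.8  # catches single-character typos such as "gotometing"


def registrable_domain(host):
    """Crude 'last two labels' approximation of the registrable domain.

    Assumption for this example: no multi-label public suffixes (e.g. co.uk).
    """
    parts = host.lower().split(".")
    return ".".join(parts[-2:])


def brand_imitated(host):
    """Return the brand a hostname imitates, or None if it looks unrelated.

    Two checks: (1) the brand string embedded in the hostname once separators
    are stripped (keepass-download...), and (2) a near-miss spelling of the
    brand in any single label (gotometing vs gotomeeting).
    """
    host = host.lower()
    collapsed = host.replace(".", "").replace("-", "")
    labels = re.split(r"[.-]", host)
    for brand in BRANDS:
        if brand in collapsed:
            return brand
        for label in labels:
            if SequenceMatcher(None, label, brand).ratio() >= SIMILARITY_THRESHOLD:
                return brand
    return None


def flag_lookalikes(log_text):
    """Scan proxy log text and return (hostname, brand) pairs worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # malformed line: skip rather than crash the triage run
        host = urlsplit(match.group(4)).hostname
        if not host or registrable_domain(host) in ALLOWLIST:
            continue  # genuine vendor domain, nothing to flag
        brand = brand_imitated(host)
        if brand:
            findings.append((host, brand))
    return findings


if __name__ == "__main__":
    for host, brand in flag_lookalikes(SAMPLE_LOG):
        print(f"possible lookalike of {brand}: {host}")
```

The substring check deliberately runs before the similarity check so that obvious embeddings are caught without relying on a fuzzy threshold; the threshold only has to handle misspellings of a single label. Hits are leads for an analyst, not verdicts, since legitimate mirrors and CDNs can also embed a brand name.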
With the combination of RomCom targets seen by Trend Micro, the Ukrainian Computer Emergency Response Team (CERT-UA), and Google, "a clear picture emerges of the RomCom backdoor's targets: select Ukrainian targets and allies of Ukraine," the researchers wrote.
The report details a February 2023 campaign against targets in Eastern Europe during which miscreants embedded the latest version of RomCom – 3.0 – in an installation package of the AstraChat instant messaging software.
While RomCom receives upgrades, its modular architecture remains. Three components - a loader, a network component to communicate with the command-and-control (C2) server, and a worker component that runs the actions on the victim's system - do its dirty work.
[...] "We expect that significant geopolitical events like the current war against Ukraine will accelerate the alignment of the campaigns of threat actors who reside in the same geographic region," the researchers wrote. "This will lead to new challenges for defenders, as attacks can then come from many different angles, and it will be less clear who is the actor responsible for them."
(Score: 3, Informative) by legont on Monday June 05, @04:47AM (1 child)
Yes indeed. On a related note, American antitank missiles destined for Ukraine already found their way to Mexican drug gangs. One could blame Ukrainians or even Russians, but I doubt the toys ever left our side of the pond.
"Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
(Score: 1) by khallow on Tuesday June 06, @04:03AM
Looks only to be truish [apnews.com].
Wikipedia notes [wikipedia.org] that the AT4 is used not only by the US and Mexican cartels in North America, but also by Argentina, Brazil, Colombia, Dominican Republic, and Venezuela.