![]() The initial infection vector is an email with an embedded link leading to a fake website dropping the next stage downloader”, BlackBerry Research and Intelligence team “The threat actor behind the RomCom RAT targeted the military institutions of Ukraine. If a special command is received, it supports auto-deletion from the victim’s machine. It also takes screenshots and transmits collected data to the hardcoded command-and-control (C2). RomCom gathers system information (disk and files information enumeration), and information about locally installed applications and memory processes. Once unpacked, it holds 27 files, of which four are malicious droppers. ![]() Researchers say the threat actor spoofed the legitimate tools named “Advanced_IP_Scanner_.1.exe” by adding a single letter “V” to the file’s name. The BlackBerry Research and Intelligence team has identified two versions of it, “Advanced_IP_Scanner_V.1.zip” and “advancedipscanner.msi.” Fake “Advanced IP Scanner” website Legitimate “Advanced IP Scanner” website The threat actor spoofed the “pdfFiller” website, dropping a Trojanized version with RomCom RAT as the final payload. Particularly, these domains resolved to the same IP address of 16771175165.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |