RomCom backdoor

Updated on 2022-11-04

BlackBerry’s security team has a technical report on a suspected nation-state operation that appears to be using a backdoor typically employed by the cybercrime ecosystem to go after targets in Ukraine and the United Kingdom. This campaign, first spotted by CERT-Ukraine, is using cloned websites for popular enterprise software tools like SolarWinds Network Performance Monitor, KeePass Open-Source Password Manager, and PDF Reader Pro, to host boobytrapped versions of the respective tools, backdoored with a version of the RomCom RAT. Read more:

“Given the geography of the targets and the current geopolitical situation, it’s unlikely that the RomCom RAT threat actor is cybercrime-motivated.”

Think of the malware here as a service being provided to various parties doing their own phishing. https://t.co/YeFcHp8Eih

— Tyler McLellan (@tylabs) October 23, 2022

Overview: RomCom backdoor

CERT-UA says they saw a spear-phishing campaign targeting Ukrainian organizations last week, distributing a version of the RomCom backdoor malware. Authorities said they believe a threat actor named UNC2596 (Tropical Scorpius) is behind the attacks. This is the same group believed to operate the Cuba ransomware. BlackBerry’s security team also has an in-depth look at the technical side of this campaign, although they have not linked it to Cuba ransomware operators. Read more:

Unattributed #RomCom Threat Actor Spoofing Popular Apps Now Hits Ukrainian Militaries #Ukraine https://t.co/GE2WycYxC9

— Dmitry Bestuzhev (@dimitribest) October 23, 2022

Think of the malware here as a service being provided to various parties doing their own phishing. https://t.co/YeFcHp8Eih

— Tyler McLellan (@tylabs) October 23, 2022

Updated on 2022-11-04

Overview: RomCom backdoor

It looks like you are using an adblocker.