“The website that impersonates SolarWinds NPM delivers a trojanized version of the free trial and even links to an actual SolarWinds registration form that, if filled out by the victim, leads to being contacted by a real customer support agent”, according to BleepingComputer.

But the app downloaded from this site has been altered to include a malicious DLL that downloads and runs a copy of the RomCom RAT (remote access trojan) from the path “C:\Users\user\AppData\Local\Temp\winver.dll”.

BlackBerry researchers show that the downloaded executable (“Solarwinds-Orion-NPM-Eval.exe”) is signed with “Wechapaisch Consulting

Through the clone of the KeePass website, the attackers distribute an archive named “KeePass-2.52.zip” containing several files, among them “hlpr.dat”, the RomCom RAT dropper, and a “setup.exe” that launches the dropper.

After downloading the archive, the user is required to run Setup.exe manually.

It is still unclear who is behind RomCom RAT or what the motives behind the attacks are.

Unit 42 put forward the theory that Tropical Scorpius, an affiliate of Cuba Ransomware, was responsible for it. That group was the first seen using the malware, which was unknown at the time and has features such as ICMP-based communications, commands for file manipulation, process spawning and spoofing, data exfiltration, and activating a reverse shell.

But the BlackBerry team said there was no evidence for that assumption, and its report mentions Cuba Ransomware and Industrial Spy as possibly related to RomCom RAT.
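The delivery chain above lends itself to a quick host triage check. The Python script below is an added example, not code from the article, BlackBerry or Unit 42: it turns the page's indicators (a winver.dll dropped under a user's AppData\Local\Temp, a KeePass-2.52.zip that bundles hlpr.dat with setup.exe, and a SolarWinds NPM evaluation installer whose code-signing subject is not SolarWinds) into three checks run over a constructed host inventory. The inventory records, the in-memory zip archives and the expected signer string are assumptions for the demo; on a real host the signer subject would come from an Authenticode check such as PowerShell's Get-AuthenticodeSignature, which this script does not perform itself.

```python
"""Triage checks for the RomCom RAT delivery chain described in the article.

Added example, not code from the article, BlackBerry or Unit 42.
Everything below runs offline over constructed data: the inventory
records, the in-memory zip archives and the expected signer string are
assumptions for the demo, not values taken from either vendor's report.
"""
import io
import ntpath
import zipfile
from typing import Iterable, List, Optional, Tuple

# Code-signing subject expected on a genuine SolarWinds installer.
# Assumption for the example; confirm against a known-good download.
EXPECTED_SOLARWINDS_SIGNER = "SolarWinds Worldwide, LLC"

# Member names the article lists for the fake KeePass-2.52.zip.
ROMCOM_KEEPASS_MEMBERS = {"hlpr.dat", "setup.exe"}


def is_romcom_winver_drop(path: str) -> bool:
    """True if path is a winver.dll inside a user's AppData/Local/Temp.

    The legitimate winver is winver.exe in System32; a DLL of that name
    in a Temp directory matches the RomCom loader location on the page.
    """
    parts = [p.lower() for p in ntpath.normpath(path).split("\\") if p]
    if not parts or parts[-1] != "winver.dll":
        return False
    return parts[-4:-1] == ["appdata", "local", "temp"]


def looks_like_romcom_keepass_archive(zip_bytes: bytes) -> bool:
    """True if the archive carries the hlpr.dat + setup.exe pair together."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = {ntpath.basename(n.replace("/", "\\")).lower() for n in zf.namelist()}
    return ROMCOM_KEEPASS_MEMBERS <= names


def signer_mismatch(signer_subject: Optional[str], expected: str) -> bool:
    """True if a vendor installer is unsigned or signed by a different subject.

    The caller supplies signer_subject from an Authenticode check (for
    example PowerShell's Get-AuthenticodeSignature); this only compares it.
    """
    if not signer_subject:
        return True
    return expected.lower() not in signer_subject.lower()


def triage(records: Iterable[dict],
           expected_signer: str = EXPECTED_SOLARWINDS_SIGNER) -> List[Tuple[str, str]]:
    """Run the three checks over inventory records of {path, signer, zip_bytes}."""
    findings: List[Tuple[str, str]] = []
    for rec in records:
        path = rec["path"]
        name = ntpath.basename(path).lower()
        if is_romcom_winver_drop(path):
            findings.append((path, "winver.dll in user Temp: matches RomCom loader location"))
        if name.startswith("solarwinds-orion-npm-eval") and signer_mismatch(rec.get("signer"), expected_signer):
            findings.append((path, f"installer not signed by {expected_signer!r}"))
        if name.endswith(".zip") and rec.get("zip_bytes") and looks_like_romcom_keepass_archive(rec["zip_bytes"]):
            findings.append((path, "archive bundles hlpr.dat with setup.exe (dropper launcher pair)"))
    return findings


def build_sample_zip(members: Iterable[str]) -> bytes:
    """Constructed in-memory archive standing in for a download; member contents are dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member in members:
            zf.writestr(member, b"constructed placeholder")
    return buf.getvalue()


# Constructed host inventory: one hit per check plus benign look-alikes.
SAMPLE_INVENTORY = [
    {"path": r"C:\Users\user\AppData\Local\Temp\winver.dll", "signer": None},
    {"path": r"C:\Windows\System32\winver.exe", "signer": "Microsoft Windows"},
    {"path": r"C:\Users\user\Downloads\Solarwinds-Orion-NPM-Eval.exe", "signer": "Wechapaisch Consulting"},
    {"path": r"C:\Users\user\Downloads\KeePass-2.52.zip",
     "zip_bytes": build_sample_zip(["KeePass.exe", "hlpr.dat", "setup.exe"])},
    {"path": r"C:\Users\user\Downloads\other-download.zip",  # benign look-alike, constructed
     "zip_bytes": build_sample_zip(["KeePass.exe", "README.txt"])},
]


if __name__ == "__main__":
    for hit_path, reason in triage(SAMPLE_INVENTORY):
        print(f"[!] {hit_path}: {reason}")
```

The signer check is deliberately a substring match on the subject name rather than a full chain validation: a trojanized installer with a valid signature from the wrong publisher, as the page describes, passes chain validation and is only caught by comparing the signer against the vendor you expected.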