The Computer Emergency Response Team of Ukraine (CERT-UA) warns of possible attacks by Cuba ransomware operators on Ukrainian critical infrastructure. On October 21, 2022, CERT-UA uncovered a phishing campaign in which the attackers' emails posed as the press service of the General Staff of the Armed Forces of Ukraine. The phishing emails contained a link to a website that automatically started downloading a document called "Nakaz_309.pdf".
The website was designed to convince the visitor that their PDF reader needed updating. If the victim clicks the "DOWNLOAD" button, an executable named "AcroRdrDCx642200120169_uk_UA.exe" is downloaded to their computer.
Running the executable decodes and loads the DLL "rmtpak.dll", a Remote Access Trojan (RAT) known as RomCom. The malware communicates with its C&C servers over ICMP requests issued through Windows API functions. RomCom supports ten basic commands:
- Get information about the connected disk;
- Get lists of files for the specified directory;
- Run the reverse shell svchelper.exe in the %ProgramData% folder;
- Upload data to the management server as a ZIP file using IShellDispatch to copy files;
- Download data and write to worker.txt in the %ProgramData% folder;
- Delete the specified file;
- Delete the specified directory;
- Create a process with PID spoofing;
- Process only the ServiceMain received from the management server and "sleep" for 120,000 ms;
- Traverse running processes and collect their IDs.
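As an added illustration (not part of the CERT-UA report), the following Python sketch turns the host-side indicators above into detection checks run over constructed Sysmon-style log lines; the key=value log format, field names and sample paths are assumptions, and only the file names and %ProgramData% locations come from the report.

```python
import re

# Constructed Sysmon-style telemetry for illustration only; these are not real logs.
SAMPLE_EVENTS = [
    r"event=ProcessCreate image=C:\Users\u\Downloads\AcroRdrDCx642200120169_uk_UA.exe parent=C:\Program Files\Mozilla Firefox\firefox.exe",
    r"event=ImageLoad image=C:\Users\u\Downloads\AcroRdrDCx642200120169_uk_UA.exe loaded=C:\Users\u\AppData\Local\Temp\rmtpak.dll",
    r"event=ProcessCreate image=C:\ProgramData\svchelper.exe parent=C:\Users\u\Downloads\AcroRdrDCx642200120169_uk_UA.exe",
    r"event=FileCreate image=C:\Users\u\Downloads\AcroRdrDCx642200120169_uk_UA.exe target=C:\ProgramData\worker.txt",
    r"event=ProcessCreate image=C:\Windows\System32\notepad.exe parent=C:\Windows\explorer.exe",
    r"event=FileCreate image=C:\Program Files\Vendor\app.exe target=C:\ProgramData\Vendor\worker.txt",
]

# Host indicators taken from the CERT-UA description above (compared case-insensitively).
DROPPER_NAME = "acrordrdcx642200120169_uk_ua.exe"
RAT_DLL = "rmtpak.dll"
# The report places both files directly in %ProgramData%; vendor subfolders are not matched.
PROGRAMDATA_SHELL = re.compile(r"^[a-z]:\\programdata\\svchelper\.exe$")
PROGRAMDATA_WORKER = re.compile(r"^[a-z]:\\programdata\\worker\.txt$")
# key=value fields; values may contain spaces, so a value ends only before the next " key=".
FIELD = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

def parse_event(line):
    return dict(FIELD.findall(line))

def match_romcom(event):
    """Return the name of the matching rule, or None if the event looks benign."""
    kind = event.get("event")
    image = event.get("image", "").lower()
    if kind == "ProcessCreate":
        if image.rsplit("\\", 1)[-1] == DROPPER_NAME:
            return "fake-acrobat-dropper-executed"
        if PROGRAMDATA_SHELL.match(image):
            return "svchelper-reverse-shell-in-programdata"
    elif kind == "ImageLoad" and event.get("loaded", "").lower().rsplit("\\", 1)[-1] == RAT_DLL:
        return "rmtpak-dll-loaded"
    elif kind == "FileCreate" and PROGRAMDATA_WORKER.match(event.get("target", "").lower()):
        return "worker-txt-written-to-programdata"
    return None

def scan(lines):
    """Return (rule, line) pairs for every event that trips a rule."""
    alerts = []
    for line in lines:
        rule = match_romcom(parse_event(line))
        if rule:
            alerts.append((rule, line))
    return alerts

ALERTS = scan(SAMPLE_EVENTS)  # four alerts; the notepad and vendor worker.txt lines stay quiet
```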
This RAT was previously used by Tropical Scorpius (aka UNC2596), which CERT-UA tracks under the identifier UAC-0132 and which distributes the Cuba ransomware.
The CERT-UA warning said: “Given the use of the RomCom backdoor, as well as other features of the associated files, we believe it is possible to connect the detected activity with the activity of the Tropical Scorpius (aka UNC2596) group, which is responsible for distributing ransomware from Cuba.”