Security News > 2023 > May > RomCom RAT Using Deceptive Web of Rogue Software Sites for Covert Attacks

The threat actors behind RomCom RAT are leveraging a network of fake websites advertising rogue versions of popular software at least since July 2022 to infiltrate targets.

The remote access trojan has since been used heavily in attacks targeting Ukrainian state bodies and military systems via spoofed versions of legitimate software.

Void Rabisu has also been observed abusing Google Ads to trick users into visiting the lure sites as part of narrowly targeted attacks, making it the latest addition in a long list of threat actors finding fresh avenues for gaining initial access into victims' systems.

"RomCom used spear-phishing against a member of a European parliament in March 2022, but targeted a European defense company in October 2022 with a Google Ads advertisement that led to an intermediary landing site that would redirect to a RomCom lure site," Trend Micro said.

Another notable aspect of the attacks is the use of certificates to lend credibility to the malicious software installers, with samples signed by seemingly innocuous companies based in the U.S. and Canada.

"Since the rise of Ransomware-as-a-Service, cybercriminals are not using advanced tactics and targeted attacks that were previously thought to be the domain of APT actors. Inversely, tactics and techniques that were previously used by financially motivated actors are increasingly being used in attacks with geopolitical goals."

News URL

https://thehackernews.com/2023/05/romcom-rat-using-deceptive-web-of-rogue.html