Wednesday, 31 May 2023 16:08

Cuba Ransomware Group Linked RomCom Being Spread Through Ads for Real and Fake Software

Written by

Reading time is around minutes.

The RomCom backdoor malware appears to have a new campaign running. The new campaign is using impersonation attacks for different software packages (some real, some not). The goal is to trick the unwary into downloading, and hopefully launching malicious payloads. This type of campaign leverages ad services like Google Ads as a “trusted” platform using ads for software that is either often sought after or currently very popular, like ChatGPT, PDF readers, Remote Management software, etc. They are also, at times, leveraged as links in targeted or blanket phishing and social engineering attacks to get the malware on the targeted systems.

RomCom has been on the radar of security researchers and companies since first being discovered by Palto Alto in August of 2022. Since then, the malware has been seen used in targeted attacks against targets in the Ukraine as well as in the US, Brazil, and the Philippines. Many of these detected instances were also using impersonated legitimate software. Palo Alto, Blackberry, and TrendMicro all seem to agree with linking RomCom to a Cuba Ransomware affiliate though they differ on the names they track them under.

The name RomCom, take a bit of a detour here, always makes me chuckle. If you think about the names of some of the malware from the past there is always a link to the name and something that was happening when researchers were digging into it. When the Code Red malware was being investigated the team working on it was drinking a lot of Mountain Dew Code Red… what was going on with the team working on this malware to come up with the name RomCom considering that RomCom is an often-used abbreviation for Romantic Comedy?

Back to the conversation about the malware at hand, the latest Campaign includes a number of impersonation domains that are used to trick a user into downloading a malicious package. These include sites like glimp[.]com, gotomeet[.]us, chatgpt4beta[.]com, and more. Out of the ten domains identified by TrendMicro four are still online as of the time of this writing: chatgpt4beta[.]com, devolutionrdp[.]com, devolrdm[.]com, and dirwinstat[.]com.

All the sites are/were being pushed via Google Ads or through phishing emails. The links used go to an MIS installer (impersonating the intended software). The MIS package includes a malicious DLL as part of the attack chain. In turn the poisoned DLL unpacks three additional dlls that handle other functions for the malware including C2 communication and command execution on the infected device. TrendMicro also states that this latest episode of RomCom has an increased number of commands available in an already impressive list of commands (up from 20 to 42).

As you might expect, the new version of this malware also has improved evasion capabilities like encryption, obfuscation, and anti-VM components. Communication is enhanced with null bytes to avoid detection by many network monitoring tools along with being signed by legitimate code signing certificates. The companies attached to these do not seem to exist, but the certificates all appear above board and do not seem to have been stollen from another company.

Backdoor software like RomCom is always a danger, but to see one that shows up on the scene and then evolves as quickly as this one has does seem to indicate that a sophisticated group is behind its evolution. The write up from TrendMicro on this latest strain contains good information on the logic behind how this malware works even if there is little to understand the group behind it. Thankfully it does include a list of IOC that you can use to protect against this threat (at least this version).

Read 489 times

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.