urlscan.io logo urlscan.io
SecurityTrails logo

blogs.blackberry.com Open in urlscan Pro
2600:9000:223d:b800:19:cd0a:2e00:93a1  Public Scan

Back to summary
Submitted URL: https://campaigns-events.eu-central-1.onpdr.com/track/link/l9ynowj4dn/0cdvxvad1lbad11fhktnxv6tx/m3597e5deq
Effective URL: https://blogs.blackberry.com/en/2022/10/unattributed-romcom-threat-actor-spoofing-popular-apps-now-hits-ukrainian-militaries
Submission: On November 03 via api from PL — Scanned from DE

Form analysis 1 forms found in the DOM

<form id="search-form">
  <input id="search-form--input" description="Search" data-search-url="https://blogs.blackberry.com/en/search" type="text" placeholder="Search" name="search">
  <button type="submit">
    <svg aria-hidden="true" data-prefix="fa" data-icon="search" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512" data-fa-i2svg="">
      <path fill="currentColor"
        d="M505 442.7L405.3 343c-4.5-4.5-10.6-7-17-7H372c27.6-35.3 44-79.7 44-128C416 93.1 322.9 0 208 0S0 93.1 0 208s93.1 208 208 208c48.3 0 92.7-16.4 128-44v16.3c0 6.4 2.5 12.5 7 17l99.7 99.7c9.4 9.4 24.6 9.4 33.9 0l28.3-28.3c9.4-9.4 9.4-24.6.1-34zM208 336c-70.7 0-128-57.2-128-128 0-70.7 57.2-128 128-128 70.7 0 128 57.2 128 128 0 70.7-57.2 128-128 128z">
      </path>
    </svg>
  </button>
</form>

Text Content

Skip Navigation
BlackBerry Logo
 * Cybersecurity
 * Automotive & IOT
 * Critical Communications
 * Inside BlackBerry

 * ×
   

BlackBerry Blog
 1. BlackBerry Blog
 2. Unattributed RomCom Threat Actor Spoofing Popular Apps Now Hits Ukrainian
    Militaries


UNATTRIBUTED ROMCOM THREAT ACTOR SPOOFING POPULAR APPS NOW HITS UKRAINIAN
MILITARIES

CYBERSECURITY / 10.23.22 / The BlackBerry Research & Intelligence Team
 * Share on Twitter
 * Share on Facebook
 * Share on Linked In
 * Email




SUMMARY

The previously unknown RomCom RAT threat actor is now targeting Ukrainian
military institutions. The same threat actor is known to deploy spoofed versions
of popular software "Advanced IP Scanner." After being publicly exposed, it
switched to another popular application called "PDF Filler." That indicates the
group behind it is actively developing new capabilities.


CONTEXT


The initial "Advanced IP Scanner" campaign occurred on July 23, 2022. Once the
victim installs a Trojanized bundle, it drops RomCom RAT to the system. On
October 10, 2022, the threat actor improved evasion techniques by obfuscation of
all strings, execution as a COM object, and others.



ATTACK VECTOR


Earlier versions of RomCom RAT were distributed via fake websites spoofing the
legitimate "Advanced IP Scanner" application website. The Trojanized "Advanced
IP Scanner" package was hosted on "advanced-ip-scaner[.]com" and
"advanced-ip-scanners[.]com" domains. Both of those domains historically
resolved to the same IP address of 167[.]71[.]175[.]165. The threat actor also
ensured that both fake websites looked near identical to the original one -
"advanced-IP-scanner.com."


Figure 1 – Fake “Advanced IP Scanner” website
 

Figure 2 – Legitimate “Advanced IP Scanner” website
 

On October 20th, the threat actor deployed a new campaign spoofing the
"pdfFiller" website, dropping a Trojanized version with RomCom RAT as the final
payload.


WEAPONIZATION


The earliest versions of RomCom RAT came in the "Advanced IP Scanner" package.
The BlackBerry Research and Intelligence team has identified two versions of it
– "Advanced_IP_Scanner_V2.5.4594.1.zip" and "advancedipscanner.msi." The threat
actor spoofed the legitimate tools named "Advanced_IP_Scanner_2.5.4594.1.exe" by
adding a single letter "V" to the file's name.


Once unpacked, it contains 27 files, of which four are malicious droppers.


Figure 3 – Content of Trojanized "Advanced IP Scanner." RomCom RAT droppers are
highlighted
 

Dropper RomCom extracts the payload from its resources and creates it in the
following folder:

С:\Users\Username\AppData\Local\Temp\winver.dll

Main RomCom functionalities include, but are not limited to, gathering system
information (disk and files information enumeration), and information about
locally installed applications and memory processes. It also takes screenshots
and transmits collected data to the hardcoded command-and-control (C2). If a
special command is received, it supports auto-deletion from the victim's
machine.


The latest version of RomCom RAT has been bundled in the "PDFFiller.zip"
package.



CONNECTION WITH ATTACKS ON MILITARY INSTITUTIONS IN UKRAINE.


On October 21, the threat actor behind the RomCom RAT targeted the military
institutions of Ukraine. The initial infection vector is an email with an
embedded link leading to a fake website dropping the next stage downloader. The
lure is a fake document in the Ukrainian language called "Наказ_309.pdf"
(translated to English as "Order_309.pdf").



Figure 4 – The original link leads with a lure in the Ukrainian language
spoofing the original Ministry of Defense of Ukraine Website
 
That is an HTML file with a download URL of the next stage malicious Portable
Executable (PE) file.
 

Figure 5 – Part of the HTML code from the initial "Наказ_309.pdf" lure
 
Dropped malicious "AcroRdrDCx642200120169_uk_UA.exe" file has a valid digital
signature by Signer "Blythe Consulting sp. z o.o.".
 

Figure 6 – Malicious “AcroRdrDCx642200120169_uk_UA.exe” with a valid digital
signature
 

Upon execution, it drops the following file:
"C:\Users\Public\Libraries\WinApp.dll". The dropped "WinApp.dll" file contains a
single export – "fwdTst". By invoking the "rundll32.exe" proce3ss, the export is
run. Just like previously, the RomCom RAT final payload is extracted from the
resource and saved as "C:\Users\Public\Libraries\rtmpak.dll".

A legitimate clean "pdfFiller" application uses the same signer, "Blythe
Consulting sp. z o.o.". As mentioned above, the app has been abused in the
latest campaigns by the RomCom RAT threat actor.


Both RomCom RAT droppers and the final RAT include local Russian language and
Russian language variants:








TARGETS

Besides the latest campaign against military institutions from Ukraine, we have
found the RomCom threat actor targeting IT companies, food brokers, and food
manufacturing in the U.S., Brazil, and the Philippines.



Figure 7 – RomCom RAT threat actor targets
 


CONCLUSIONS

RomCom RAT threat actor is actively developing new techniques targeting victims
worldwide. It's highly likely to expect new threat actor campaigns. At the time
of publication, there is no apparent link to any attributed threat actor.

We are releasing referential IoCs from the previous and the latest campaign
targeting Ukraine.


INDICATORS OF COMPROMISE (IOCS)

Hashes (sha-256)

3e3a7116eeadf99963077dc87680952cca87ff4fe60a552041a2def6b45cbeea

983833334d168cd4274467f48171489e019b86b51e687738565a93dd3f58d0aa

05681ff7cae6b28f5714628a269caa5115da49c94737ce82ec09b4312e40fd26

59f0c3b7890f11217ad37764f225cd1c9d27747495d80dadde40b78edfbfa21e

e80d80521238008bf6f429e072eaf6030c06e2d3123d03ea9b36f5a232a1ec90

61e349518ca3f10d1e7aae0be95bc43dc23843c8acf177831cdfd48f26a07c72

a2511c5c2839bfbdf9c0f84f415d5eae168456e5d3f77f1becdbcd69fba4daa4

56a6fb2e2b6a801351175f2aa30a63d44e9ba69f177f6fe20dad348b4d6fb0d1

9f61259c966f34d89b70af92b430ae40dd5f1314ee6640d16e0b7b0f4f385738

c116a0aafdc2765e38b4f5efdf89960997abf0db81daa8f5380ce3c893e9af96

4fc9202ff84ef84b8c5e6140b66ac3d04570daf886a7f1ae31661ade882f963e

494b43198db467f506e9857f39ebe8f8bf6d871776eba092a7e2f2140046e16d

068117b406940ac510ed59efd1d7c7651f645a31bd70db6de16aba12c055aae6

80d78703de91d292c031275b4493966e363f5fa065edd79e0fd63aa2573b44a4

C2

CombinedResidency[.]org

optasko[.]com

4qzm[.]com

notfiled[.]com

 


APPLIED COUNTER MEASURES

import "pe"
import "math"

rule targeted_RomComRat : RomCom deployed via trojanized legitimate apps
{
    meta:
        description = "Rule detecting RomCom RAT used to attack Military
Institutions from Ukraine"
        author = " The BlackBerry Research & Intelligence team"
        date = "2022-18-10"
        license = "This Yara rule is provided under the Apache License 2.0
(https://www.apache.org/licenses/LICENSE-2.0) and open to any user or
organization, as long as you use it under this license and ensure originator
credit in any derivative to the BlackBerry Research & Intelligence Team"
        hash =
"9f61259c966f34d89b70af92b430ae40dd5f1314ee6640d16e0b7b0f4f385738"

      strings:
        //comDll.dll
        $x0 = {636f6d446c6c2e646c6c}
        //combase32.dll
        $x1 = {63006f006d006200610073006500330032002e0064006c006c00}         

    condition:
    uint16(0) == 0x5a4d and
    pe.number_of_sections == 7 and
    pe.sections[0].name == ".text" and
    math.entropy(pe.sections[0].raw_data_offset, pe.sections[0].raw_data_size)
>= 6.5 and
    pe.sections[1].name == ".rdata" and
    math.entropy(pe.sections[1].raw_data_offset, pe.sections[1].raw_data_size)
>= 5.2 and
    pe.sections[2].name == ".data" and
    pe.sections[3].name == ".pdata" and
    math.entropy(pe.sections[3].raw_data_offset, pe.sections[3].raw_data_size)
>= 5.5 and
    pe.sections[4].name == "_RDATA" and
    math.entropy(pe.sections[4].raw_data_offset, pe.sections[4].raw_data_size)
>= 2.4 and
    pe.sections[5].name == ".rsrc" and
    math.entropy(pe.sections[5].raw_data_offset, pe.sections[5].raw_data_size)
>= 2.85 and
    pe.sections[6].name == ".reloc" and
    math.entropy(pe.sections[6].raw_data_offset, pe.sections[6].raw_data_size)
>= 5.3 and
    pe.number_of_resources == 2 and
    pe.exports("startFile") and
    pe.exports("startInet") and
    all of ($x*)
}

 


RELATED READING:

 * Industroyer2 Malware Takes Aim at Ukraine Infrastructure
 * HeaderTip Backdoor Shows Attackers from China Preying on Ukraine
 * China-Based APT Plays Auto-Updater Card to Deliver WinDealer Malware
 * Yashma Ransomware, Tracing the Chaos Family Tree
   
   




ABOUT THE BLACKBERRY RESEARCH & INTELLIGENCE TEAM

The BlackBerry Research & Intelligence team examines emerging and persistent
threats, providing intelligence analysis for the benefit of defenders and the
organizations they serve.

--------------------------------------------------------------------------------

 * Share on Twitter
 * Share on Facebook
 * Share on Linked In
 * Email


Facebook Twitter YouTube Instagram

--------------------------------------------------------------------------------


CORPORATE

 * Company
 * Newsroom
 * Investors
 * Careers
 * Leadership
 * Corporate Responsibility
 * Certifications
 * Customer Success


DEVELOPERS

 * Enterprise Platform & Apps
 * BlackBerry QNX Developer Network


BLOGS

 * BlackBerry ThreatVector Blog
 * Developers Blog
 * Help Blog


LEGAL

 * Overview
 * Accessibility
 * Patents
 * Trademarks
 * Privacy Policy

© 2022 BlackBerry Limited. All rights reserved.

BlackBerry uses cookies to help make our website better. Some of the cookies are
necessary for proper functioning of the site, while others are to help us
understand how you use it. Learn More

Cookie Settings Decline Accept