The Computer Emergency Response Team of Ukraine (CERT-UA) has discovered a new spear-phishing campaign aimed at Ukrainian government organizations distributing a version of the RomCom remote access trojan (RAT).
The campaign uses spear-phishing emails that purport to come from the General Staff of the Armed Forces of Ukraine. Each email carries a Ukrainian-language lure document named “Наказ_309.pdf” (“Order_309.pdf”) and an embedded link to a fake website warning that the recipient's PDF reader needs updating. Clicking the download button fetches an executable named “AcroRdrDCx642200120169_uk_UA.exe” onto the system.
Once executed, this file drops another file named “rmtpak.dll,” which is the RomCom RAT.
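The delivery chain described above (fake PDF reader installer, then the dropped DLL) reduced to a host-log check, as an added example that is not from the article, CERT-UA or BlackBerry. It assumes a simplified Sysmon-style `Key=Value` export (process create, file create, image load) and runs over constructed sample lines; the only indicators used are the two file names the article gives, since no hashes or domains appear on this page.

```python
"""Flag the RomCom delivery chain in Sysmon-style host logs (added example)."""
import re

# Indicators taken from the article: file names only (case-insensitive).
FAKE_INSTALLER = "AcroRdrDCx642200120169_uk_UA.exe".lower()
DROPPED_DLL = "rmtpak.dll".lower()

# Constructed sample events, not real telemetry. Format is a simplified
# Sysmon export: EventID 1 = process create, 11 = file create, 7 = image load.
SAMPLE_LOGS = r"""
EventID=1 Image=C:\Users\olena\Downloads\AcroRdrDCx642200120169_uk_UA.exe ParentImage=C:\Program Files\Mozilla Firefox\firefox.exe
EventID=11 Image=C:\Users\olena\Downloads\AcroRdrDCx642200120169_uk_UA.exe TargetFilename=C:\Users\olena\AppData\Local\Temp\rmtpak.dll
EventID=7 Image=C:\Windows\System32\rundll32.exe ImageLoaded=C:\Users\olena\AppData\Local\Temp\rmtpak.dll
EventID=1 Image=C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe ParentImage=C:\Windows\explorer.exe
EventID=7 Image=C:\Windows\System32\svchost.exe ImageLoaded=C:\Windows\System32\kernel32.dll
"""


def parse_event(line: str) -> dict:
    """Parse one 'Key=Value Key2=Value2' line. Values may contain spaces
    (Windows paths), so each value runs until the next ' Key=' or end of line."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line.strip()))


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(event: dict) -> list:
    """Return the names of every rule the event matches (possibly several)."""
    hits = []
    # Stage 1: the fake "PDF Reader update" executable runs.
    if basename(event.get("Image", "")) == FAKE_INSTALLER:
        hits.append("fake_pdf_reader_installer_executed")
    # Stage 2: the RomCom DLL is written to disk by the installer.
    if basename(event.get("TargetFilename", "")) == DROPPED_DLL:
        hits.append("romcom_dll_written")
    # Stage 3: the DLL is mapped into a process (here via rundll32).
    if basename(event.get("ImageLoaded", "")) == DROPPED_DLL:
        hits.append("romcom_dll_loaded")
    return hits


def scan(log_text: str) -> list:
    """Scan a multi-line log export; return (line_number, rule_name) pairs."""
    alerts = []
    for lineno, line in enumerate(log_text.strip("\n").splitlines(), 1):
        if not line.strip():
            continue
        for hit in detect(parse_event(line)):
            alerts.append((lineno, hit))
    return alerts


if __name__ == "__main__":
    for lineno, rule in scan(SAMPLE_LOGS):
        print(f"line {lineno}: {rule}")
```

File names are the weakest kind of indicator: the operators can rename the installer or the DLL at any time, and the lure name is chosen to resemble Adobe's own installer naming, so do not turn this into an allowlist of "good" Adobe file names. The DLL write followed by an image load from a user-writable directory (as in the constructed lines 2 and 3) is the more durable signal; in production, correlate these hits with the download origin rather than alerting on the name alone.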
CERT-UA has attributed this campaign to a threat actor named UNC2596 (Tropical Scorpius), a group believed to be operating the Cuba ransomware.
According to BlackBerry's security team, which released its own technical report on the threat, the RomCom operators are also targeting IT companies, food brokers, and food manufacturers in the US, Brazil, and the Philippines, in addition to Ukraine.