Concise Cyber

RomCom Threat Group Targets US Firms Aiding Ukraine with Malware Campaign

The threat group known as RomCom, also identified as Tropical Scorpius or Void Rabisu, has been observed conducting a cyberattack campaign targeting organizations in the United States. According to a report from BlackBerry researchers, the targets included US-based firms providing aid to Ukraine as well as entities within the oil and gas sector.

This campaign is an extension of the group’s previous activities, which have included attacks against Ukrainian military and government bodies. The RomCom group is also known for its connections to the Cuba ransomware gang.

Attack Vector and Infection Chain

The attackers used phishing lures to distribute their malware, creating trojanized versions of legitimate software applications. The campaign utilized malicious installers for programs such as Advanced IP Scanner and pdfFiller, which were hosted on lookalike domains designed to deceive users. These domains closely mimicked the names of the authentic software providers.
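As an added example (not code from the article or from BlackBerry's report), the script below shows how a defender can hunt for the lookalike domains described above in DNS query logs. It normalizes query names against a small allowlist of genuine vendor domains and flags homoglyph swaps, near-miss spellings and brand names embedded in longer domains. The allowlist, the log format and every log line are constructed for illustration; the two vendor domains are assumed to be the genuine ones for the products named in the article and should be verified before use.

```python
"""Flag lookalike (typosquatted) domains in DNS query logs.

Added example, not from the article or BlackBerry's report. The allowlist and
the log lines below are constructed for illustration.
"""
import re

# Assumed allowlist of the genuine vendor domains for the two products named in
# the article. An analyst maintains this list from verified sources.
LEGIT_DOMAINS = {"advanced-ip-scanner.com", "pdffiller.com"}

# Single-character substitutions commonly seen in typosquatting.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Constructed log format: "<timestamp> client=<ip> qname=<name> qtype=<type>".
QNAME_RE = re.compile(r"client=(?P<client>\S+)\s+qname=(?P<qname>\S+)")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(fqdn: str) -> str:
    """Reduce a query name to its last two labels.

    Simplification: ignores multi-part public suffixes such as co.uk.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(label: str) -> str:
    """Collapse the tricks that make two names look alike to a human eye."""
    return label.translate(HOMOGLYPHS).replace("rn", "m").replace("-", "")


def classify(domain: str):
    """Return (registrable_domain, imitated_legit_domain, reason) if the domain
    imitates an allowlisted vendor domain, else None."""
    reg = registrable(domain)
    if reg in LEGIT_DOMAINS:
        return None
    name, _, _tld = reg.rpartition(".")
    cand = normalize(name)
    for legit in sorted(LEGIT_DOMAINS):
        lname, _, _ltld = legit.rpartition(".")
        ref = normalize(lname)
        if cand == ref:
            return (reg, legit, "homoglyph-or-tld-swap")
        # Tolerate one edit per ~8 characters of the genuine name.
        if levenshtein(cand, ref) <= max(1, len(ref) // 8):
            return (reg, legit, "near-miss-spelling")
        if ref in cand:
            return (reg, legit, "brand-embedded")
    return None


def scan_log(lines):
    """Parse log lines and return flagged (client, domain, imitated, reason) tuples."""
    hits = []
    for line in lines:
        m = QNAME_RE.search(line)
        if not m:
            continue
        verdict = classify(m["qname"])
        if verdict:
            reg, legit, reason = verdict
            hits.append((m["client"], reg, legit, reason))
    return hits


# Constructed sample log lines (not real traffic, not indicators from the report).
SAMPLE_LOG = [
    "2024-05-02T09:14:03Z client=10.0.4.21 qname=www.advanced-ip-scanner.com qtype=A",
    "2024-05-02T09:15:11Z client=10.0.4.21 qname=advanced-ip-scaner.com qtype=A",
    "2024-05-02T09:20:45Z client=10.0.7.9 qname=pdffil1er.com qtype=A",
    "2024-05-02T09:22:10Z client=10.0.7.9 qname=pdffiller-download.com qtype=A",
    "2024-05-02T09:25:00Z client=10.0.2.3 qname=example.com qtype=A",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("LOOKALIKE client=%s domain=%s imitates=%s reason=%s" % hit)
```

Run against the sample, the first line is the genuine vendor domain and passes, while the three imitations are flagged with the reason that caught them; a real deployment would feed this from the resolver's query log and extend the allowlist to every vendor whose software is permitted in the environment.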

The infection process began when a user downloaded and executed the malicious installer. This initial dropper then executed a loader, which was responsible for injecting the final RomCom backdoor payload into legitimate system processes. The malware targeted processes like svchost.exe or RuntimeBroker.exe for injection.
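The injection step above is where endpoint telemetry gives defenders a clear signal: a freshly downloaded installer has no legitimate reason to create a thread inside svchost.exe or RuntimeBroker.exe. The following added example (not code from the article or from BlackBerry) triages JSON records modelled on the field names of Sysmon Event ID 8 (CreateRemoteThread) and rates an event high when the target is one of the two processes the article names and the source binary does not live in a trusted directory. The trusted-directory list, the user-writable path hints and all sample events are constructed assumptions to be tuned per environment; the file names are placeholders, not indicators from the report.

```python
"""Triage remote-thread creation into sensitive Windows processes.

Added example, not code from the article or from BlackBerry. Events are
constructed JSON-lines records using the field names of Sysmon Event ID 8
(CreateRemoteThread); path lists below are assumptions to tune per environment.
"""
import json

# The two processes the article names as injection targets.
SENSITIVE_TARGETS = {"svchost.exe", "runtimebroker.exe"}

# Assumed: directories from which cross-process thread creation is expected
# (OS components, security products). A production rule also checks the signer.
TRUSTED_SOURCE_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Assumed path fragments that indicate a user-writable location (where a dropper lands).
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\", "\\programdata\\")


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(event: dict):
    """Return (severity, reason) for one CreateRemoteThread-style event, or None."""
    src = event.get("SourceImage", "").lower()
    tgt = event.get("TargetImage", "").lower()
    if not src or not tgt or src == tgt:
        return None
    src_trusted = src.startswith(TRUSTED_SOURCE_PREFIXES)
    src_user_writable = any(hint in src for hint in USER_WRITABLE_HINTS)
    tgt_sensitive = basename(tgt) in SENSITIVE_TARGETS
    if tgt_sensitive and not src_trusted:
        return ("high", "untrusted source created a thread in %s" % basename(tgt))
    if src_user_writable:
        return ("medium", "source binary runs from a user-writable path")
    return None


def triage(jsonl_lines):
    """Parse JSON-lines events and return [(severity, source, target, reason)]."""
    findings = []
    for line in jsonl_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        verdict = assess(ev)
        if verdict:
            severity, reason = verdict
            findings.append((severity, ev["SourceImage"], ev["TargetImage"], reason))
    return findings


# Constructed sample events; file names are placeholders, not indicators.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 8, "SourceImage": "C:\\Users\\alice\\Downloads\\ip_scanner_setup.exe",
                "SourceProcessId": 4312, "TargetImage": "C:\\Windows\\System32\\svchost.exe",
                "TargetProcessId": 1188, "StartAddress": "0x00007FF6A1B20000"}),
    json.dumps({"EventID": 8, "SourceImage": "C:\\Windows\\System32\\csrss.exe",
                "SourceProcessId": 612, "TargetImage": "C:\\Windows\\System32\\svchost.exe",
                "TargetProcessId": 1188, "StartAddress": "0x00007FFB2C4D1000"}),
    json.dumps({"EventID": 8, "SourceImage": "C:\\Users\\bob\\AppData\\Local\\Temp\\pdf_tool_setup.exe",
                "SourceProcessId": 5520, "TargetImage": "C:\\Windows\\System32\\RuntimeBroker.exe",
                "TargetProcessId": 3344, "StartAddress": "0x000001E4C0A00000"}),
    json.dumps({"EventID": 8, "SourceImage": "C:\\Users\\bob\\AppData\\Local\\Temp\\pdf_tool_setup.exe",
                "SourceProcessId": 5520, "TargetImage": "C:\\Windows\\System32\\notepad.exe",
                "TargetProcessId": 7001, "StartAddress": "0x000001E4C0A00000"}),
]

if __name__ == "__main__":
    for severity, src, tgt, reason in triage(SAMPLE_EVENTS):
        print("[%s] %s -> %s: %s" % (severity.upper(), src, tgt, reason))
```

Of the four sample events, the two installers writing into svchost.exe and RuntimeBroker.exe rate high, the thread created by csrss.exe from System32 is ignored, and the same installer reaching into notepad.exe still rates medium because it runs from a temp directory. The second tier matters in practice: an allowlist keyed only on the two process names would miss a variant that picks a different host process.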

Malware Payload Capabilities

Once deployed, the RomCom backdoor provides the attackers with several data exfiltration capabilities. The malware is designed to collect and transmit sensitive information from the compromised system. Its functions include the ability to take screenshots of the user’s desktop, retrieve a list of running processes, and list files and folders on the machine.

The backdoor communicates with a command-and-control (C2) server using a custom protocol over Transport Layer Security (TLS) to send the stolen data. This encrypted communication channel helps conceal the exfiltration activity from network monitoring tools.

Source: https://www.csoonline.com/article/4097944/romcom-tries-dropping-a-not-so-romantic-payload-on-ukraine-linked-us-firms.html