BlackBerry Research and Intelligence has revealed that a previously unknown RomCom RAT threat actor is now targeting Ukrainian military institutions, based on a series of images and video clips from the past two months as well as the recent attacks on Ukrainian government institutions.
BlackBerry’s first coverage of RomCom RAT was in December 2018, when two sets of images were published that showed attacks on Ukrainian institutions. At the time, it was unknown whether these attacks were connected to the RomCom RAT threat actor (we now know they are), and they pointed to a group (or individual) testing its infrastructure and capabilities with an eye toward mass distribution.
The attackers’ main goal appeared to be establishing a network of command-and-control servers through which they could manage their presence on victims’ devices and extract data such as contacts or screenshots. Some of the attackers’ command-and-control infrastructure was built on compromised devices that control the relevant domain names. This let the attackers avoid registering such domains directly (which could reveal their intent); in addition, these compromised hosts can be used to redirect traffic and DNS lookups to the attackers’ IP addresses, masking their true identities.
In April 2019, a set of RomCom RAT samples was added to the malware database; it was discovered on a network that also contained devices carrying other offensive threats. These RomCom samples share a major code overlap with five other RomCom RAT samples from December 2018, although there are some code differences from those earlier samples.