
New ResolverRAT Malware Targets Healthcare and Pharma Sectors Worldwide

 

A newly discovered remote access trojan (RAT), dubbed ResolverRAT, is being actively used in targeted cyberattacks against healthcare and pharmaceutical entities across various countries. Identified by cybersecurity researchers at Morphisec, the malware is delivered through phishing emails and uses in-memory execution tactics that allow it to bypass most traditional endpoint security solutions.

The attack campaign is tailored to different regions, with phishing messages crafted in native languages such as Czech, Italian, Turkish, Hindi, Portuguese, and Indonesian. These deceptive emails often reference legal or copyright-related issues to lure users into clicking malicious links. Victims unknowingly download a legitimate executable, hpreader.exe, which is manipulated through a technique called reflective DLL loading—executing the malicious code entirely in memory.

Morphisec researchers note that the attack leverages DLL side-loading: by placing a malicious DLL alongside a trusted but vulnerable application, the malware is executed when the genuine software is launched. Further, ResolverRAT exploits the .NET ‘ResourceResolve’ event to load malicious assemblies, avoiding typical flagged API calls.

“This resource resolver hijacking represents malware evolution at its finest – utilizing an overlooked .NET mechanism to operate entirely within managed memory, circumventing traditional security monitoring focused on Win32 API and file system operations,” wrote Morphisec’s Nadav Lorber in a blog.

ResolverRAT is equipped with multiple anti-analysis capabilities. It features a complex state machine that obfuscates its control flow and fingerprints system behaviors, making it difficult for sandboxes and debugging tools to detect or analyze.

To maintain persistence, the malware writes XOR-obfuscated keys into up to 20 Windows registry entries and replicates itself in directories such as Startup and LocalAppData. It connects to its command-and-control (C2) server at irregular intervals, further concealing its network activity from pattern-based detection tools.

The RAT handles commands using separate threads, which enables parallel task execution and reduces crash risks. For data exfiltration, it employs a chunked transfer method—splitting files larger than 1MB into smaller 16KB segments sent only when the socket is ready, a strategy that supports stealth and transfer recovery in poor network conditions.

ResolverRAT encrypts its payload with AES-256 in CBC mode via the .NET System.Security.Cryptography library. The keys and IVs are obfuscated and only decoded at runtime. Additionally, the payload is compressed using GZip and runs exclusively in memory to minimize detection risk.

While some of the phishing infrastructure resembles earlier Rhadamanthys and Lumma campaigns, Morphisec emphasized that the unique design of ResolverRAT's loader and payload warrants its classification as a new malware strain.

Triada Malware Embedded in Counterfeit Android Devices Poses Global Security Risk

 


Counterfeit Android smartphones have become markedly more common in recent years, and recent cybersecurity investigations have raised a new concern about them. These unauthorized replicas of popular mobile devices are widely circulated at attractively low prices and come pre-loaded with Triada, a sophisticated Android malware family, causing widespread confusion and fear.

Triada, a Remote Access Trojan (RAT) originally discovered in campaigns targeting financial and communication applications, gives attackers covert access to infected devices. It is designed to discreetly harvest sensitive user data such as login credentials, personal messages, and financial information.

Cybersecurity experts at Darktrace report that Triada employs evasion techniques to avoid detection by the threat intelligence community. In some cases, data is exfiltrated through command-and-control servers reached via algorithmically generated domain names, an approach that renders conventional threat monitoring and prevention tools ineffective.

A recent discovery has highlighted that malicious software embedded in the firmware of mobile devices, particularly those sourced from unknown or unreliable vendors, poses a growing cybersecurity threat. Because the malware is present before the user ever activates the device, the threat is far more serious. Experts recommend that consumers and businesses exercise greater caution when procuring mobile hardware, especially in markets where devices are distributed without government regulation.

Mobile threat defense systems must also become more sophisticated and capable of detecting deeply embedded malware. These findings underline the need for robust supply chain verification, effective endpoint security strategies, and greater awareness of the risks of counterfeit electronics. Kaspersky security experts have warned consumers against buying heavily discounted Android smartphones from unverified online platforms.

Reports indicate that more than 2,600 compromised devices, most of them already infected with the sophisticated mobile malware known as Triada, which has been found to be prevalent in Russia, have been delivered to unsuspecting users. According to Kaspersky's research, the latest variant of the Trojan is not merely installed as a malicious application but is incorporated into the device firmware.

The malware sits in Android's system framework layer, which allows it to infiltrate every process running on the system. This deep integration gives it access to the entire system while evading traditional detection tools, making it particularly difficult to identify or remove with conventional techniques. First identified in 2016, the Trojan gained notoriety for operating mainly in the volatile memory of an Android device, which makes it extremely difficult to detect, and its modular design lets it run on a variety of Android devices.

It has become more complex and stealthy over the years, and multiple instances have been documented of the malware being integrated into the firmware of budget Android smartphones sold through unauthorized, unreliable retailers. Its firmware-level embedding makes Triada a highly persistent threat: it cannot be removed with conventional removal techniques and requires a full ROM reset to eradicate.

According to Kaspersky's latest analysis, the most recent strain of Triada retains sophisticated evasion capabilities. To maintain continuous control and access, the malware burrows into the Android system framework and replicates itself across all active processes. Once activated, it executes a variety of malicious functions on compromised devices. Attackers can hijack users' social media credentials, manipulate WhatsApp and Telegram to send or delete messages under the user's identity, intercept or reroute calls using spoofed phone numbers, and more.

The malware can also make premium SMS payments on the attackers' behalf, monitor web activity, alter hyperlinks, and replace cryptocurrency wallet addresses during transactions. It is also capable of remotely installing other programs and disrupting network connectivity to bypass security measures or hinder forensic investigations, resulting in unauthorized financial losses.

According to Kaspersky's telemetry, this Triada variant has already diverted approximately $270,000 worth of cryptocurrency, though the full extent of the theft remains unclear because privacy-centric cryptocurrencies such as Monero are used in the operation. The exact infection vector is also still unclear, but researchers strongly believe that infection could have occurred during the manufacturing or distribution stages of the device.

It is increasingly clear that modified variants of Triada are turning up in Android-based devices other than smartphones, including tablets, TV boxes, and digital projectors. These infections have been linked to a broader fraudulent campaign known as BADBOX and are often the result of compromised hardware supply chains and unregulated third-party marketplaces, which give the malware its initial foothold on the user's device.

In 2017, Triada developed into a backdoor built into the Android framework, allowing threat actors to remotely install more malware on affected devices and exploit them for a range of malicious operations. Google's 2019 disclosure revealed that infection typically occurs during production, when original equipment manufacturers (OEMs) outsource custom features, such as facial recognition, to third parties.

In such cases, these external developers may modify entire system images, and they have been implicated in injecting malware such as Triada into the operating system. Google identified one such vendor, known as Yehuo or Blazefire, as a potential contributor to the spread of the malware.

Kaspersky's analysis of samples confirmed that the Trojan is integrated into the system framework, which lets it replicate across all processes on the device and carry out unauthorized actions such as credential theft, covert communications, manipulation of calls and SMS, link substitution, activation of premium services, and disruption of network connectivity. Triada is not an isolated example of supply chain malware: in 2018, Avast revealed that several Android devices from manufacturers such as ZTE and Archos came preloaded with adware called Cosiloon.

According to Kaspersky's ongoing investigation, the latest strain of Triada has been found to be embedded directly within the firmware of compromised Android devices, primarily in their system framework. With this strategic placement, the malware is able to integrate itself into all the active processes on the device, giving the attacker complete control over the entire system. 

In a recent article published by Kaspersky Security, cybersecurity specialist Dmitry Kalinin highlighted the persistent threat posed by the Triada malware family, describing it as one of the most intricate and persistent malware families targeting Android devices. Malware is often introduced to devices before they even reach the end user, probably through a compromised point in the manufacturing or supply chain, leaving retailers unaware that the devices they distribute are already infected.

The malware can perform a wide variety of harmful activities once it becomes active, including taking control of email accounts and social media accounts, sending fraudulent messages, stealing digital assets such as cryptocurrency, spying on users, and remotely installing malicious software to further harm their system. 

A growing number of experts advise consumers and vendors to be extremely cautious when sourcing devices, especially from unofficial or heavily discounted marketplaces and particularly when buying online, because malware this deeply integrated can lead to large-scale data compromise. Protecting users from deeply embedded, persistent threats like Triada requires stricter auditing of the supply chain and robust mobile threat defense solutions.

AsyncRAT Malware Exploits Bitbucket to Launch Multi-Stage Attack

 

G DATA Security Lab has discovered a sophisticated malware operation that used Bitbucket, a popular code hosting platform, to propagate AsyncRAT, a well-known remote access trojan. 

According to the study, the attackers employed a multi-stage assault strategy, exploiting Bitbucket to host and disseminate malware payloads while circumventing detection. 

The malware operators employed multiple layers of Base64 encoding to obfuscate the code and hide the true nature of the assault. “After peeling back those layers we were able to uncover the full story and key indicators of compromise (IOCs) we found while analyzing the AsyncRAT payload delivery,” the report explains. 

Bitbucket's trustworthy reputation as a software development platform has made it a popular target for attackers. The perpetrators employed Bitbucket repositories to host a variety of malicious payloads, including the AsyncRAT.

"Attackers have turned to Bitbucket, a popular code hosting platform, to host their malicious payloads," the researchers wrote, emphasising that this strategy gives "legitimacy" and "accessibility" for propagating the malware. 

Modus operandi

The attack starts with a phishing email that includes a malicious VBScript file called "01 DEMANDA LABORAL.vbs," which runs a PowerShell command. This initial stage obfuscates and delivers the payload via many levels of string manipulation and Base64 encoding. "The VBScript constructs and executes a PowerShell command, effectively transitioning the attack to the next stage," according to the report. 

The second stage involves the PowerShell script downloading a file from a Bitbucket repository. This file, named "dllhope.txt," contains a Base64-encoded payload that is decoded into a .NET-built file, disclosing the true nature of the AsyncRAT malware. 
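As an added illustration (not code from G DATA's report or from the campaign itself), the following Python helper peels nested Base64 layers of the kind described above and identifies the innermost payload by its magic bytes. The sample blob is constructed inline: a fake PE stub wrapped three times, with one UTF-16LE layer of the sort PowerShell's -EncodedCommand produces. The heuristics, function names and magic-byte table are my own assumptions.

```python
"""Peel nested Base64 layers from a captured stage and identify the innermost payload.

Added analysis helper, not code from G DATA or the AsyncRAT campaign.  The sample
input is constructed below so the script runs offline.
"""
import base64
import binascii
import re

# Only the Base64 alphabet plus optional padding; whitespace is stripped before matching.
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")

# Magic bytes an analyst expects at the end of a delivery chain (assumed table).
MAGICS = (
    (b"MZ", "PE executable (possible .NET assembly)"),
    (b"\x1f\x8b", "gzip stream"),
    (b"PK\x03\x04", "zip archive"),
)


def looks_like_base64(data: bytes) -> bool:
    """Cheap syntactic test: Base64 alphabet only and a length divisible by four."""
    stripped = b"".join(data.split())
    return len(stripped) >= 8 and len(stripped) % 4 == 0 and B64_RE.match(stripped) is not None


def _is_utf16le_text(data: bytes) -> bool:
    """PowerShell -EncodedCommand wraps UTF-16LE text: every odd byte of ASCII text is 0."""
    return (len(data) >= 4 and len(data) % 2 == 0
            and all(b == 0 for b in data[1::2])
            and all(b != 0 for b in data[0::2]))


def peel_base64(blob: bytes, max_layers: int = 10):
    """Decode Base64 repeatedly until the data stops looking like Base64.

    Returns (number_of_layers_removed, innermost_bytes).
    """
    current, layers = blob, 0
    while layers < max_layers and looks_like_base64(current):
        try:
            decoded = base64.b64decode(b"".join(current.split()), validate=True)
        except (binascii.Error, ValueError):
            break
        if _is_utf16le_text(decoded):
            # Normalise to ASCII so the next Base64 layer is recognisable.
            decoded = decoded.decode("utf-16-le").encode("ascii")
        current, layers = decoded, layers + 1
    return layers, current


def identify_payload(data: bytes) -> str:
    """Label the innermost layer by magic bytes, falling back to a text/binary guess."""
    for magic, label in MAGICS:
        if data.startswith(magic):
            return label
    try:
        data.decode("ascii")
        return "script or text"
    except UnicodeDecodeError:
        return "unknown binary"


def build_constructed_sample():
    """Build a demo chain: fake PE stub -> Base64 -> Base64 -> UTF-16LE -> Base64."""
    pe_stub = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"constructed-stub-not-a-real-binary"
    inner = base64.b64encode(pe_stub)
    middle = base64.b64encode(inner)
    outer = base64.b64encode(middle.decode("ascii").encode("utf-16-le"))
    return outer, pe_stub


def analyse(blob: bytes) -> dict:
    """Peel every layer and report how deep the wrapping went and what came out."""
    layers, payload = peel_base64(blob)
    return {"layers": layers, "kind": identify_payload(payload), "payload": payload}


if __name__ == "__main__":
    sample, _ = build_constructed_sample()
    result = analyse(sample)
    print(f"layers peeled: {result['layers']}, innermost: {result['kind']}")
```

The UTF-16LE normalisation is the step people most often forget: a layer produced by `-EncodedCommand` decodes to text with interleaved null bytes, which fails every Base64 check until it is converted back to ASCII. Stopping at `max_layers` also guards against a crafted blob that decodes to itself indefinitely.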

When successfully deployed, AsyncRAT gives attackers complete remote control over the infected system. "AsyncRAT provides attackers with extensive control over infected machines, enabling them to perform a wide range of malicious activities," according to G DATA's investigation. These actions include remote desktop control, file management, keylogging, access to webcams and microphones, and unauthorised command execution. 

The report also illustrates how attackers exploit anti-virtualization measures to evade detection in sandbox environments. "If the flag parameter contains '4,' the code checks for the presence of virtualisation tools like VMware or VirtualBox, likely to avoid analysis," indicated G DATA. Persistence is achieved through a variety of tactics, including Windows registry alterations and the establishment of startup shortcuts, which ensure the malware remains active even after the system reboots.

New Ransomware Threat: Hunters International Deploys SharpRhino RAT

 

In a troubling development for cybersecurity professionals, the Hunters International ransomware group has introduced a sophisticated new remote access trojan (RAT) called SharpRhino. This C#-based malware is specifically designed to target IT workers and breach corporate networks through a multi-stage attack process. The malware’s primary functions include achieving initial infection, elevating privileges on compromised systems, executing PowerShell commands, and ultimately deploying a ransomware payload. 

Recent findings from Quorum Cyber researchers reveal that SharpRhino is distributed via a malicious site masquerading as Angry IP Scanner, a legitimate networking tool widely used by IT professionals. The deceptive website uses typosquatting techniques to lure unsuspecting users into downloading the malware. This approach highlights a new tactic by Hunters International, aiming to exploit the trust IT workers place in well-known tools. The SharpRhino RAT operates through a digitally signed 32-bit installer named ‘ipscan-3.9.1-setup.exe.’ 

This installer contains a self-extracting, password-protected 7z archive filled with additional files necessary for the malware’s execution. Upon installation, SharpRhino modifies the Windows registry to ensure persistence on the compromised system and creates a shortcut to Microsoft.AnyKey.exe, which is normally a Microsoft Visual Studio binary but is abused here for malicious purposes. Additionally, the installer drops a file named ‘LogUpdate.bat,’ which executes PowerShell scripts to run the malware stealthily. To facilitate command and control (C2) operations, SharpRhino creates two directories: ‘C:\ProgramData\Microsoft: WindowsUpdater24’ and ‘LogUpdateWindows.’ 

These directories are used to manage communication between the malware and its operators. SharpRhino also includes hardcoded commands such as ‘delay’ to set the timer for the next POST request and ‘exit’ to terminate communication. This enables the malware to execute various dangerous actions, including launching PowerShell commands. For instance, Quorum Cyber researchers demonstrated the malware’s capability by launching the Windows calculator. Hunters International, which began operations in late 2023, has been associated with several high-profile ransomware attacks. Notable victims include U.S. Navy contractor Austal USA, Japanese optics giant Hoya, Integris Health, and the Fred Hutch Cancer Center. 

In 2024 alone, the group has claimed responsibility for 134 ransomware attacks, ranking it among the top ten most active ransomware operators globally. The deployment of SharpRhino through a fake website underscores Hunters International’s strategic focus on IT professionals, leveraging their reliance on familiar software to infiltrate corporate networks. To protect against such threats, users should exercise caution with search results and sponsored links, use ad blockers, and verify the authenticity of download sources. Implementing robust backup plans, network segmentation, and keeping software up-to-date are essential measures to mitigate the risk of ransomware attacks.

STR RAT: A Persistent Remote Access Trojan

 

The STR RAT is a remote access trojan (RAT) written in Java, first detected in 2020. Like other RATs, it allows threat actors full control of an infected machine. STR RAT is capable of keylogging, credential theft, and deploying additional malicious payloads. 

The malware is updated annually, aligning with its renewed use by threat actors. Cofense's analysis from January 2023 to April 2024 reveals that 60% of STR RAT samples are delivered directly via email rather than embedded links.

History of STR RAT

STR RAT resembles a seasonal flu, with yearly updates making it more prominent for short periods. Initially discovered on an antivirus forum in 2020, version 1.2 already featured keylogging, password theft, and backdoor access, along with a fake “.crimson” ransomware module that only renamed files. In 2021, Microsoft Threat Intelligence highlighted STR RAT in phishing campaigns. By 2022, it spoofed the Maersk shipping brand and employed a polyglot file technique, allowing execution as an MSI or Java file. In 2023, version 1.6 used Zelix KlassMaster and Allatori for code obfuscation. In 2024, STR RAT was uploaded to legitimate services like GitHub and AWS, making it harder to detect.

STR RAT steals passwords from Chrome, Firefox, Internet Explorer, and email clients like Outlook, Thunderbird, and Foxmail. Key commands include o-keylogger for logging keystrokes, down-n-exec for file execution, remote-screen for commandeering the computer, and power-shell for PowerShell access.

Current Usage and Impact

Though not as prevalent as other RATs like Remcos, STR RAT showed sustained activity from March to August 2023, likely due to the new version and polyglot file technique. In March 2024, significant activity was noted again, attributed to the use of legitimate services like GitHub and AWS for hosting and delivering the malware. STR RAT is typically delivered via email as an archive containing a .jar file, requiring a Java Runtime Environment (JRE) to execute. These archives may also contain necessary JRE binaries or download them from Maven and GitHub repositories.

Delivery Mechanisms

STR RAT's second most common delivery mechanism is loaders, which reach out to a payload location to download and run the malware. Jar Downloaders, CVE-2017-11882 exploits in Microsoft Office, and Windows Registry File downloaders are commonly used loaders. Additionally, embedded URLs in emails or attached PDFs often lead to the malware hosted on legitimate services like AWS, GitHub, and Discord’s CDN.

Unlike loaders, droppers contain the malware to be deployed. STR RAT's most common dropper is the JavaScript Dropper (JS Dropper), a .js file that executes natively on Windows. JS Droppers are usually attached to emails and contain both the dropper and STR RAT.

Behavior and Capabilities

Upon execution, STR RAT places files, creates persistence, and installs dependencies. It uses geolocator services to geo-fingerprint infected computers and sends system information to its command-and-control (C2) server. The malware also uses legitimate Java libraries for keylogging and database connectivity.

Detection and Hunting

Different versions of STR RAT leave various indicators of compromise (IOCs). After execution, STR RAT copies itself to multiple locations, creates a \lib\ folder with legitimate files, and generates a XXXXlock.file in the user's local home profile. The configuration can be observed through memory analysis, revealing the C2 server, port, and domain.

Persistence

STR RAT can create persistence through Registry Run Keys, Startup Folder entries, or Scheduled Tasks, ensuring the malware runs every time the user logs in. Endpoint detection and response software can monitor specific locations for signs of STR RAT persistence.
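The triage logic below is an added example of how the persistence and file-system indicators described in this section could be scored in an EDR or Autoruns-style export; it is not Cofense's code. The autorun records are constructed to mimic such an export, and the field names, path markers, weights and threshold are my assumptions to tune against real telemetry.

```python
"""Triage autorun entries for STR RAT-style Java persistence.

Added hunting helper, not Cofense's code.  The records below are constructed to
mimic what an EDR or Autoruns export would return; field names are assumptions.
"""
import re
from pathlib import PureWindowsPath

# Persistence sources named in the post; the labels are assumptions.
AUTORUN_SOURCES = {"RunKey", "StartupFolder", "ScheduledTask"}
JAVA_LAUNCHERS = {"java.exe", "javaw.exe"}
USER_PROFILE_MARKERS = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\")


def parse_command(command: str):
    """Split an autorun command line into (executable name, argument list)."""
    parts = [p.strip('"') for p in re.findall(r'"[^"]*"|\S+', command)]
    if not parts:
        return "", []
    return PureWindowsPath(parts[0]).name.lower(), parts[1:]


def score_entry(entry: dict):
    """Return (score, reasons) for one autorun record; one point per indicator."""
    reasons = []
    if entry["source"] not in AUTORUN_SOURCES:
        return 0, reasons
    exe, args = parse_command(entry["command"])
    if exe in JAVA_LAUNCHERS:
        reasons.append("java launcher registered for autorun")
        jar_args = [a for a in args if a.lower().endswith(".jar")]
        if jar_args:
            reasons.append("launches a .jar")
            if any(m in jar_args[0].lower() for m in USER_PROFILE_MARKERS):
                reasons.append("jar lives in a user profile path")
    # Artifacts the post describes: a lib folder of legitimate jars and a *lock.file
    for path in entry.get("created_files", []):
        low = path.lower()
        if low.endswith("lock.file"):
            reasons.append("lock.file artefact present")
        if "\\lib\\" in low:
            reasons.append("lib folder dropped beside payload")
    return len(reasons), reasons


def hunt(entries, threshold: int = 3):
    """Return entries at or above the threshold, highest score first."""
    hits = []
    for entry in entries:
        score, reasons = score_entry(entry)
        if score >= threshold:
            hits.append({"name": entry["name"], "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: -h["score"])


# Constructed sample export: one STR RAT-like entry, one benign app, one benign Java agent.
CONSTRUCTED_ENTRIES = [
    {"name": "Invoice", "source": "RunKey",
     "command": r'"C:\Program Files\Java\jre8\bin\javaw.exe" -jar "C:\Users\alice\AppData\Roaming\Invoice.jar"',
     "created_files": [r"C:\Users\alice\AppData\Roaming\lib\sqlite-jdbc.jar",
                       r"C:\Users\alice\AppData\Local\abcdlock.file"]},
    {"name": "OneDrive", "source": "RunKey",
     "command": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
     "created_files": []},
    {"name": "Jenkins agent", "source": "ScheduledTask",
     "command": r'"C:\Program Files\Java\jre8\bin\java.exe" -jar "C:\jenkins\agent.jar"',
     "created_files": []},
]

if __name__ == "__main__":
    for hit in hunt(CONSTRUCTED_ENTRIES):
        print(hit["name"], hit["score"], "; ".join(hit["reasons"]))
```

Scoring rather than matching a single indicator matters here: a build server legitimately runs `java.exe -jar` from a scheduled task, so a jar launched from a user profile path together with the lib folder and lock file is what should trip the alert, not Java persistence on its own.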

Network Traffic

STR RAT communicates with C2 servers using subdomains of free dynamic DNS services and legitimate services like GitHub and Maven. HTTP is used for C2 communications, though the port is not the standard tcp/80.

Legitimate Services

STR RAT reaches out to legitimate services for hosting tools and malware. Indicators of suspicious activity include access to GitHub and Maven repositories in conjunction with other malicious behaviors.
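To show how the network traits from the previous two sections (HTTP C2 on a non-standard port to a free dynamic DNS subdomain, plus Java fetching from GitHub or Maven) can be correlated per host, here is an added detection example in Python. It is not Cofense's code; the log lines are constructed in a simple pipe-delimited form, and the dynamic DNS suffix list, the staging-host list, the weights and the threshold are my assumptions.

```python
"""Score outbound connections for STR RAT-style C2 traits and correlate them per host.

Added detection logic, not Cofense's code.  Log lines are constructed in the form
ts|src_host|process|dst_host|dst_port|proto so the example runs offline.
"""
from collections import defaultdict

# A few widely used free dynamic DNS providers (assumption: extend from your telemetry).
DYN_DNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org", "dynu.net")
# Legitimate hosts the post says STR RAT pulls tooling and dependencies from.
STAGING_HOSTS = ("github.com", "raw.githubusercontent.com",
                 "repo1.maven.org", "repo.maven.apache.org")
JAVA_PROCESSES = {"java.exe", "javaw.exe"}
STANDARD_HTTP_PORTS = (80, 443)


def _under(host: str, suffixes) -> bool:
    """True when host equals a suffix or is a subdomain of it (not a lookalike)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def parse_line(line: str) -> dict:
    ts, src, proc, dst, port, proto = line.strip().split("|")
    return {"ts": ts, "src": src, "process": proc.lower(),
            "dst": dst.lower(), "port": int(port), "proto": proto.lower()}


def score_event(ev: dict):
    """Return (score, reasons) for a single connection record."""
    reasons = []
    if ev["proto"] == "http" and ev["port"] not in STANDARD_HTTP_PORTS:
        reasons.append(("http on non-standard port %d" % ev["port"], 2))
    if _under(ev["dst"], DYN_DNS_SUFFIXES):
        reasons.append(("free dynamic DNS destination", 2))
    if ev["process"] in JAVA_PROCESSES and _under(ev["dst"], STAGING_HOSTS):
        reasons.append(("java runtime fetching from GitHub/Maven", 1))
    return sum(w for _, w in reasons), [r for r, _ in reasons]


def hunt(lines, threshold: int = 3) -> dict:
    """Aggregate scores per source host.

    A host alerts only when its combined score reaches the threshold, so a developer
    box pulling Maven artefacts on its own stays quiet while a box that also beacons
    to a dynamic DNS name over HTTP on an odd port does not.
    """
    per_host = defaultdict(lambda: {"score": 0, "reasons": []})
    for line in lines:
        ev = parse_line(line)
        score, reasons = score_event(ev)
        per_host[ev["src"]]["score"] += score
        per_host[ev["src"]]["reasons"].extend(reasons)
    return {host: v for host, v in per_host.items() if v["score"] >= threshold}


# Constructed sample log (timestamps, hostnames and the beacon domain are invented).
CONSTRUCTED_LOG = [
    "2024-03-12T09:14:02|WS-ALICE|javaw.exe|repo1.maven.org|443|https",
    "2024-03-12T09:14:05|WS-ALICE|javaw.exe|raw.githubusercontent.com|443|https",
    "2024-03-12T09:14:09|WS-ALICE|javaw.exe|upd-srv.duckdns.org|1780|http",
    "2024-03-12T09:20:11|WS-BOB|chrome.exe|github.com|443|https",
    "2024-03-12T09:21:30|DEV-CAROL|java.exe|repo1.maven.org|443|https",
]

if __name__ == "__main__":
    for host, info in hunt(CONSTRUCTED_LOG).items():
        print(host, info["score"], "; ".join(info["reasons"]))
```

The suffix check deliberately requires a dot boundary, so `notduckdns.org` does not match `duckdns.org`; the same care applies to the GitHub and Maven list, since the point is to flag the Java runtime talking to those services alongside other indicators, not to alert on every developer fetching a dependency.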

By understanding STR RAT's history, capabilities, and delivery mechanisms, cybersecurity professionals can better detect and defend against this persistent threat.

North Korean Scammers Lure Developers with Fake Job Offers




A new cyber scam, dubbed "Dev Popper," is preying on software developers through fake job interviews. This elaborate ruse, masquerading as genuine employment opportunities, aims to infiltrate the victim's computer with a harmful Python backdoor, posing serious cyber threats.


How The Scam Operates?

In the multi-stage infection process employed by the "Dev Popper" cyber scam, the attackers orchestrate a sophisticated chain of events to deceive their targets gradually. It commences with the perpetrators posing as prospective employers, initiating contact with unsuspecting developers under the guise of offering job positions. As the sham interview progresses, candidates are coerced into executing seemingly innocuous tasks, such as downloading and executing code from a GitHub repository, all purportedly part of the standard coding assessment. However, unbeknownst to the victim, the innocuous-seeming code harbours hidden threats. These tasks, disguised as routine coding tests, are actually devised to exploit the developer's trust and gain unauthorised access to their system.


The Complex Attack Chain

Once the developer executes the provided code, a concealed JavaScript file springs into action. This file, leveraging commands, fetches another file from an external server. Within this file is a malicious Python script, ingeniously disguised as a legitimate component of the interview process. Once activated, the Python script surreptitiously collects vital system information and relays it back to the attackers. This multi-faceted approach, blending social engineering with technical deception, underscores the sophistication and danger posed by modern cyber threats.


Capabilities of the Python Backdoor

The Python backdoor, functioning as a Remote Access Trojan (RAT), boasts an array of intrusive capabilities. These include establishing persistent connections for continuous control, stealing files, executing commands remotely, and even secretly monitoring user activity by logging keystrokes and clipboard data.


The Rising Threat 

While the orchestrators behind "Dev Popper" remain elusive, the proliferation of fake job offers as a means for malware distribution is a growing concern. Exploiting the developer's reliance on job applications, this deceitful tactic once again forces us to realise the need for heightened vigilance among unsuspecting individuals.


How To Protect Yourself?

To mitigate the risk of falling victim to such cyber threats, it is imperative for developers and individuals to exercise caution and maintain awareness. When encountering job offers or unfamiliar requests for software-related tasks, verifying the legitimacy of the source and adopting a sceptical stance are crucial measures. 


This Linux-Targeting Malware is Becoming Even More Potent


A trojan software has been added to the capabilities of a cryptomining malware campaign that targets Linux-based devices and cloud computing instances, potentially making attacks more severe. 

This cryptomining campaign, as described by cybersecurity experts at Trend Micro, uses Linux computers' processing power, in order to sneakily compromise Linux servers and mine for Monero. 

Cryptomining attacks are frequently distributed by utilizing common cybersecurity flaws or by being concealed inside cracked software downloads. 

One compromised system is unlikely to generate much profit from cryptomining malware, but attackers infect a vast network of compromised servers and computers to produce as much cryptocurrency as possible, with the related energy bill being unknowingly carried by the victim. 

Because the affected user is unlikely to notice the decrease in system performance unless the machine is pushed to its limit, the attacks usually go unnoticed. Large networks of infected systems can thus generate a consistent income for threat actors, which is why this method has become a prevalent form of malware. 

Remote Access Trojan (RAT) 

What makes this cryptojacking campaign stand out from other cyberthreat campaigns is that its attacks include a remote access trojan (RAT). Chaos RAT, a free and open-source trojan, allows threat actors to take control of any operating system. 

The RAT is downloaded together with the XMRig miner, which threat actors use to mine cryptocurrency, and a shell script that eliminates competing miners previously set up on the system. 

Chaos RAT has a variety of potent functions, like the ability to download, upload and delete files, take screenshots, access file explorer, as well as open URLs. 

In a blog post, Trend Micro researchers David Fisher and Oliveira stated, “On the surface, the incorporation of a RAT into the infection routine of a cryptocurrency mining malware might seem relatively minor […] However, given the tool's array of functions and the fact that this evolution shows that cloud-based threat actors are still evolving their campaigns, it is important that both organizations and individuals stay extra vigilant when it comes to security.” 

To secure networks and cloud services against cryptomining malware and numerous other cyberattacks, organizations are advised to follow general cybersecurity best practices, such as timely patching and updating of software and applications, to reduce the risk of vulnerabilities in outdated versions being exploited.

Hackers Using Malicious Versions of Popular Software Brands to Propagate RomCom RAT

 

The RomCom RAT (remote access trojan) hacker has launched a new campaign impersonating the official websites of popular software brands SolarWinds, KeePass, and PDF Technologies to propagate malware. 

Researchers from BlackBerry uncovered the malicious campaign while analyzing network artifacts linked with RomComRAT infections resulting from attacks targeting Ukrainian military institutions and some English-speaking nations including the United Kingdom. 

According to Mike Parkin, senior technical engineer at Vulcan Cyber, given the targets and the nature of the attack, there's more than just a cybercriminal motivation in play. It's quite likely there’s state-level planning behind the scenes. 

"At its core, though, this is an attack against human targets,” Parkin said. “They are primarily relying on victims being socially engineered through email to go to a malicious site disguised as a legitimate one. That makes the users the first line of defense, as well as the primary attack surface.” 

The RomCom hacker registered malicious domains resembling the legitimate ones and installed clone websites on them. The threat actor then trojanized a legitimate application, distributed it via the decoy website, and sent targeted phishing emails to the victims. In some cases, the attackers used additional infection vectors. 

The malicious campaign seems like a direct copycat of some attacks we examined during the pandemic where we witnessed a number of vendor products and support tools being impersonated or "wrapped" with malware, stated Andrew Barratt, vice president at Coalfire. 

“The wrapping means that the underlying legitimate tool is still deployed, but as part of that deployment some malware is dropped into the target environment,” Barratt explained. “Major APTs like FIN7 have used these tactics in the past. Leveraging well-known brands that they have probably identified are in use gives an intruder a high possibility of a positive response by a user they mislead.” 

Earlier this year in August, Palo Alto Networks’ Unit 42 linked the RomCom RAT with an affiliate of the Cuba Ransomware named 'Tropical Scorpius,' as this was the first actor to employ the malware with features like ICMP-based communications, commands for file manipulation, process hatching and spoofing, data exfiltration, and activating a reverse shell.

However, the BlackBerry researchers said that there was no evidence for that assumption, and its report mentions Cuba Ransomware and Industrial Spy as possibly related to RomCom RAT. Hence, it remains unclear who is behind RomCom RAT or what are the motives behind the attacks.