If you stumble upon a Google ad promoting a website where you could download well-known, or made-up software, be very careful, as it very well might just be a malvertising campaign.
RomCom is a backdoor malware that can do all sorts of nasties: running cmd.exe, dropping more malicious payloads on the target endpoint, exfiltrating data from compromised devices, running AnyDesk in a hidden window, compressing folders and sending them to attacker-owned servers, and setting up a proxy via SSH.
Furthermore, RomCom can grab screenshots from the compromised computer, steal cookies from popular browsers, and steal cryptocurrency wallet data, chat messages, login credentials, and passwords.
Recently, cybersecurity researchers from Trend Micro discovered a new malvertising campaign pushing RomCom to unsuspecting victims. The threat actors created a number of fake websites for legitimate software such as Gimp, Go To Meeting, ChatGPT, WinDirStat, AstraChat, System Ninja, Devolutions’ Remote Desktop Manager, and others.
Targets in Eastern Europe
Then, they would buy advertising space via Google’s ad network to promote the websites. Google ads aside, the attackers have also reportedly engaged in “highly targeted” phishing attacks, going after victims in Eastern Europe.
While the websites offer various software for download, in reality the victims are getting MSI installers trojanized with a malicious DLL file called InstallA.dll. This file drops three more DLLs onto the target device, which communicate with the C2 server and receive further instructions.
The researchers also explained that the attackers started using the VMProtect software protector to evade antivirus programs. They also encrypt the payload. Furthermore, the software appears to be signed by legitimate companies allegedly based in North America. However, these companies’ websites are “filled with fake or plagiarized content”, BleepingComputer has found.
RomCom’s goals vary from campaign to campaign, the publication further states, claiming that the group was seen engaging in both ransomware and espionage.
“Whatever the case, it is a versatile threat that can cause significant damage,” the report concludes.