Cybersecurity researchers have make clear a Russian-speaking cyber espionage group known as Nebulous Mantis that has deployed a distant entry trojan known as RomCom RAT since mid-2022.
RomCom “employs superior evasion strategies, together with living-off-the-land (LOTL) techniques and encrypted command and management (C2) communications, whereas constantly evolving its infrastructure – leveraging bulletproof internet hosting to take care of persistence and evade detection,” Swiss cybersecurity firm PRODAFT said in a report shared with The Hacker Information.
Nebulous Mantis, additionally tracked by the cybersecurity neighborhood below the names CIGAR, Cuba, Storm-0978, Tropical Scorpius, UNC2596, and Void Rabisu, is thought to focus on essential infrastructure, authorities businesses, political leaders, and NATO-related protection organizations.
Assault chains mounted by the group sometimes contain using spear-phishing emails with weaponized doc hyperlinks to distribute RomCom RAT. The domains and command-and-control (C2) servers utilized in these campaigns have been hosted on bulletproof internet hosting (BPH) providers like LuxHost and Aeza. The infrastructure is managed and procured by a menace actor named LARVA-290.
The menace actor is assessed to be energetic since at the least mid-2019, with earlier iterations of the marketing campaign delivering a malware loader codenamed Hancitor.
The primary-stage RomCom DLL is designed to hook up with a C2 server and obtain further payloads utilizing the InterPlanetary File System (IPFS) hosted on attacker-controlled domains, execute instructions on the contaminated host, and execute the final-stage C++ malware.
The ultimate variant additionally establishes communications with the C2 server to run instructions, in addition to obtain and execute extra modules that may steal internet browser information.
“The menace actor executes tzutil command to determine the system’s configured time zone,” PRODAFT stated. “This technique data discovery reveals geographic and operational context that can be utilized to align assault actions with sufferer working hours or to evade sure time-based safety controls.”
RomCom, moreover manipulating Home windows Registry to arrange persistence utilizing COM hijacking, is provided to reap credentials, carry out system reconnaissance, enumerate Lively Listing, conduct lateral motion, and accumulate information of curiosity, together with recordsdata, credentials, configuration particulars, and Microsoft Outlook backups.
RomCom variants and victims are managed by the use of a devoted C2 panel, permitting the operators to view gadget particulars and situation over 40 instructions remotely to hold out a wide range of data-gathering duties.
“Nebulous Mantis operates as a classy menace group using a multi-phase intrusion methodology to realize preliminary entry, execution, persistence, and information exfiltration,” the corporate stated.
“All through the assault lifecycle, Nebulous Mantis displays operational self-discipline in minimizing their footprint, rigorously balancing aggressive intelligence assortment with stealth necessities, suggesting both state-sponsored backing or skilled cybercriminal group with important assets.”
The disclosure comes weeks after PRODAFT uncovered a ransomware group named Ruthless Mantis (aka PTI-288) that focuses on double extortion by collaborating with affiliate packages, corresponding to Ragnar Locker, INC Ransom, and others.
Led by a menace actor dubbed LARVA-127, the financially motivated menace actor makes use of an array of authentic and customized instruments to facilitate every section of the assault cycle: discovery, persistence, privilege escalation, protection evasion, credential harvesting, lateral motion, and C2 frameworks like Brute Ratel c4 and Ragnar Loader.
“Though Ruthless Mantis consists of extremely skilled core members, in addition they actively combine newcomers to repeatedly improve the effectiveness and velocity of their operations,” it said.
“Ruthless Mantis has considerably expanded its arsenal of instruments and strategies, offering them with state-of-the-art assets to streamline processes and increase operational effectivity.”
Source link