Numerous fraudulent websites masquerading as download sites for legitimate software, including ChatGPT, Gimp, AstraChat, and Go To Meeting, have been used in a new RomCom malware campaign by Cuba ransomware affiliate Void Rabisu, also known as Tropical Scorpius, from December 2022 to April 2023. The campaign mostly targeted Eastern Europe, according to BleepingComputer.
Attackers have been using Google ads and phishing emails to redirect clicks to the spoofed sites, where MSI installers with the malicious "InstallA.dll" file could be downloaded, a Trend Micro report showed.
That DLL in turn extracts three further DLLs into the "%PUBLIC%\Libraries" folder, and these handle the command-and-control functions. Further investigation revealed that more than 20 malicious commands have been added to the latest version of the RomCom malware, bringing the total number of commands to 42; some of them download additional stealer components.
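The dropper behaviour above (DLLs written into the Public user's Libraries folder by an installer) is the kind of thing a file-creation telemetry rule can catch. The following is an added detection example written for this article, not code from Trend Micro, BleepingComputer or the RomCom analysis. It assumes events shaped like Sysmon FileCreate records with `Image` and `TargetFilename` fields, assumes the default `C:\Users\Public` location for `%PUBLIC%`, and runs over constructed sample events rather than real telemetry; the DLL file names in the samples are made up.

```python
r"""Flag DLL files created under %PUBLIC%\Libraries in file-creation events.

Added example for the RomCom dropper behaviour described above; not code from
the cited report. Assumes Sysmon-style FileCreate events exported as dicts with
'Image' and 'TargetFilename' keys. All sample data below is constructed.
"""
import ntpath
from typing import Iterable

# Assumption: %PUBLIC% resolves to the default profile location on Windows.
PUBLIC_DEFAULT = r"C:\Users\Public"
# Folder the article names as the drop location for the three C2 DLLs.
WATCHED_DIR = PUBLIC_DEFAULT + r"\Libraries"

# Constructed sample events (hypothetical file names, not real indicators).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Users\Public\Libraries\sample1.dll"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Users\Public\Libraries\settings.ini"},
    {"Image": r"C:\Program Files\Editor\editor.exe",
     "TargetFilename": r"C:\Users\Alice\Documents\notes.txt"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "TargetFilename": r"c:\users\public\libraries\SUB\sample2.DLL"},
]


def expand_public(path: str) -> str:
    """Expand a literal %PUBLIC% prefix so logged and literal forms compare equal."""
    if path.upper().startswith("%PUBLIC%"):
        return PUBLIC_DEFAULT + path[len("%PUBLIC%"):]
    return path


def is_dll_in_public_libraries(path: str) -> bool:
    """True when path names a .dll anywhere under the watched folder.

    Case and separator differences are normalised with ntpath so the check is
    stable regardless of how the sensor formatted the path.
    """
    norm = ntpath.normcase(ntpath.normpath(expand_public(path)))
    watched = ntpath.normcase(ntpath.normpath(WATCHED_DIR))
    inside = norm.startswith(watched + "\\")  # prefix match on a directory boundary
    return inside and norm.endswith(".dll")


def flag_dll_drops(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (Image, TargetFilename) for every DLL created in the watched folder."""
    hits = []
    for ev in events:
        target = ev.get("TargetFilename", "")
        if is_dll_in_public_libraries(target):
            hits.append((ev.get("Image", ""), target))
    return hits


if __name__ == "__main__":
    for image, target in flag_dll_drops(SAMPLE_EVENTS):
        print(f"ALERT dll-drop-public-libraries image={image} file={target}")
```

The directory-boundary check (`watched + "\\"`) matters: a plain `startswith` on the folder name would also match a sibling such as `LibrariesBackup`, and matching only the top level would miss a DLL one subfolder down. Tune the writer process (`Image`) allow-list to your environment; installer activity into that folder is the signal this article points at, not msiexec in general.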
RomCom's evasion capabilities were also noted to have improved, through the use of the VMProtect software, updated encryption techniques, and the use of null bytes in C2 communications.