Ukrainian military targeted with RomCom RAT in new spear-phishing campaign

Ukrainian military entities are being targeted by a spear-phishing campaign spreading the RomCom remote access trojan since Oct. 21, The Hacker News reports. While the unknown threat actor behind RomCom RAT previously impersonated the Advanced IP Scanner app, the latest campaign involved spoofing the pdfFiller app to spread the trojan malware, according to a BlackBerry report. Phishing emails sent to the Ukrainian military included an embedded link, which redirects to a phony site to facilitate next-stage downloader deployment. Such a downloader was found to have the same signer as the legitimate pdfFiller version. U.S.-, Brazil-, and Philippines-based IT firms, food manufacturers, and food brokers were also targeted by the campaign. "This campaign is a good example of the blurred line between cybercrime-motivated threat actors and targeted attack threat actors. In the past, both groups acted independently, relying on different tooling. Today, targeted attack threat actors rely more on traditional tooling, making attribution harder," said BlackBerry researcher Dmitry Bestuzhev.