The threat actors behind RomCom RAT are leveraging a network of fake websites advertising rogue versions of popular software at least since July 2022 to infiltrate targets.
Cybersecurity firm Trend Micro is tracking the activity cluster under the name Void Rabisu, which is also known as Tropical Scorpius (Unit 42) and UNC2596 (Mandiant).
“These lure sites are most likely only meant for a small number of targets, thus making discovery and analysis more difficult,” security researchers Feike Hacquebord, Stephen Hilt, Fernando Merces, and Lord Alfred Remorin said.
Some of the impersonated apps spotted so far include AstraChat, Devolutions’ Remote Desktop Manager, Gimp, GoTo Meeting, KeePass, OpenAI ChatGPT, Signal, Veeam Backup & Replication, and WinDirStat.
RomCom RAT was first chronicled by Palo Alto Networks Unit 42 in August 2022, linking it to a financially motivated group deploying Cuba Ransomware (aka COLDDRAW). It’s worth noting that there is no evidence to suggest that the ransomware gang has any connection or affiliation with the Republic of Cuba.
images from Hacker News