A glance at the recent campaign
- The fake site was linked to a malicious OneDrive folder through the “Videos & Photos” button.
- This folder contained two compressed files and a malware downloader named “Unpublished Pictures.”
- While the two compressed files redirected visitors to the original photos from the event, the malware downloader was an executable file signed by Elbor LLC so that it would look legitimate.
- When executed, the malware downloader extracted 56 pictures collected randomly by threat actors from individual posts on various social media platforms.
- While the victim is distracted by the pictures, the downloader sends an HTTP GET request to download further malware payloads.
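The decoy-then-download sequence above (a signed executable drops a batch of images, then makes an outbound HTTP request) is a behaviour an endpoint detection rule can key on. The following is an added example, not code from Trend Micro's report: it runs a simple correlation over constructed, Sysmon-like events whose field names (`type`, `pid`, `image`, `signer`, `path`, `dest`) are assumed, and uses the signer name from the report only to raise a finding's score, not as the sole trigger.

```python
"""Correlate 'many image files written, then outbound connection' per process."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (hypothetical field names, not real Sysmon schema).
SAMPLE_EVENTS = [
    {"ts": "2023-05-01T10:00:00", "type": "ProcessCreate", "pid": 4242,
     "image": "C:\\Users\\u\\Downloads\\Unpublished Pictures.exe", "signer": "Elbor LLC"},
] + [
    {"ts": f"2023-05-01T10:00:{i:02d}", "type": "FileCreate", "pid": 4242,
     "path": f"C:\\Users\\u\\AppData\\Local\\Temp\\pic{i}.jpg"} for i in range(12)
] + [
    {"ts": "2023-05-01T10:00:30", "type": "NetworkConnect", "pid": 4242,
     "dest": "203.0.113.10", "port": 80},   # TEST-NET address, constructed
]

IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")
SUSPICIOUS_SIGNERS = {"elbor llc"}  # signer named in the report; extend as needed


def find_decoy_then_download(events, min_images=10, window=timedelta(minutes=5)):
    """Return findings for processes that wrote >= min_images image files and
    then opened an outbound connection within `window` of process start.
    A known-suspicious code signer adds to the score but is not required."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e)
    findings = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["ts"])
        proc = next((e for e in evs if e["type"] == "ProcessCreate"), None)
        if proc is None:
            continue
        start = datetime.fromisoformat(proc["ts"])
        images = [e for e in evs if e["type"] == "FileCreate"
                  and e["path"].lower().endswith(IMAGE_EXT)]
        if len(images) < min_images:
            continue
        last_image = max(datetime.fromisoformat(e["ts"]) for e in images)
        net = [e for e in evs if e["type"] == "NetworkConnect"
               and datetime.fromisoformat(e["ts"]) >= last_image
               and datetime.fromisoformat(e["ts"]) - start <= window]
        if not net:
            continue  # decoy images without a follow-up connection: not this pattern
        score = 1 + (proc.get("signer", "").lower() in SUSPICIOUS_SIGNERS)
        findings.append({"pid": pid, "image": proc["image"], "images": len(images),
                         "dest": net[0]["dest"], "score": score})
    return findings
```

Thresholds such as `min_images` and `window` should be tuned against the environment's baseline, since image editors and sync clients also write many pictures in a short time.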
About RomCom 4.0
According to researchers, the latest variant has undergone some significant changes in its architecture, making it lighter and stealthier.
- Unlike the previous variant that included 42 commands, RomCom 4.0 supports only 10 commands to perform a wide range of malicious activities on victims’ systems.
- Furthermore, it incorporates new features related to TLS 1.2 to provide secure communication with the C2 server.
Note that the threat actors are still developing the malware, adding new modules to the core component as needed to expand their targets. These additional modules can make the backdoor harder for security experts to detect. Organizations are advised to stay protected by keeping up with RomCom attack trends and making use of the IoCs shared by Trend Micro.