Cybersecurity researchers are shedding light on a Russian-speaking cyberspy group called Nebulus Mantis, who has deployed a remote access trojan horse called Romcomrat since mid-2022.
ROMCOM “also employs advanced evasion techniques, including Living-The-Alland (LOTL) tactics and encrypted command and control (C2) communications, but will continue to evolve its infrastructure.
Tracked by the cybersecurity community under the name Cigar, Cuba, Storm-0978, Tropical Scorpius, UNC2596, and void rabisu, the ambiguous mantis is known to target critical infrastructure, government agencies, political leaders and NATO-related defence organizations.
Attack chains attached to the group usually include the use of spear phishing emails using weaponized document links to distribute Romcom rats. The domains and command and control (C2) servers used in these campaigns are hosted on BulletProof Hosting (BPH) services such as Luxhost and Aeza. The infrastructure is managed and procured by a threat actor named Larva-290.
Threat actors have been rated active since at least mid-2019, and previous iterations of the campaign have been given the codename Hancitor by the malware loader.
The one-stage ROMCOM DLL is designed to connect to a C2 server, download additional payloads using an interplanetary file system (IPFS) hosted in an attacker-controlled domain, execute commands on the infected host, and run the final stage C++ malware.
The final variant will establish communication with the C2 server and run commands, download and run more modules that can steal web browser data.
“Threat actors run the Tzutil command to identify the configured time zone of the system,” Prodaft said. “This discovery of system information reveals the geographic and operational context that can be used to align attack activity with the victim’s working hours or to circumvent certain time-based security controls.”
In addition to working with Windows Registry to set up persistence using Com Hijacking, ROMCOM is equipped to collect entitlements, perform system reconnaissance, enumerate active directories, make horizontal movements, and collect data of interest, including files, credentials, configuration details, and Microsoft Outlook backups.
The Romcom variants and victims are managed by a dedicated C2 panel, allowing operators to view device details and remotely issue over 40 commands to perform a variety of data collection tasks.
“The ambiguous Mantis acts as a sophisticated threat group employing a multiphase intrusion methodology, gaining initial access, execution, persistence and data removal,” the company said.
“Through the attack lifecycle, ambiguous mantis minimizes footprint, carefully balanced offensive intelligence collections and stealth requirements, suggesting key resources for state-sponsored backing or professional cybercrime organisations.”
The disclosure comes weeks after Prodaft exposed a ransomware group named Ruthless Mantis (aka PTI-288), and specializes in double horror by collaborating with affiliate programs such as Ragnar Locker and Inc Ransom.
The financially motivated threat actor, led by a threat actor called the Larva-127, utilizes a set of legal and custom tools to promote every stage of the attack cycle: discovery, persistence, privilege escalation, authority harvesting, lateral movement, C2 frameworks like Blue Tratel C4, Ragnar Loader.
“The ruthless Mantis is made up of experienced core members, but will actively integrate newcomers to continuously improve the effectiveness and speed of the business.”
“The ruthless Mantis offers cutting-edge resources to significantly expand the weapons of tools and methods, streamline processes and increase operational efficiency.”
Source link
