Nebulous Mantis Targets NATO-Linked Entities with Multi-Stage Malware Attacks



Apr 30, 2025 | Ravie Lakshmanan | Threat Intelligence / Malware

Cybersecurity researchers have shed light on a Russian-speaking cyber espionage group known as Nebulous Mantis that has deployed a remote access trojan called RomCom RAT since mid-2022.

RomCom "employs advanced evasion techniques, including living-off-the-land (LOTL) tactics and encrypted command and control (C2) communications, while continuously evolving its infrastructure – leveraging bulletproof hosting to maintain persistence and evade detection," Swiss cybersecurity company PRODAFT said in a report shared with The Hacker News.

Nebulous Mantis, also tracked by the cybersecurity community under the names CIGAR, Cuba, Storm-0978, Tropical Scorpius, UNC2596, and Void Rabisu, is known to target critical infrastructure, government agencies, political leaders, and NATO-related defense organizations.


Attack chains mounted by the group typically involve the use of spear-phishing emails with weaponized document links to distribute RomCom RAT. The domains and command-and-control (C2) servers used in these campaigns have been hosted on bulletproof hosting (BPH) services like LuxHost and Aeza. The infrastructure is managed and procured by a threat actor named LARVA-290.

The threat actor is assessed to have been active since at least mid-2019, with earlier iterations of the campaign delivering a malware loader codenamed Hancitor.

The first-stage RomCom DLL is designed to connect to a C2 server and download additional payloads using the InterPlanetary File System (IPFS) hosted on attacker-controlled domains, execute commands on the infected host, and execute the final-stage C++ malware.

The final variant also establishes communications with the C2 server to run commands, as well as download and execute additional modules that can steal web browser data.

"The threat actor executes the tzutil command to identify the system's configured time zone," PRODAFT said. "This system information discovery reveals geographic and operational context that can be used to align attack activities with victim working hours or to evade certain time-based security controls."

RomCom, in addition to manipulating the Windows Registry to set up persistence using COM hijacking, is equipped to harvest credentials, perform system reconnaissance, enumerate Active Directory, conduct lateral movement, and collect data of interest, including files, credentials, configuration details, and Microsoft Outlook backups.

RomCom variants and victims are managed via a dedicated C2 panel, allowing the operators to view system details and issue over 40 commands remotely to carry out a variety of data-gathering tasks.

"Nebulous Mantis operates as a sophisticated threat group employing a multi-phase intrusion methodology to achieve initial access, execution, persistence, and data exfiltration," the company said.
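The two host behaviours singled out above, tzutil-based time-zone discovery and COM hijacking persistence through the registry, both leave telemetry a defender can key on. The following detection sketch is an added example and is not PRODAFT's or The Hacker News' code. It assumes a simplified event shape loosely modelled on Sysmon (EventID 1 for process creation, EventID 13 for registry value set, per-user keys logged under `HKU\<SID>`); the field names, the sample events, the GUIDs and the "user-writable path" heuristic are all constructed for this example. Because `tzutil /g` is run by plenty of legitimate software, the rule keys on the parent process living in a user-writable directory rather than on tzutil alone; the COM rule fires only when a per-user `CLSID\{...}\InprocServer32` value points at a DLL in a user-writable location, which is the shadowing of the machine-wide CLSID entry that COM hijacking relies on.

```python
import re

# Constructed sample telemetry in a simplified Sysmon-like shape (EventID 1 =
# process creation, EventID 13 = registry value set). All field values,
# paths, SIDs and GUIDs are made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\tzutil.exe",
     "CommandLine": "tzutil /g",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\tzutil.exe",
     "CommandLine": 'tzutil /s "Pacific Standard Time"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetObject": (r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID"
                      r"\{11111111-2222-3333-4444-555555555555}\InprocServer32\(Default)"),
     "Details": r"C:\Users\alice\AppData\Roaming\svc.dll"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": (r"HKLM\SOFTWARE\Classes\CLSID"
                      r"\{66666666-7777-8888-9999-000000000000}\InprocServer32\(Default)"),
     "Details": r"C:\Program Files\Vendor\vendor.dll"},
]

# Locations an unprivileged user can write to (assumed heuristic): a parent
# binary launched from here, or a DLL registered from here, deserves more
# scrutiny than one under Windows or Program Files.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\|\\Temp\\|\\ProgramData\\",
    re.IGNORECASE,
)

# Per-user COM server registration: HKCU (logged by Sysmon as HKU\<SID>)
# \Software\Classes\CLSID\{GUID}\InprocServer32. A value here takes precedence
# over the HKLM entry for the same CLSID, which is what COM hijacking abuses.
PER_USER_CLSID_SERVER = re.compile(
    r"^(HKU\\[^\\]+|HKCU)\\Software\\Classes\\CLSID\\\{[0-9A-F-]{36}\}\\InprocServer32",
    re.IGNORECASE,
)


def is_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.search(path))


def detect_tzutil_discovery(event: dict) -> bool:
    """tzutil.exe spawned by a parent that lives in a user-writable directory."""
    if event.get("EventID") != 1:
        return False
    if not event.get("Image", "").lower().endswith("\\tzutil.exe"):
        return False
    return is_user_writable(event.get("ParentImage", ""))


def detect_com_hijack(event: dict) -> bool:
    """Per-user CLSID InprocServer32 value pointing at a DLL in a user-writable path."""
    if event.get("EventID") != 13:
        return False
    if not PER_USER_CLSID_SERVER.match(event.get("TargetObject", "")):
        return False
    return is_user_writable(event.get("Details", ""))


RULES = {
    "tzutil_discovery": detect_tzutil_discovery,
    "com_hijack_persistence": detect_com_hijack,
}


def run_detections(events):
    """Apply every rule to every event; return one alert per (rule, event) hit."""
    alerts = []
    for idx, event in enumerate(events):
        for name, rule in RULES.items():
            if rule(event):
                alerts.append({"rule": name, "event_index": idx,
                               "image": event.get("Image", "")})
    return alerts


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample, the tzutil rule fires on the first event (parent in `AppData\Local\Temp`) but not the second (parent is `explorer.exe`), and the COM rule fires on the per-user CLSID write but not on the HKLM write made by `msiexec.exe`. In a real deployment both rules belong after an allow-list of known installers and update agents, since the user-writable-path heuristic is a starting point for tuning rather than a finished signature.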


"Throughout the attack lifecycle, Nebulous Mantis exhibits operational discipline in minimizing their footprint, carefully balancing aggressive intelligence collection with stealth requirements, suggesting either state-sponsored backing or a professional cybercriminal group with significant resources."

The disclosure comes weeks after PRODAFT uncovered a ransomware group named Ruthless Mantis (aka PTI-288) that focuses on double extortion by collaborating with affiliate programs, such as Ragnar Locker, INC Ransom, and others.

Led by a threat actor dubbed LARVA-127, the financially motivated group uses an array of legitimate and custom tools to facilitate each phase of the attack cycle: discovery, persistence, privilege escalation, defense evasion, credential harvesting, lateral movement, and C2 frameworks like Brute Ratel C4 and Ragnar Loader.

"Although Ruthless Mantis consists of highly experienced core members, they also actively integrate newcomers to continuously enhance the effectiveness and speed of their operations," it said.

"Ruthless Mantis has significantly expanded its arsenal of tools and techniques, providing them with state-of-the-art resources to streamline processes and boost operational efficiency."
