The Ukrainian authorities have published information warning of a new ransomware campaign against organizations in the war-torn country.
In a brief notice, the Ukrainian CERT said it had discovered phishing emails spoofed to appear as if sent from the “Press Service of the General Staff of the Armed Forces of Ukraine.”
If recipients fall for the scam and click on the link contained in the email, they’ll be taken to a web page and urged to download a new version of PDF Reader. Doing so will trigger a malicious executable, CERT-UA warned.
“Running the mentioned file will, as a result, decode and run the ‘rmtpak.dll’ file. The latter is classified as RomCom malware,” it explained.
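The lure described above combines two signals a mail gateway can check independently: a display name that claims a known organisation while the actual sender domain does not belong to it, and a link that resolves to an executable dressed up as a software update. The following is an added example, not code from CERT-UA or the article; the organisation-to-domain allowlist, the domain names and the two sample messages are constructed placeholders for illustration.

```python
"""Triage inbound mail for display-name spoofing and executable download links.

Added example (not from CERT-UA or the article). TRUSTED_SENDERS maps a
keyword from a claimed organisation to the sender domains that may use it;
the table and every domain below are constructed placeholders.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical allowlist: lower-cased display-name keyword -> permitted domains.
TRUSTED_SENDERS = {
    "armed forces of ukraine": {"press.example-mil.test"},  # placeholder domain
}

# A link whose URL path ends in one of these extensions is a direct executable download.
EXECUTABLE_EXT = re.compile(r"\.(exe|msi|scr|dll)$", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def sender_mismatch(from_header):
    """Return (claimed_org, actual_domain) when the display name names a trusted
    organisation but the address domain is not on that organisation's allowlist;
    return None when the header is consistent."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    lowered = name.lower()
    for org, domains in TRUSTED_SENDERS.items():
        if org in lowered and domain not in domains:
            return org, domain
    return None


def executable_links(body):
    """Return every URL in the body whose path points at an executable file."""
    return [u for u in URL_RE.findall(body) if EXECUTABLE_EXT.search(urlparse(u).path)]


def triage(raw_message):
    """Parse a raw RFC 822 message and return a list of human-readable findings."""
    msg = message_from_string(raw_message)
    findings = []
    mismatch = sender_mismatch(msg.get("From", ""))
    if mismatch:
        findings.append(
            f"display-name spoof: claims '{mismatch[0]}' but sent from {mismatch[1]}"
        )
    for url in executable_links(msg.get_payload()):
        findings.append(f"executable download link: {url}")
    return findings


# Constructed sample resembling the lure described in the CERT-UA notice.
SAMPLE_PHISH = """From: "Press Service of the Armed Forces of Ukraine" <press@mail-updates.test>
To: staff@example.test
Subject: Updated PDF Reader required

Please install the new PDF Reader version to open the attached documents:
http://updates.example-cdn.test/pdfreader/PDFReader-setup.exe
"""

# Constructed sample from an allowlisted domain with a plain document link.
SAMPLE_LEGIT = """From: "Press Service of the Armed Forces of Ukraine" <press@press.example-mil.test>
To: staff@example.test
Subject: Weekly briefing

The briefing is available at http://press.example-mil.test/briefing/week-40.pdf
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, triage(sample) or ["no findings"])
```

The two checks are deliberately separate: a spoofed display name alone merits quarantine for review, while an executable link alone is common in legitimate software announcements, so an operator can weight them differently in a gateway policy rather than treating the combined score as a single rule.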
RomCom was first discovered by Palo Alto Networks back in August.
It linked the remote access Trojan (RAT) to a new Cuba ransomware affiliate dubbed “Tropical Scorpius,” noting that the malware allows threat actors to perform a range of post-intrusion capabilities including data exfiltration.
The affiliate appears to have been a major driver of Cuba ransomware infections, accounting for nearly half of the victims exposed on the group’s leak site between 2019 and summer 2022.
“As of July 2022, Tropical Scorpius has used Cuba ransomware to impact 27 more organizations across multiple verticals, such as professional and legal services, state and local government, manufacturing, transportation and logistics, wholesale and retail, real estate, financial services, healthcare, high technology, utilities and energy, construction, and education,” Palo Alto said at the time.
That would seem to suggest that the current campaign in Ukraine is primarily financially motivated, rather than coordinated with Russian state objectives in mind.
“Considering the use of the RomCom backdoor, as well as other features of the related files, we believe it is possible to associate the detected activity with the activity of the group Tropical Scorpius aka UNC2596, which is responsible for the distribution of Cuba ransomware,” CERT-UA confirmed.
A Cuba ransomware attack on the small Balkan country of Montenegro at the end of August was initially blamed by its government on the Kremlin. However, the NATO member subsequently appeared to row back from those claims.