Roma225 Malware
Researchers at Cybaze-Yoroi ZLab identified an espionage campaign targeting the automotive industry in Italy.
The malware used in this campaign was distributed via a phishing email crafted to appear legitimate, purporting to come from a senior partner at the Brazilian law firm “Veirano Advogados”. The actual malware is disguised as a Microsoft PowerPoint presentation containing auto-open VBA macro code. Once triggered, the macro downloads and executes the next stage of the dropper, which ultimately installs RevengeRAT. For full technical details, refer to Yoroi’s article.
Indicators of Compromise
Duncan is a technology professional with over 20 years’ experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.