Cybersecurity researchers have shed light on a Russian-speaking cyber espionage group called Nebulous Mantis, which since mid-2012 has deployed a remote access trojan called RomCom RAT.
RomCom "uses advanced evasion techniques, including living-off-the-land (LOTL) tactics and encrypted command-and-control (C2) communications, while continuously evolving its infrastructure, leveraging bulletproof hosting to maintain persistence and evade detection," the company PRODAFT said in a report shared with The Hacker News.
Nebulous Mantis, also tracked by the cybersecurity community under the names CIGAR, Cuba, Storm-0978, Tropical Scorpius, UNC2596 and Void Rabisu, is known to focus on critical infrastructure, government agencies, political leaders and defense organizations related to NATO.
Attack chains mounted by the group typically involve spear-phishing messages carrying links to weaponized documents in order to deliver RomCom RAT. The domains and command-and-control (C2) servers used in these campaigns are hosted on NPP. The infrastructure is managed and purchased by a threat actor operating under the moniker LARVA-290.
The threat actor is estimated to have been active since at least mid-2019, with earlier iterations of the campaign delivering the malware through a loader.
The first-stage RomCom DLL is designed to connect to the C2 server and download additional payloads via the InterPlanetary File System (IPFS) from attacker-controlled domains, execute commands on the infected host, and run the C++ variant of the RomCom malware.
The final variant likewise establishes a connection with the C2 server to run commands, as well as to download and execute additional modules capable of stealing web browser data.
"The threat actor executes the tzutil command to determine the system's configured time zone," PRODAFT said. "This system information gathering reveals geographic and operational context that can be used to coordinate activity with the victim's working hours or to evade time-based security controls."
RomCom, besides manipulating the Windows Registry to set up persistence through COM hijacking, is equipped for credential harvesting, system reconnaissance, lateral movement, and the collection of data of interest, including files, credentials, configuration details, and Microsoft Outlook data.
RomCom variants and victims are managed through a dedicated C2 panel that allows operators to view devices and issue more than 40 commands to carry out various data collection tasks.
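The two host-level behaviours described above, tzutil-based time zone discovery and registry-based COM hijacking for persistence, are the kind of thing a detection engineer would want to flag in endpoint telemetry. The following is an added example written for this article, not code from PRODAFT or from the report: it parses a constructed, simplified key=value process-creation and registry-write log (not real telemetry from the campaign) and raises a finding when tzutil is spawned by a process living in a user-writable directory, or when a per-user CLSID InprocServer32 value is pointed at a DLL in such a directory. The registry path pattern comes from general knowledge of how COM hijacking works, not from the report; the log format, GUID and file paths are all constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry (not from the PRODAFT report): a simplified
# key=value endpoint log with process-creation and registry-write events.
SAMPLE_EVENTS = [
    'event=process_create image=C:\\Windows\\System32\\tzutil.exe cmdline="tzutil /g" '
    'parent=C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe',
    'event=process_create image=C:\\Windows\\System32\\tzutil.exe cmdline="tzutil /g" '
    'parent=C:\\Windows\\System32\\svchost.exe',
    'event=process_create image=C:\\Windows\\notepad.exe cmdline="notepad.exe" '
    'parent=C:\\Windows\\explorer.exe',
    'event=registry_set key=HKCU\\Software\\Classes\\CLSID\\{11111111-2222-3333-4444-555555555555}\\InprocServer32 '
    'value=(Default) data=C:\\Users\\alice\\AppData\\Roaming\\helper.dll',
    'event=registry_set key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer '
    'value=ShellState data=hex',
]

# key=value tokens; values may be double-quoted when they contain spaces.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Directory fragments that an ordinary user can write to; a DLL or a parent
# process living here is more suspicious than one under C:\Windows.
USER_WRITABLE = ('\\users\\', '\\programdata\\', '\\temp\\')

# Per-user COM server registration: HKCU\Software\Classes\CLSID\{GUID}\InprocServer32.
# Writing a user-controlled DLL path here is the classic COM hijack shape
# (ATT&CK T1546.015); the pattern is general knowledge, not from the report.
COM_HIJACK_RE = re.compile(
    r'^hkcu\\software\\classes\\clsid\\\{[0-9a-f-]+\}\\inprocserver32$', re.I)


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict, unquoting quoted values."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in KV_RE.finditer(line)}


def is_user_writable(path: str) -> bool:
    """True if the path lies in a directory a standard user can write to."""
    lowered = path.lower()
    return any(fragment in lowered for fragment in USER_WRITABLE)


def detect(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (finding_name, evidence) pairs for the two behaviours."""
    findings: List[Tuple[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        kind = ev.get('event')
        if kind == 'process_create':
            image = ev.get('image', '').lower()
            parent = ev.get('parent', '')
            # System time discovery (ATT&CK T1124) is normal when done by
            # Windows itself; flag it when the parent is a user-dropped binary.
            if image.endswith('\\tzutil.exe') and is_user_writable(parent):
                findings.append(('time_zone_discovery', parent))
        elif kind == 'registry_set':
            key = ev.get('key', '')
            data = ev.get('data', '')
            # Per-user CLSID InprocServer32 pointing at a user-writable DLL.
            if COM_HIJACK_RE.match(key) and is_user_writable(data):
                findings.append(('com_hijack_persistence', data))
    return findings


if __name__ == '__main__':
    for name, evidence in detect(SAMPLE_EVENTS):
        print(f'{name}: {evidence}')
```

The parent-process and DLL-location conditions are what keep the rule from firing on legitimate use: tzutil launched by svchost.exe and registry writes outside the CLSID hive in the sample pass through untouched, while the dropped-binary-spawns-tzutil and user-profile-DLL-in-InprocServer32 events are surfaced.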
"Nebulous Mantis operates as a sophisticated threat group that employs a multi-phase intrusion methodology to achieve initial access, execution, persistence, and data exfiltration," the company said.
"Throughout the attack life cycle, Nebulous Mantis demonstrates operational discipline in minimizing its traces while carefully balancing that against aggressive intelligence collection, suggesting it is either state-sponsored or a professional cybercrime organization with significant resources."
The disclosure comes a few weeks after PRODAFT exposed a group called Ruthless Mantis (aka PTI-288) that specializes in double extortion, collaborating with ransomware affiliate programs such as Ragnar Locker, INC Ransom and others.
Led by a threat actor called LARVA-127, the financially motivated group is associated with Ragnar Loader.
"Although Ruthless Mantis consists of highly experienced core members, they also actively integrate newcomers to continuously improve the efficiency and speed of their operations," the company noted.
"Ruthless Mantis has greatly expanded its toolset and methods, giving it modern resources to streamline its processes and improve efficiency."