The threat actors behind a malware family known as RomCom targeted a U.S.-based civil engineering company via a JavaScript loader dubbed SocGholish to deliver the Mythic Agent.
“This is the first time that a RomCom payload has been observed being distributed by SocGholish,” Arctic Wolf Labs researcher Jacob Faires said in a Tuesday report.
The activity has been attributed with medium-to-high confidence to Unit 29155 of Russia’s Main Directorate of the General Staff of the Armed Forces of the Russian Federation, also known as GRU. According to the cybersecurity company, the targeted entity had worked for a city with close ties to Ukraine in the past.
SocGholish (aka FakeUpdates), linked to a financially motivated operator tracked as TA569 (aka Gold Prelude, Mustard Tempest, Purple Vallhund, and UNC1543), serves as an initial access broker, allowing other threat actors to drop a wide range of payloads. Some of its known customers are Evil Corp, LockBit, Dridex, and Raspberry Robin.
The attack chains typically involve serving fake browser update alerts for Google Chrome or Mozilla Firefox on legitimate-but-compromised websites to trick unsuspecting users into downloading malicious JavaScript that’s responsible for installing a loader, which then fetches additional malware.
For the most part, the attacks single out websites that are poorly secured, taking advantage of known security vulnerabilities in plugins to inject JavaScript code that’s designed to display the pop-up and activate the infection chain.
RomCom (aka Nebulous Mantis, Storm-0978, Tropical Scorpius, UNC2596, or Void Rabisu), on the other hand, is the name assigned to a Russia-aligned threat actor that’s known to dabble in both cybercrime and espionage operations since at least 2022.
The threat actor leverages several methods, including spear-phishing and zero-day exploits, to breach target networks and drop the eponymous remote access trojan (RAT) on victim machines. Attacks mounted by the hacking group have singled out entities in Ukraine, as well as NATO-related defense organizations.
In the attack analyzed by Arctic Wolf, the fake update payload allows the threat actors to run commands on the compromised machine by means of a reverse shell established to a command-and-control (C2) server. This includes conducting reconnaissance and dropping a custom Python backdoor codenamed VIPERTUNNEL.
Also delivered is a RomCom-linked DLL loader that launches the Mythic Agent, a crucial component of the cross-platform, post-exploit, red teaming framework that communicates with a corresponding server to support command execution, file operations, and others.
While the attack was ultimately unsuccessful and was blocked before it could progress any further, the development shows the RomCom threat actor’s continued interest in targeting Ukraine or entities providing assistance to the country, no matter how tenuous the connection may be.
“The timeline from infection via [the fake update] to the delivery of RomCom’s loader was less than 30 minutes,” Jacob Faires said. “Delivery is not made until the target’s Active Directory domain has been verified to match a known value provided by the threat actor.”
“The widespread nature of SocGholish attacks and the relative speed at which the attack progresses from initial access to infection makes it a potent threat to organizations worldwide.”