Roma225 Malware

Researchers at Cybaze-Yoroi ZLab identified an espionage campaign targeting the automotive industry in Italy.

The malware used in this campaign was distributed via a phishing email crafted to look legitimate, posing as a message from a senior partner at the Brazilian law firm “Veirano Advogados”. The attachment is disguised as a Microsoft PowerPoint presentation containing an auto-open VBA macro. When the macro runs, it downloads and executes the next stage of the dropper, which ultimately installs RevengeRAT. For full technical details, refer to Yoroi’s article.

Indicators of Compromise

Drop URLs:

  • https://minhacasaminhavidacdt.blogspot.com
  • https://pocasideiascdt.blogspot.com/
  • http://cdtmaster.com.br
  • 177.85.98.242

C2 (RevengeRAT):

  • office365update.duckdns.org
  • 184.75.209.169
  • systen32.ddns.net
  • 138.36.3.228

Persistence:

HKCU\AppEvents\<"Values">

SHA-256:

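The network indicators above are the part of this list most analysts will want to sweep proxy and DNS logs for. The following is an added example, not code from the original post or from Yoroi: it reduces the listed drop URLs and C2 entries to bare hosts and IPs, then scans log lines for exact matches, subdomains of a listed host, and listed IPs. The log lines in SAMPLE_LOG are constructed for illustration and the labels "drop" and "c2" are this example's own naming.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Network indicators copied from the IoC list above. Bare IPs are kept as IPs;
# URLs are reduced to their host component before matching.
DROP_URLS = [
    "https://minhacasaminhavidacdt.blogspot.com",
    "https://pocasideiascdt.blogspot.com/",
    "http://cdtmaster.com.br",
    "177.85.98.242",
]
C2_SERVERS = [
    "office365update.duckdns.org",
    "184.75.209.169",
    "systen32.ddns.net",
    "138.36.3.228",
]
IOC_GROUPS = {"drop": DROP_URLS, "c2": C2_SERVERS}  # labels are this example's own

# Loose extractors for hostnames and IPv4 addresses embedded in arbitrary log text.
HOST_RE = re.compile(r"\b[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample log lines (not from the campaign); one benign blogspot hit
# is included to show that the parent domain alone does not trigger a match.
SAMPLE_LOG = [
    "2019-12-13T10:22:01Z 10.0.0.5 GET http://cdtmaster.com.br/x.ppt 200",
    "2019-12-13T10:22:07Z 10.0.0.5 dns office365update.duckdns.org A",
    "2019-12-13T10:22:09Z 10.0.0.5 CONNECT 138.36.3.228:443",
    "2019-12-13T10:25:00Z 10.0.0.9 GET https://www.blogspot.com/ 200",
    "2019-12-13T10:26:00Z 10.0.0.9 dns WWW.pocasideiascdt.blogspot.com. A",
]


def normalize_indicator(ioc):
    """Reduce an indicator to ('ip', '1.2.3.4') or ('host', 'example.com')."""
    ioc = ioc.strip()
    if "://" in ioc:
        ioc = urlsplit(ioc).hostname or ""
    try:
        return "ip", str(ipaddress.ip_address(ioc))
    except ValueError:
        return "host", ioc.lower().rstrip(".")


def build_index(groups):
    """Map {label: [ioc, ...]} to ({ip: label}, {host: label})."""
    ips, hosts = {}, {}
    for label, iocs in groups.items():
        for ioc in iocs:
            kind, value = normalize_indicator(ioc)
            (ips if kind == "ip" else hosts)[value] = label
    return ips, hosts


def host_matches(observed, hosts):
    """Exact match, or the observed name is a subdomain of a listed host.

    Matching is one-directional: a query for the shared parent (blogspot.com)
    must not match a listed blogspot subdomain.
    """
    observed = observed.lower().rstrip(".")
    if observed in hosts:
        return observed, hosts[observed]
    for ioc, label in hosts.items():
        if observed.endswith("." + ioc):
            return ioc, label
    return None


def scan_lines(lines, groups):
    """Return [(line_no, matched_indicator, label), ...] for every IoC hit."""
    ips, hosts = build_index(groups)
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in ips:
                hits.append((n, ip, ips[ip]))
        for host in HOST_RE.findall(line):
            match = host_matches(host, hosts)
            if match:
                hits.append((n, match[0], match[1]))
    return hits


if __name__ == "__main__":
    for line_no, indicator, label in scan_lines(SAMPLE_LOG, IOC_GROUPS):
        print(f"line {line_no}: {label} indicator {indicator}")
```

Run it against exported proxy or DNS resolver logs one line at a time; the subdomain rule matters for the duckdns.org and ddns.net entries, where the attacker controls everything beneath the listed label, while the blogspot.com hosts are only meaningful as the exact subdomains listed.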
Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He also has a wide range of other skills in radio, electronics and telecommunications.
