SocGholish Lures Used by RomCom to Deploy Mythic Agent

The threat actors behind the RomCom malware family used a JavaScript loader called SocGholish to deliver a Mythic agent to a U.S.-based civil engineering company.

“This is the first time that a RomCom payload has been observed being distributed by SocGholish,” Arctic Wolf Labs researcher Jacob Faires reported.

The activity has been attributed with medium-to-high confidence to Unit 29155 of Russia’s Main Directorate of the General Staff of the Armed Forces of the Russian Federation, or GRU. The cybersecurity firm says the targeted company had previously done work for a city with strong ties to Ukraine.

SocGholish (also known as FakeUpdates), associated with a financially motivated operator tracked as TA569 (also known as Gold Prelude, Mustard Tempest, Purple Vallhund, and UNC1543), operates as an initial access broker, enabling other threat actors to drop a variety of payloads. Evil Corp, LockBit, Dridex, and Raspberry Robin are a few of its well-known customers.

The attack chains typically display fake browser update notices for Google Chrome or Mozilla Firefox on legitimate but compromised websites to trick unsuspecting users into downloading malicious JavaScript that installs a loader, which then retrieves further malware.

The attacks often target poorly secured websites, exploiting known security flaws in plugins to inject JavaScript code that displays the pop-up and starts the infection chain.
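Because the lure depends on JavaScript being injected into an otherwise legitimate page, one generic defensive control for site owners is to keep a known-good inventory of each page's script tags and alert when a freshly served copy introduces scripts that were not in the baseline. The following is an added illustration of that check, not code from the article or from Arctic Wolf; the sample pages and the `cdn.example.invalid` hostname are constructed placeholders, not indicators from the campaign.

```python
"""Baseline diff of <script> tags to surface injected JavaScript on a page.

Added example, not from the article: compares the script inventory of a
served page against a known-good baseline. External scripts are tracked by
their src attribute, inline scripts by a SHA-256 of their body, so both a
newly added tag and a tampered inline script show up as "new".
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Optional


@dataclass(frozen=True)
class ScriptRef:
    src: Optional[str]        # external script URL, or None for inline scripts
    body_hash: Optional[str]  # SHA-256 of the inline body, or None for external


class ScriptCollector(HTMLParser):
    """Collects every <script> element on a page as a ScriptRef."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: list[ScriptRef] = []
        self._in_script = False
        self._current_src: Optional[str] = None
        self._buf: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self._current_src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> contents as raw CDATA, so the body
        # arrives here untouched.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            body = "".join(self._buf).strip()
            if self._current_src:
                self.scripts.append(ScriptRef(src=self._current_src, body_hash=None))
            elif body:
                digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
                self.scripts.append(ScriptRef(src=None, body_hash=digest))
            self._in_script = False


def script_inventory(html: str) -> set[ScriptRef]:
    """Return the set of script references present in an HTML document."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return set(parser.scripts)


def new_scripts(baseline_html: str, current_html: str) -> set[ScriptRef]:
    """Scripts present in the current copy of the page but absent from the baseline."""
    return script_inventory(current_html) - script_inventory(baseline_html)


# Constructed sample pages (placeholders, not real indicators).
BASELINE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script>window.dataLayer = [];</script>
</head><body><p>Welcome</p></body></html>"""

# Same page with an extra external script tag injected into <head>.
INJECTED_HTML = """<html><head>
<script src="/static/app.js"></script>
<script>window.dataLayer = [];</script>
<script src="https://cdn.example.invalid/update.js" async></script>
</head><body><p>Welcome</p></body></html>"""

# Same page with the existing inline script modified in place.
TAMPERED_INLINE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script>window.dataLayer = []; document.body.innerHTML += "";</script>
</head><body><p>Welcome</p></body></html>"""


if __name__ == "__main__":
    for label, page in (("injected", INJECTED_HTML), ("tampered", TAMPERED_INLINE_HTML)):
        for ref in sorted(new_scripts(BASELINE_HTML, page), key=str):
            print(f"[{label}] new script: src={ref.src} body_sha256={ref.body_hash}")
```

The baseline should be captured from a trusted copy of the site (for example the deployed build artifact) rather than from the live server, otherwise an already compromised page becomes its own baseline.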

RomCom (also known as Nebulous Mantis, Storm-0978, Tropical Scorpius, UNC2596, or Void Rabisu), for its part, is the name given to a Russia-aligned threat actor that has been involved in espionage and cybercrime since at least 2022.

The threat actor uses several techniques, such as spear-phishing and zero-day exploits, to sneak into target networks and infect victim computers with the Remote Access Trojan (RAT) of the same name. The hacker group’s attacks have targeted both NATO-affiliated defense agencies and entities in Ukraine.

In the attack examined by Arctic Wolf, the fake update payload gives the threat actors a reverse shell to a command-and-control (C2) server, through which they can execute commands on the compromised system. This includes carrying out reconnaissance and deploying a custom Python backdoor known as VIPERTUNNEL.
