The Ukrainian authorities have posted information warning of a new ransomware campaign against organizations in the war-torn country.
In a brief notice, the Ukrainian CERT said it had discovered phishing emails spoofed to appear as if sent from the “Press Service of the General Staff of the Armed Forces of Ukraine.”
If recipients fall for the scam and click on the link contained in the email, they’ll be taken to a web page and urged to download a new version of PDF Reader. Doing so will trigger a malicious executable, the CERT-UA warned.
“Running the mentioned file will, as a result, decode and run the ‘rmtpak.dll’ file. The latter is classified as a RomCom malware,” it explained.
RomCom was first uncovered by Palo Alto Networks back in August.
It linked the remote access Trojan (RAT) to a new Cuba ransomware affiliate dubbed “Tropical Scorpius,” noting that the malware enables threat actors to perform a range of post-intrusion functions including data exfiltration.
The affiliate appears to have been a major driver of Cuba ransomware infections, accounting for nearly half of the victims exposed on the group’s leak site between 2019 and summer 2022.
“As of July 2022, Tropical Scorpius has used Cuba ransomware to impact 27 additional organizations across multiple vectors, such as professional and legal services, state and local government, manufacturing, transportation and logistics, wholesale and retail, real estate, financial services, healthcare, high technology, utilities and energy, construction, and education,” Palo Alto said at the time.
That would seem to suggest that the current campaign in Ukraine is primarily financially motivated, rather than coordinated with Russian state goals in mind.
“Considering the use of the RomCom backdoor, as well as other features of the related files, we believe it is possible to associate the detected activity with the activity of the group Tropical Scorpius aka UNC2596, which is responsible for the distribution of Cuba ransomware,” CERT-UA confirmed.
A Cuba ransomware attack on the tiny Balkan country of Montenegro at the end of August was initially blamed by its government on the Kremlin. However, the NATO member subsequently appeared to row back from those claims.