Roma225 Campaign by Gorgon Group

Delaware, USA – January 4, 2019 – A recently published research by Cybaze-Yoroi ZLab experts informs about details of Roma225 campaign that targeted the Italian automotive sector. Cyberespionage malware intruded into infrastructure through phishing email making victims believe its a legitimate PowerPoint Presentation from the senior partner.

Their bad luck was that the .ppa file contained malicious VBA macro which downloaded and executed the next-stage dropper from Blogpost web page that installed RevengeRAT as a final payload. Once executed, the remote access trojan immediately contacts one of the hard-coded command and control servers sending information about victim machine via TCP connection.

The researchers attribute Roma225 campaign to the Gorgon Group who started performing attacks back in year 2018 and succeeded in their previous practice targeting governmental organizations in the United Kingdom, Spain, Russia, and the United States. In addition to the RevengeRAT, there are several other trojans and infostealers such as NjRAT and LokiBot in the arsenal of the Pakistani group. The crew combines both regular crime and targeted attack objectives using the same domain infrastructure over time and balancing the lack of sophistication with high social engineering skills.

Rules to detect communications with attackers’ infrastructure and malicious files used in Roma225 campaign:
https://tdm.socprime.com/tdm/info/1426/
https://tdm.socprime.com/tdm/info/1425/