"The attack chains typically involve serving fake browser update alerts for Google Chrome or Mozilla Firefox on legitimate-but-compromised websites to trick unsuspecting users into downloading malicious JavaScript that's responsible for installing a loader, which then fetches additional malware. For the most part, the attacks single out websites that are poorly secured, taking advantage of known security vulnerabilities in plugins to inject JavaScript code that's designed to display the pop-up and activate the infection chain."
"The threat actors behind a malware family known as RomCom targeted a U.S.-based civil engineering company via a JavaScript loader dubbed SocGholish to deliver the Mythic Agent. RomCom (aka Nebulous Mantis, Storm-0978, Tropical Scorpius, UNC2596, or Void Rabisu), on the other hand, is the name assigned to a Russia-aligned threat actor that's known to dabble in both cybercrime and espionage operations since at least 2022."
RomCom malware was delivered to a U.S. engineering firm via a SocGholish JavaScript loader that installed the Mythic Agent. The activity is attributed with medium-to-high confidence to Unit 29155 of the GRU; the targeted entity had worked for a city with ties to Ukraine. SocGholish (FakeUpdates), linked to TA569, acts as an initial access broker and enables other operators to deliver payloads. Attack chains use fake browser update alerts on compromised websites to trick users into downloading malicious JavaScript, exploiting plugin vulnerabilities to install loaders and fetch additional malware. RomCom is a Russia-aligned actor using spear-phishing and zero-day exploits to deploy a remote access trojan.
Read at The Hacker News
Unable to calculate read time
Collection
[
|
...
]