Cybersecurity researchers have discovered a new malvertising campaign spreading the RomCom malware. The attackers set up fake websites impersonating legitimate software products and promote them through ad space bought on Google's ad network; in parallel, they have been running highly targeted phishing attacks. Victims who download the advertised MSI installer receive a trojanized package containing a malicious DLL named InstallA.dll, which in turn drops three further DLLs onto the device. RomCom is a backdoor that can capture screenshots of the compromised machine and steal browser cookies, cryptocurrency wallet data, chat messages and login credentials. Its capabilities range from compressing folders and exfiltrating them to the attackers' servers to executing commands through cmd.exe. The report notes that the damage the malware can cause depends on the campaign it is deployed in.
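The dropper behaviour described above (an MSI installer that writes InstallA.dll, which then drops three more DLLs) is something a defender can hunt for in endpoint file-creation telemetry. The following is an added example, not code from the article or from Trend Micro's report: it parses constructed Sysmon-style FileCreate events, groups them by process, and flags msiexec.exe writing a file named InstallA.dll followed by further DLL writes from the same process within a short window. The pipe-delimited log shape, every path and PID, and the placeholder names stage1.dll, stage2.dll and stage3.dll (the report summary above does not name the three follow-on DLLs) are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed Sysmon-style FileCreate events (Event ID 11) flattened to one
# line each: "<UTC time>|<pid>|<creating image>|<target filename>".
# The format, paths and PIDs are assumptions; stage1/2/3.dll are placeholders
# for the three follow-on DLLs, whose real names the text does not give.
SAMPLE_EVENTS = """\
2023-06-01T10:00:01Z|4120|C:\\Windows\\System32\\msiexec.exe|C:\\Users\\alice\\AppData\\Local\\Temp\\MSI9F2A.tmp
2023-06-01T10:00:02Z|4120|C:\\Windows\\System32\\msiexec.exe|C:\\Users\\alice\\AppData\\Local\\Temp\\InstallA.dll
2023-06-01T10:00:04Z|4120|C:\\Windows\\System32\\msiexec.exe|C:\\Users\\alice\\AppData\\Roaming\\Updater\\stage1.dll
2023-06-01T10:00:04Z|4120|C:\\Windows\\System32\\msiexec.exe|C:\\Users\\alice\\AppData\\Roaming\\Updater\\stage2.dll
2023-06-01T10:00:05Z|4120|C:\\Windows\\System32\\msiexec.exe|C:\\Users\\alice\\AppData\\Roaming\\Updater\\stage3.dll
2023-06-01T10:20:00Z|5310|C:\\Windows\\System32\\msiexec.exe|C:\\Program Files\\SomeVendor\\app.dll
2023-06-01T10:21:00Z|5310|C:\\Windows\\System32\\msiexec.exe|C:\\Program Files\\SomeVendor\\app.exe
2023-06-01T11:00:00Z|6022|C:\\Windows\\explorer.exe|C:\\Users\\alice\\Downloads\\InstallA.dll
"""


def parse_events(text):
    """Turn the pipe-delimited lines into dicts with a timezone-aware timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, pid, image, target = line.split("|", 3)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "pid": int(pid),
            "image": image,
            "target": target,
        })
    return events


def basename(path):
    """Last path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def hunt_romcom_dropper(events, window=timedelta(minutes=5), min_follow_on=3):
    """Flag processes that write InstallA.dll.

    Confidence is 'high' when msiexec.exe wrote it and then wrote at least
    min_follow_on further DLLs inside the window (the drop pattern described
    in the article), 'medium' when msiexec.exe wrote it without that many
    follow-on DLLs, and 'low' when some other process created the file.
    """
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev["pid"]].append(ev)

    findings = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["time"])  # stable: same-second order is kept
        for i, ev in enumerate(evs):
            if basename(ev["target"]).lower() != "installa.dll":
                continue
            from_msi = basename(ev["image"]).lower() == "msiexec.exe"
            follow_on = [
                e["target"] for e in evs[i + 1:]
                if e["time"] - ev["time"] <= window
                and e["target"].lower().endswith(".dll")
            ]
            if from_msi and len(follow_on) >= min_follow_on:
                confidence = "high"
            elif from_msi:
                confidence = "medium"
            else:
                confidence = "low"
            findings.append({
                "pid": pid,
                "image": ev["image"],
                "installa_path": ev["target"],
                "follow_on_dlls": follow_on,
                "confidence": confidence,
            })
    return findings


if __name__ == "__main__":
    for f in hunt_romcom_dropper(parse_events(SAMPLE_EVENTS)):
        print(f["confidence"], f["pid"], f["installa_path"], len(f["follow_on_dlls"]))
```

A file name alone is a weak indicator, since the attackers can rename the DLL in the next build, which is why the check raises confidence only when the msiexec.exe parentage and the multi-DLL drop sequence are both present. In practice it should be paired with the origin of the installer (the typosquatted site the ad pointed to) and a signature check on the MSI itself.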
Among the products the attackers impersonated with a fake website is Remote Desktop Manager from Devolutions, a Canada-based company that provides remote access solutions for businesses.
The campaign was discovered by Trend Micro's cybersecurity researchers.