Attackers have been using Google ads and phishing emails to redirect clicks to the spoofed sites, where MSI installers with the malicious “InstallA.dll” file could be downloaded, a Trend Micro report showed.
This DLL in turn extracts three further DLLs, which handle command-and-control functions, into the “%PUBLIC%\Libraries” folder. Further investigation revealed that more than 20 malicious commands have been added in the latest version of the RomCom malware, bringing the total to 42; some of these commands download additional stealer components.
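The drop location described above is unusual for legitimate installers, which makes it a cheap hunting signal. The following is an added detection example, not code from the report or from Trend Micro: it runs over a constructed set of file-creation records (Sysmon Event ID 11 style, flattened to `image|target` strings) and flags DLLs written under the default expansion of `%PUBLIC%\Libraries` (`C:\Users\Public\Libraries`). Treating `msiexec.exe` as a higher-confidence writer and counting three or more DLLs from one process as a "multi-DLL drop" are assumptions made for this example, modelled on the MSI-delivered, three-DLL pattern the text describes; the file names in the sample are invented.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Default expansion of %PUBLIC% on Windows, joined with the folder from the report.
PUBLIC_LIBRARIES = r"c:\users\public\libraries"

# Assumption for this example: an installer host writing DLLs into a user-facing
# public folder is more suspicious than an ordinary application doing so.
INSTALLER_IMAGES = {"msiexec.exe"}

# Constructed sample records in "writer image|created file" form; not real telemetry.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\msiexec.exe|C:\Users\Public\Libraries\drop1.dll",
    r"C:\Windows\System32\msiexec.exe|C:\Users\Public\Libraries\drop2.dll",
    r"C:\Windows\System32\msiexec.exe|C:\Users\Public\Libraries\drop3.dll",
    r"C:\Program Files\SomeApp\app.exe|C:\Users\Public\Libraries\helper.dll",
    r"C:\Windows\explorer.exe|C:\Users\Public\Documents\notes.txt",
    r"C:\Windows\System32\msiexec.exe|C:\Users\Public\Libraries\readme.txt",
]


@dataclass
class Finding:
    image: str      # normalised path of the process that created the file
    target: str     # normalised path of the created file
    severity: str   # "high" for installer hosts, "medium" otherwise


def _norm(path: str) -> str:
    # Case-insensitive comparison with a single separator style
    return path.strip().lower().replace("/", "\\")


def parse_event(line: str) -> Optional[Tuple[str, str]]:
    # Returns (image, target) or None for a malformed record
    try:
        image, target = line.split("|", 1)
    except ValueError:
        return None
    return _norm(image), _norm(target)


def is_public_libraries_dll(target: str) -> bool:
    # Match only files directly under (or below) the Libraries folder, not a
    # sibling folder that merely shares the prefix
    return target.startswith(PUBLIC_LIBRARIES + "\\") and target.endswith(".dll")


def scan_events(lines: List[str]) -> List[Finding]:
    findings = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        image, target = parsed
        if not is_public_libraries_dll(target):
            continue
        image_name = image.rsplit("\\", 1)[-1]
        severity = "high" if image_name in INSTALLER_IMAGES else "medium"
        findings.append(Finding(image, target, severity))
    return findings


def burst_writers(findings: List[Finding], threshold: int = 3) -> List[str]:
    # Processes that dropped `threshold` or more DLLs into the folder; the
    # three-DLL threshold mirrors the pattern in the report (assumption)
    counts = Counter(f.image for f in findings)
    return sorted(img for img, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    results = scan_events(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f.severity}] {f.image} -> {f.target}")
    for writer in burst_writers(results):
        print(f"multi-DLL drop by {writer}")
```

In a real deployment the same predicate would be expressed as a SIEM or EDR rule on the file-creation event source rather than a script, but the two conditions carry over unchanged: a `.dll` target path under the public Libraries folder, and several such writes from one process in a short window.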
RomCom was also noted to have improved its evasion capabilities, enabled by the VMProtect software, along with its encryption techniques and the use of null bytes in its C2 communications.