Full Report
Cybersecurity researchers have shed light on a Russian-speaking cyber espionage group called Nebulous Mantis that has deployed a remote access trojan called RomCom RAT since mid-2022. RomCom "employs advanced evasion techniques, including living-off-the-land (LOTL) tactics and encrypted command and control (C2) communications, while continuously evolving its infrastructure – leveraging
Analysis Summary
# Threat Actor: Nebulous Mantis
## Attribution & Identity
Russian-speaking cyber espionage group.
**Known Aliases:** CIGAR, Cuba, Storm-0978, Tropical Scorpius, UNC2596, Void Rabisu.
**Associated Infrastructure:** Infrastructure managed and procured by threat actor LARVA-290. The group is assessed to exhibit characteristics suggesting either state-sponsored backing or a professional cybercriminal organization with significant resources.
## Activity Summary
Active since at least mid-2019, with earlier iterations delivering the malware loader Hancitor. The current campaign, active since mid-2022, primarily focuses on distributing the RomCom RAT. Attack chains typically involve spear-phishing emails containing weaponized document links to distribute the initial RomCom RAT payload (a DLL). The activity reflects a sophisticated, multi-phase intrusion methodology aimed at intelligence collection while maintaining a minimal footprint.
## Tactics, Techniques & Procedures
- Spear-phishing emails with weaponized document links for initial access.
- Deployment of RomCom RAT for remote access.
- Use of Living-Off-The-Land (LOTL) tactics.
- Encrypted Command and Control (C2) communications.
- Infrastructure leveraging bulletproof hosting (BPH) for persistence and evasion.
- Initial-stage RomCom DLL connects to C2, downloads additional payloads using IPFS hosted on attacker-controlled domains, and executes the final-stage C++ malware.
- System information discovery, specifically executing the `tzutil` command to gather the system's time zone for operational timing.
- Persistence via COM hijacking, implemented by manipulating the Windows Registry.
- Credential harvesting.
- System reconnaissance and Active Directory enumeration.
- Lateral movement execution.
- Data collection, including browser data, configuration details, and Microsoft Outlook backups.
- Management via a dedicated C2 panel allowing over 40 remote commands.
## Targeting
- **Sectors:** Critical infrastructure, government agencies, political leaders, and NATO-related defense organizations.
- **Geography:** (Not explicitly detailed; the actor is Russian-speaking, and its targeting of NATO-related entities suggests a geopolitical focus.)
- **Victims:** (No specific organizations mentioned.)
## Tools & Infrastructure
- **Malware Families Used:** RomCom RAT (primary tool since mid-2022), Hancitor (earlier loader).
- **Infrastructure (C2, domains, IPs):** C2 servers hosted on bulletproof hosting (BPH) services such as LuxHost and Aeza. Command execution utilizes IPFS hosted on attacker-controlled domains.
## Implications
Nebulous Mantis operates as a sophisticated, disciplined espionage group capable of deep infiltration and intelligence exfiltration against high-value targets. Their sustained use of advanced evasion techniques (LOTL, encrypted C2, BPH) makes detection challenging. The focus on critical infrastructure and defense organizations elevates this threat to a significant national security concern.
## Mitigations
- Implement robust email filtering and user training focused on spear-phishing emails that carry weaponized document links.
- Network monitoring for unusual outbound traffic patterns indicative of encrypted C2 or IPFS usage.
- Baseline and monitor Windows Registry for unauthorized COM hijacking persistence mechanisms.
- Employ tools capable of detecting Living-Off-The-Land (LOTL) abuses.
- Implement strong credential hygiene and multi-factor authentication, given the focus on credential harvesting and AD enumeration.
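The following is an added example, not part of the original report, showing how three of the behaviours listed in the TTP section (per-user COM hijacking in the registry, `tzutil` executed by an unusual parent process, and payload retrieval over IPFS paths on attacker-controlled domains) can be turned into detection logic for the registry and network monitoring called for above. The events are constructed Sysmon-style records, the CLSIDs, hosts and content identifiers are placeholders, and the list of suspicious parent processes is an assumption to be tuned per environment.

```python
import ntpath
import re

# Constructed Sysmon-style events (not real telemetry). The kinds loosely mirror
# RegistryEvent SetValue, ProcessCreate and an HTTP request record from a proxy.
SAMPLE_EVENTS = [
    # Per-user CLSID server registration pointing at a DLL in a user-writable path
    {"kind": "registry_set", "image": r"C:\Windows\System32\rundll32.exe",
     "key": r"HKCU\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32\(Default)",
     "data": r"C:\Users\alice\AppData\Roaming\Microsoft\update.dll"},
    # Benign machine-wide registration written by an installer
    {"kind": "registry_set", "image": r"C:\Program Files\Vendor\setup.exe",
     "key": r"HKLM\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000002}\InprocServer32\(Default)",
     "data": r"C:\Program Files\Vendor\vendor.dll"},
    # Time-zone discovery launched from a DLL host rather than an interactive shell
    {"kind": "process_create", "image": r"C:\Windows\System32\tzutil.exe",
     "command_line": "tzutil /g", "parent_image": r"C:\Windows\System32\rundll32.exe"},
    # Same command run interactively by a user
    {"kind": "process_create", "image": r"C:\Windows\System32\tzutil.exe",
     "command_line": "tzutil /g", "parent_image": r"C:\Windows\explorer.exe"},
    # IPFS-gateway-style fetch of a (placeholder) CIDv1 from a non-browser process
    {"kind": "http_request", "image": r"C:\Windows\System32\rundll32.exe",
     "host": "cdn.attacker-controlled.invalid",
     "path": "/ipfs/bafybeisampledetectioncidconstructedfortheexampleonly234567"},
    # Ordinary browsing
    {"kind": "http_request", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "host": "www.example.com", "path": "/news/index.html"},
]

# HKCU CLSID entries take precedence over HKLM, so a per-user server path is the
# COM hijacking primitive; TreatAs redirects one CLSID to another.
COM_SERVER_KEY = re.compile(
    r"^HKCU\\Software\\Classes\\CLSID\\\{[0-9A-Fa-f-]+\}\\(InprocServer32|LocalServer32|TreatAs)\\",
    re.IGNORECASE)
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\(Users|ProgramData|Windows\\Temp)\\", re.IGNORECASE)
# CIDv0 is "Qm" + 44 base58 chars; base32 CIDv1 is 59 chars starting with "b".
CID_PATH = re.compile(r"^/ip[fn]s/(Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{58})(/|$)")
# Assumed tunable list: DLL/script hosts and document readers are unusual parents for tzutil.
SUSPICIOUS_PARENTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe",
                      "winword.exe", "excel.exe", "outlook.exe"}


def _basename(path):
    return ntpath.basename(path).lower()


def detect_com_hijack(ev):
    """Flag per-user COM server registrations; escalate when the server lives in a user-writable path."""
    if ev.get("kind") != "registry_set" or not COM_SERVER_KEY.match(ev.get("key", "")):
        return None
    severity = "high" if USER_WRITABLE.match(ev.get("data", "")) else "medium"
    return {"rule": "com_hijack_hkcu_clsid", "severity": severity,
            "key": ev["key"], "data": ev.get("data", ""), "image": ev.get("image", "")}


def detect_tzutil_recon(ev):
    """Flag tzutil.exe when its parent is a DLL/script host or a document reader."""
    if ev.get("kind") != "process_create" or _basename(ev.get("image", "")) != "tzutil.exe":
        return None
    parent = _basename(ev.get("parent_image", ""))
    if parent not in SUSPICIOUS_PARENTS:
        return None
    return {"rule": "tzutil_from_suspicious_parent", "severity": "medium",
            "parent": parent, "command_line": ev.get("command_line", "")}


def detect_ipfs_fetch(ev):
    """Flag HTTP requests whose path is an IPFS/IPNS gateway path carrying a CID-shaped token."""
    if ev.get("kind") != "http_request" or not CID_PATH.match(ev.get("path", "")):
        return None
    return {"rule": "ipfs_content_fetch", "severity": "medium",
            "host": ev.get("host", ""), "path": ev["path"], "image": ev.get("image", "")}


RULES = (detect_com_hijack, detect_tzutil_recon, detect_ipfs_fetch)


def run_detections(events):
    """Run every rule over every event and return the list of findings in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in run_detections(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["rule"], finding)
```

The COM rule deliberately fires on every HKCU CLSID server write and uses the server path only to set severity: legitimate per-user COM registrations exist, so the baseline called for in the mitigations is what separates a new hijack from a known entry. The tzutil and IPFS rules are parent-process and URL-shape heuristics and should be paired with the outbound-traffic baselining described above rather than used alone.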