The threat actor responsible for propagating the RomCom RAT (remote access trojan) has updated its attack method and is now leveraging the names of well-known tech brands. In a recent campaign discovered by BlackBerry, the RomCom threat actors were found building websites that mimicked the official download pages for PDF Reader Pro, the KeePass password manager, and SolarWinds Network Performance Monitor (NPM), effectively disguising the malware as trustworthy software.
Unit 42 also found that the threat actors set up a website posing as the Veeam Backup and Recovery tool. In addition to cloning the HTML code of the real websites, the attackers registered typosquatted “lookalike” domain names to give the fraudulent sites even more apparent legitimacy. BlackBerry had previously discovered the RomCom malware being used in cyberattacks on Ukrainian military institutions.
The fake SolarWinds NPM website serves a trojanized version of the free trial. It even links to a legitimate SolarWinds registration form, which, if completed by the user, results in a real customer care agent contacting them. The modified installer has been augmented with a malicious DLL that downloads and launches a copy of the RomCom RAT at the path “C:\Users\user\AppData\Local\Temp\winver.dll”.
It is worth noting that the downloaded malware (“Solarwinds-Orion-NPM-Eval.exe”) is signed with the same digital certificate that the RAT’s operators used in their operation against Ukraine, whose owner is listed as “Wechapaisch Consulting & Construction Limited.” In the case of the cloned KeePass site, which BlackBerry learned about on November 1, 2022, the threat actors are distributing an archive called “KeePass-2.52.zip”.
Among the files in the ZIP package are the RomCom RAT dropper “hlpr.dat” and its launcher “setup.exe”. The user is expected to run Setup.exe manually after downloading the files. BlackBerry’s researchers also found a second fake KeePass website and a PDF Reader Pro website, both in Ukrainian.
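As an added defender-side illustration that is not part of the original report, the following Python turns the indicators described above (the winver.dll drop path in a user’s Temp folder, the signer name on the trojanized SolarWinds installer, and the hlpr.dat/setup.exe pair inside the KeePass archive) into simple detection rules run over constructed endpoint telemetry; the record format, sample events and rule names are assumptions, not anything from BlackBerry or Unit 42.

```python
import re

# Constructed sample telemetry (not real logs): one dict per endpoint file/process event.
SAMPLE_EVENTS = [
    {"event": "file_write", "path": r"C:\Users\alice\AppData\Local\Temp\winver.dll",
     "signer": None},
    {"event": "process_start", "path": r"C:\Users\alice\Downloads\Solarwinds-Orion-NPM-Eval.exe",
     "signer": "Wechapaisch Consulting & Construction Limited"},
    {"event": "archive_extract", "path": r"C:\Users\bob\Downloads\KeePass-2.52.zip",
     "members": ["hlpr.dat", "setup.exe"]},
    # Benign control: the real winver.exe under System32, signed by Microsoft.
    {"event": "file_write", "path": r"C:\Windows\System32\winver.exe",
     "signer": "Microsoft Windows"},
]

# Indicators taken from the article. The username segment is a wildcard so the
# rule matches any user profile, not just the literal "user" in the report.
USER_TEMP_WINVER_RE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\winver\.dll$", re.IGNORECASE)
SUSPICIOUS_SIGNER = "wechapaisch consulting & construction limited"
ROMCOM_DROPPER_PAIR = {"hlpr.dat", "setup.exe"}


def classify_event(ev):
    """Return the list of (hypothetical) rule names that fire for one record."""
    hits = []
    path = ev.get("path", "")
    if USER_TEMP_WINVER_RE.match(path):
        hits.append("romcom_winver_dll_in_user_temp")
    signer = (ev.get("signer") or "").strip().lower()
    if signer == SUSPICIOUS_SIGNER:
        hits.append("romcom_code_signing_cert")
    members = {m.lower() for m in ev.get("members", [])}
    if path.lower().endswith(".zip") and ROMCOM_DROPPER_PAIR <= members:
        hits.append("romcom_keepass_archive_contents")
    return hits


def scan(events):
    """Map event index -> rule hits, keeping only events that triggered a rule."""
    return {i: hits for i, ev in enumerate(events) if (hits := classify_event(ev))}


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["path"], hits)
```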
This suggests that while RomCom is still focused on Ukraine, it has also expanded its target audience to include English-speaking users. Although it is not yet known exactly how the threat actors lure potential victims to the sites, the method may involve phishing, SEO poisoning, or postings on forums or social media.
According to Palo Alto Networks’ Unit 42, the RomCom RAT was first used by Tropical Scorpius, a Cuba Ransomware affiliate, in August 2022. The RomCom RAT, unknown at the time, supported ICMP-based communications and offered its operators ten commands for file operations, process spawning and spoofing, data exfiltration, and starting a reverse shell.
According to BlackBerry’s earlier investigation of the incident, there was no conclusive evidence linking the RomCom RAT operation to any known threat actors. Although Industrial Spy and Cuba Ransomware are mentioned in the latest report as possibly being related to this operation, the objective of the RomCom operators is still unknown.