The RomCom RAT (remote access trojan) hacker has launched a new campaign impersonating the official websites of popular software brands SolarWinds, KeePass, and PDF Technologies to propagate malware.
Researchers from BlackBerry uncovered the malicious campaign while analyzing network artifacts linked with RomComRAT infections resulting from attacks targeting Ukrainian military institutions and some English-speaking nations including the United Kingdom.
According to Mike Parkin, senior technical engineer at Vulcan Cyber, given the targets and the nature of the attack, there's more than just a cybercriminal motivation in play. It's quite likely there’s state-level planning behind the scenes.
"At its core, though, this is an attack against human targets,” Parkin said. “They are primarily relying on victims being socially engineered through email to go to a malicious site disguised as a legitimate one. That makes the users the first line of defense, as well as the primary attack surface.”
The RomCom hacker installed clone websites on malicious domains similar to the legitimate ones that they registered. Subsequently, the threat actor trojanized a legitimate application and propagated via the decoy website, deploying targeted phishing emails to the victims. In some cases, the attackers used additional infector vectors.
The malicious campaign seems like a direct copycat of some attacks we examined during the pandemic where we witnessed a number of vendor products and support tools being impersonated or "wrapped" with malware, stated Andrew Barratt, vice president at Coalfire.
“The wrapping means that the underlying legitimate tool is still deployed, but as part of that deployment some malware is dropped into the target environment,” Barratt explained. “Major APTs like FIN7 have used these tactics in the past. Leveraging well-known brands that they have probably identified are in use gives an intruder a high possibility of a positive response by a user they mislead.”
Earlier this year in August, Palo Alto Networks’ Unit 42 linked the RomCom RAT with an affiliate of the Cuba Ransomware named 'Tropical Scorpius,' as this was the first actor to employ the malware with features like ICMP-based communications, commands for file manipulation, process hatching and spoofing, data exfiltration, and activating a reverse shell.
However, the BlackBerry researchers said that there was no evidence for that assumption, and its report mentions Cuba Ransomware and Industrial Spy as possibly related to RomCom RAT. Hence, it remains unclear who is behind RomCom RAT or what are the motives behind the attacks.
