Heimdal
article featured image

Contents:

The RomCom RAT (remote access trojan) threat actor has launched a new campaign impersonating the official websites of well-known software brands to distribute malware.

Malware is disguised as a legitimate program on fake websites that imitate official download portals for SolarWinds Network Performance Monitor (NPM), KeePass password manager, PDF Reader Pro, and Veeam Backup and Recovery software.

Details about the Fake Websites

Typo-squat domains support the malicious clones that copy the HTML of the original site, giving them a boost of authenticity.

“The website that impersonates SolarWinds NPM delivers a trojanized version of the free trial and even links to an actual SolarWinds registration form that, if filled out by the victim, leads to being contacted by a real customer support agent”, according to BleepingComputer.

But the app downloaded from this site has been altered to include a malicious DLL that downloads and runs a copy of the RomCom RAT (remote access trojan) from a folder called “C:\Users\user\AppData\Local\Temp\winver.dll”.

New RomCom RAT Campaign Abusing Well-Known Software Brands

Fake SolarWinds website

Source

BlackBerry researchers show that the downloaded executable (“Solarwinds-Orion-NPM-Eval.exe”) is signed with “Wechapaisch Consulting & Construction Limited”, the same digital certificate the RAT’s operators used previously, in attacks against military institutions in Ukraine.

Through the clone of the KeePass website, hackers are distributing an archive named “KeePass-2.52.zip” containing multiple files like “hlpr.dat”, RomCom RAT dropper, and “setup.exe”, to launch the dropper. After downloading the archive, the user is required to run Setup.exe manually.

Who is Behind RomCom RAT

It is still unclear who is behind RomCom RAT or what are the motives behind the attacks.

Unit 42 forwarded the theory that Tropical Scorpius, an affiliate of the Cuba Ransomware, was responsible for it. He was the first one who used the malware, that at that point was unknown, with features like ICMP-based communications, commands for file manipulation, process hatching and spoofing, data exfiltration, and activating a reverse shell

But the BlackBerry team said that there was no evidence for that assumption, and its report mentions Cuba Ransomware and Industrial Spy as possibly related to RomCom RAT.

If you liked this article, follow us on LinkedInTwitterFacebookYoutube, and Instagram for more cybersecurity news and topics.

Author Profile

Andreea Chebac

Digital Content Creator

Andreea is a digital content creator within Heimdal® with a great belief in the educational power of content. A literature-born cybersecurity enthusiast (through all those SF novels…), she loves to bring her ONG, cultural, and media background to this job.

Leave a Reply

Your email address will not be published. Required fields are marked *

Protect your business by doing more with less

Book a Demo