New RomCom RAT Campaign Abusing Well-Known Software Brands
Threat Actors Have Cloned the Websites of KeePass, SolarWinds NPM, and Veeam.
Last updated on November 4, 2022
The RomCom RAT (remote access trojan) threat actor has launched a new campaign impersonating the official websites of well-known software brands to distribute malware.
Malware is disguised as a legitimate program on fake websites that imitate official download portals for SolarWinds Network Performance Monitor (NPM), KeePass password manager, PDF Reader Pro, and Veeam Backup and Recovery software.
Details about the Fake Websites
Typo-squat domains support the malicious clones that copy the HTML of the original site, giving them a boost of authenticity.
“The website that impersonates SolarWinds NPM delivers a trojanized version of the free trial and even links to an actual SolarWinds registration form that, if filled out by the victim, leads to being contacted by a real customer support agent”, according to BleepingComputer.
But the app downloaded from this site has been altered to include a malicious DLL that downloads and runs a copy of the RomCom RAT (remote access trojan) from a folder called “C:\Users\user\AppData\Local\Temp\winver.dll”.
BlackBerry researchers show that the downloaded executable (“Solarwinds-Orion-NPM-Eval.exe”) is signed with “Wechapaisch Consulting & Construction Limited”, the same digital certificate the RAT’s operators used previously, in attacks against military institutions in Ukraine.
Through the clone of the KeePass website, hackers are distributing an archive named “KeePass-2.52.zip” containing multiple files like “hlpr.dat”, RomCom RAT dropper, and “setup.exe”, to launch the dropper. After downloading the archive, the user is required to run Setup.exe manually.
Who is Behind RomCom RAT
It is still unclear who is behind RomCom RAT or what are the motives behind the attacks.
Unit 42 forwarded the theory that Tropical Scorpius, an affiliate of the Cuba Ransomware, was responsible for it. He was the first one who used the malware, that at that point was unknown, with features like ICMP-based communications, commands for file manipulation, process hatching and spoofing, data exfiltration, and activating a reverse shell
But the BlackBerry team said that there was no evidence for that assumption, and its report mentions Cuba Ransomware and Industrial Spy as possibly related to RomCom RAT.
Andreea is a digital content creator within Heimdal® with a great belief in the educational power of content. A literature-born cybersecurity enthusiast (through all those SF novels…), she loves to bring her ONG, cultural, and media background to this job.