The RomCom threat group is actively using trojanized versions of popular software products, including SolarWinds Network Performance Monitor, KeePass Open-Source Password Manager, and PDF Reader Pro, to target various English-speaking countries, particularly the UK, with a remote access Trojan (RAT). It's a departure in tactics, techniques, and procedures for the advanced persistent threat (APT).
During an analysis of an earlier RomCom RAT campaign against the Ukrainian military that used fake Advanced IP Scanner software to deliver malware, the threat research and intelligence team at BlackBerry discovered additional, more widespread campaigns being waged in other geolocations. The researchers determined that the UK and other English-speaking countries were new RomCom targets based on analysis of the terms of service and the SSL certificate of a new command-and-control server, which was registered in the UK.
Dmitry Bestuzhev, distinguished threat researcher with BlackBerry, tells Dark Reading that the UK is now actually one of the largest RomCom targets, based on BlackBerry's analysis.
"It's predictable, because the US and UK have been the most active supporters of Ukraine in the conflict with Russia," Bestuzhev says.
Once dropped, the RomCom RAT is designed to exfiltrate any sensitive data or passwords.
"Information is valuable, and when it is strategic, it helps the attacker build better offensive strategies and take advantage in any domain," Bestuzhev adds. "Geopolitics will set new targets. Since RomCom has been widely exposed, it is reasonable to assume the group behind it might change their TTPs."
This isn't the first shift in strategy for the group. "When RomCom was discovered, it was publicly associated with ransomware," Bestuzhev says. "The most recent campaigns demonstrate that the motivation of this threat actor is not money. There is a geopolitical agenda that defines the new targets."
RomCom RAT’s Wrap
The trojanizing scheme isn't terribly complicated, the BlackBerry team explained in its report.
RomCom scrapes the code from the site of the software vendor the APT wants to impersonate, registers a malicious domain that is likely to trick the user through typosquatting or similar tactics, trojanizes the real application, and then uploads the malware to the spoofed site. It then sends a phishing lure to the intended target via various channels, and boom: target compromised.
The wrapping technique isn't new, Andrew Barratt, vice president with Coalfire, tells Dark Reading; other APTs and groups like FIN7 have used similar tactics.
"This attack looks like it's a direct copycat of some attacks we investigated during the pandemic, where we saw numerous vendor product support tools being mimicked or 'wrapped' with malware," Barratt says. "The 'wrapping' process means that the underlying legitimate tool is still deployed, but as part of that deployment, some malware is dropped into the target environment."
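One defensive check that follows from the scheme described above is screening the host a software download comes from against the vendor's real domains and flagging near-miss spellings or embedded brand names. The script below is an added example, not code from BlackBerry's report or from any of the vendors named; the allowlist of vendor hosts, the homoglyph table and the sample URLs are assumptions constructed for illustration.

```python
"""Lookalike download-host check (added example; hosts and samples are constructed)."""
from urllib.parse import urlparse

# Assumed allowlist of legitimate vendor hosts; verify against the vendors'
# own published domains before relying on it in production.
KNOWN_VENDOR_HOSTS = ("solarwinds.com", "keepass.info", "pdfreaderpro.com")

# Visual substitutions commonly used to make a spoofed label look legitimate.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(label: str) -> str:
    """Lower-case a DNS label and undo common homoglyph swaps."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_name(host: str) -> str:
    """Second-level label of a host (naive: no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_download_host(url: str, max_distance: int = 2) -> str:
    """Return 'legitimate', 'lookalike:<vendor host>' or 'unknown' for a URL."""
    host = (urlparse(url).hostname or "").lower()
    if host in KNOWN_VENDOR_HOSTS or any(host.endswith("." + v) for v in KNOWN_VENDOR_HOSTS):
        return "legitimate"
    name = normalize(registrable_name(host))
    for vendor in KNOWN_VENDOR_HOSTS:
        vname = registrable_name(vendor)
        # Brand name embedded in another label, or a near-miss spelling of it.
        if vname in name or 0 < levenshtein(name, vname) <= max_distance:
            return f"lookalike:{vendor}"
    return "unknown"
```

A hit on "lookalike" is a reason to block or investigate the download, not proof of compromise; the same check can be run over proxy logs to find users who already fetched an installer from such a host.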
RomCom Targeting Humans
To defend against RomCom attacks, Mike Parkin, senior technical engineer with Vulcan Cyber, recommends forgetting about the state espionage aspect of the campaign and instead focusing on social engineering and the real targets: humans.
"With the current geopolitical situation, it is quite likely there is state-level involvement behind the scenes. At its core, though, this is an attack against human targets," Parkin explains to Dark Reading. "They are primarily relying on victims being socially engineered via email to visit a malicious site disguised as a legitimate one. That makes the users the first line of defense, as well as the primary attack surface."