The RomCom threat group is actively using trojanized versions of popular software products, including SolarWinds Network Performance Monitor, KeePass Open-Source Password Manager, and PDF Reader Pro, to target various English-speaking countries — especially the UK — with a remote access Trojan (RAT). It's a departure in tactics, techniques, and procedures for the advanced persistent threat (APT).
During an analysis of a previous RomCom RAT campaign against the Ukraine military that used fake Advanced IP Scanner software to deliver malware, the threat research and intelligence team at BlackBerry discovered additional, more widespread campaigns being waged in other geolocations. The researchers determined the UK and other English-speaking countries were new RomCom targets based on the analysis of the terms of service and the SSL certificates of a new command-and-control server, which was registered in the UK.
Dmitry Bestuzhev, distinguished threat researcher with BlackBerry, tells Dark Reading that the UK is now actually one of the biggest RomCom targets, based on Blackberry's analysis.
"It's predictable, since the US and UK have been the most active supporters of Ukraine in the war with Russia," Bestuzhev says.
Once dropped, the RomCom RAT is designed to exfiltrate any sensitive data or passwords.
"Information is valuable, and when it's strategic, it helps the attacker build better offensive strategies and take advantage in any domain," Bestuzhev adds. "Geopolitics will set new targets. Since RomCom has been widely exposed, it's reasonable to believe the group behind it might change their TTPs."
This isn't the first shift in strategy for the group. "When RomCom was discovered, it was publicly associated with ransomware," Bestuzhev says. "The most recent campaigns prove that the motivation of this threat actor is not money. There is a geopolitical agenda that defines the new targets."
RomCom RAT's Wrap
The trojanizing scheme isn't terribly complicated, the BlackBerry team explained in its report.
RomCom scrapes the code from the software vendor the APT wants to use, registers a malicious domain that's likely to trick the user with typosquatting or similar tactics, trojanizes the real application, and then uploads the malware to the spoofed site. It then sends a phishing lure to the intended target through various channels, and boom — target compromised.
The wrapping approach isn't new, Andrew Barratt, vice president with Coalfire, tells Dark Reading; other APTs and groups like FIN7 have used similar tactics.
"This attack looks like it's a direct copycat of some attacks we investigated during the pandemic, where we saw a number of vendor products support tools being mimicked or 'wrapped' with malware," Barratt says. "The 'wrapping' process means that the underlying legitimate tool is still deployed, but as part of that deployment, some malware is dropped into the target environment."
RomCom Targeting Humans
To defend against RomCom attacks, Mike Parkin, senior technical engineer with Vulcan Cyber, recommends forgetting about the state espionage aspect of the campaign and instead focusing on social engineering and the true targets — individuals.
"With the current geopolitical situation, it's quite likely there is a state-level involvement behind the scenes. At its core, though, this is an attack against human targets," Parkin explains to Dark Reading. "They are primarily relying on victims being social engineered through email to go to a malicious site disguised as a legitimate one. That makes the users the first line of defense, as well as the primary attack surface."