The RomCom menace group is actively utilizing trojanized variations of in style software program merchandise, together with SolarWinds Community Efficiency Monitor, KeePass Open-Supply Password Supervisor, and PDF Reader Professional, to focus on numerous English-speaking international locations — particularly the UK — with a distant entry Trojan (RAT). It is a departure in techniques, strategies, and procedures for the superior persistent menace (APT).
Throughout an evaluation of a earlier RomCom RAT marketing campaign towards the Ukraine army that used pretend Superior IP Scanner software program to ship malware, the menace analysis and intelligence workforce at BlackBerry found extra, extra widespread campaigns being waged in different geolocations. The researchers decided the UK and different English-speaking international locations have been new RomCom targets primarily based on the evaluation of the phrases of service and the SSL certificates of a brand new command-and-control server, which was registered within the UK.
Dmitry Bestuzhev, distinguished menace researcher with BlackBerry, tells Darkish Studying that the UK is now really one of many greatest RomCom targets, primarily based on Blackberry’s evaluation.
“It is predictable, because the US and UK have been essentially the most lively supporters of Ukraine within the struggle with Russia,” Bestuzhev says.
As soon as dropped, the RomCom RAT is designed to exfiltrate any delicate knowledge or passwords.
“Data is efficacious, and when it is strategic, it helps the attacker construct higher offensive methods and take benefit in any area,” Bestuzhev provides. “Geopolitics will set new targets. Since RomCom has been broadly uncovered, it is affordable to consider the group behind it’d change their TTPs.”
This is not the primary shift in technique for the group. “When RomCom was found, it was publicly related to ransomware,” Bestuzhev says. “The latest campaigns show that the motivation of this menace actor shouldn’t be cash. There’s a geopolitical agenda that defines the brand new targets.”
RomCom RAT’s Wrap
The trojanizing scheme is not terribly difficult, the BlackBerry workforce defined in its report.
RomCom scrapes the code from the software program vendor the APT desires to make use of, registers a malicious area that is prone to trick the consumer with typosquatting or comparable techniques, trojanizes the true utility, after which uploads the malware to the spoofed website. It then sends a phishing lure to the supposed goal by means of numerous channels, and increase — goal compromised.
The wrapping method is not new, Andrew Barratt, vice chairman with Coalfire, tells Darkish Studying; different APTs and teams like FIN7 have used comparable techniques.
“This assault appears to be like prefer it’s a direct copycat of some assaults we investigated in the course of the pandemic, the place we noticed a variety of vendor merchandise help instruments being mimicked or ‘wrapped’ with malware,” Barratt says. “The ‘wrapping’ course of signifies that the underlying professional device remains to be deployed, however as a part of that deployment, some malware is dropped into the goal surroundings.”
RomCom Focusing on People
To defend towards RomCom assaults, Mike Parkin, senior technical engineer with Vulcan Cyber, recommends forgetting in regards to the state espionage facet of the marketing campaign and as a substitute specializing in social engineering and the true targets — people.
“With the present geopolitical scenario, it is fairly seemingly there’s a state-level involvement behind the scenes. At its core, although, that is an assault towards human targets,” Parkin explains to Darkish Studying. “They’re primarily counting on victims being social engineered by means of e-mail to go to a malicious website disguised as a professional one. That makes the customers the primary line of protection, in addition to the first assault floor.”
