RomCom Malware Woos Victims With Wrapped SolarWinds, KeePass Software

Published: 23/11/2024   Category: security




An analysis of the RomCom APT shows the group is expanding its efforts beyond the Ukrainian military into the UK and other English-speaking countries.



The RomCom threat group is actively using trojanized versions of popular software products, including SolarWinds Network Performance Monitor, KeePass Open-Source Password Manager, and PDF Reader Pro, to target various English-speaking countries, especially the UK, with a remote access Trojan (RAT). It's a departure in tactics, techniques, and procedures (TTPs) for the advanced persistent threat (APT).
During an analysis of a previous RomCom RAT campaign against the Ukrainian military that used fake Advanced IP Scanner software to deliver malware, the threat research and intelligence team at BlackBerry discovered additional, more widespread campaigns being waged in other regions. The researchers determined that the UK and other English-speaking countries were new RomCom targets based on an analysis of the terms of service and the SSL certificates of a new command-and-control server, which was registered in the UK.
Dmitry Bestuzhev, distinguished threat researcher with BlackBerry, tells Dark Reading that the UK is now actually one of the biggest RomCom targets, based on BlackBerry's analysis.
"It's predictable, since the US and UK have been the most active supporters of Ukraine in the war with Russia," Bestuzhev says.
Once dropped, the RomCom RAT is designed to exfiltrate any sensitive data or passwords.
"Information is valuable, and when it's strategic, it helps the attacker build better offensive strategies and take advantage in any domain," Bestuzhev adds. "Geopolitics will set new targets. Since RomCom has been widely exposed, it's reasonable to believe the group behind it might change their TTPs."
This isn't the first shift in strategy for the group. When RomCom was discovered, it was publicly associated with ransomware, Bestuzhev says. "The most recent campaigns prove that the motivation of this threat actor is not money. There is a geopolitical agenda that defines the new targets."
The trojanizing scheme isn't terribly complicated, the BlackBerry team explained in its report.
RomCom copies the site content and the legitimate installer from the vendor whose software the APT wants to abuse, registers a malicious look-alike domain that is likely to trick the user through typosquatting or similar tactics, trojanizes the real application, and then uploads the malware to the spoofed site. It then sends a phishing lure to the intended target through various channels, and the target is compromised. Because the decoy site and the installer are both cloned from the vendor, the look-alike domain is often the only tell a user sees before the trojanized package runs.
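The domain half of that scheme is something a defender can check mechanically before a download is allowed or while reviewing proxy logs. The block below is an added example written for this page, not code from BlackBerry's report or from the original article. It classifies a candidate download host against an assumed allowlist of vendor domains, flagging exact matches after homoglyph folding, single-edit typos, top-level-domain swaps, and brand names embedded in a longer host. The vendor allowlist is an assumption a defender would maintain, and every look-alike host in the sample run is constructed for illustration; none of them is attributed to RomCom.

```python
from urllib.parse import urlsplit

# Assumed allowlist of legitimate vendor domains (a defender's own list, not from the article).
VENDOR_DOMAINS = {"solarwinds.com", "keepass.info", "pdfreaderpro.com"}

# Character sequences that look alike in common fonts, folded longest-first.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("5", "s")]


def host_of(url_or_host):
    """Extract a lower-cased hostname from a URL or bare host (port and path dropped)."""
    s = url_or_host.strip().lower()
    if "://" not in s:
        s = "//" + s  # let urlsplit treat a bare host as a network location
    return (urlsplit(s).hostname or "").rstrip(".")


def registrable(host):
    """Last two labels of the host; a simplification that ignores multi-part suffixes like co.uk."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def fold(label):
    """Normalise confusable characters and hyphens so look-alikes compare equal."""
    for seq, repl in HOMOGLYPHS:
        label = label.replace(seq, repl)
    return label.replace("-", "")


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url_or_host, vendors=VENDOR_DOMAINS):
    """Return (verdict, matched_vendor). Verdicts: vendor, homoglyph, tld-swap, typosquat, brand-embedded, unrelated."""
    host = host_of(url_or_host)
    dom = registrable(host)
    if dom in vendors:
        return "vendor", dom
    label, _, tld = dom.rpartition(".")
    folded_label = fold(label)
    for v in sorted(vendors):
        vlabel, _, vtld = v.rpartition(".")
        folded_vendor = fold(vlabel)
        if folded_label == folded_vendor:
            return ("tld-swap" if tld != vtld else "homoglyph"), v
        # Allow one edit per four characters of the brand, but always at least one.
        if levenshtein(folded_label, folded_vendor) <= max(1, len(folded_vendor) // 4):
            return "typosquat", v
    # Brand name hidden in a subdomain or a longer registrable label, e.g. brand-download.tld.
    folded_host = fold(host.replace(".", ""))
    for v in sorted(vendors):
        if fold(v.rpartition(".")[0]) in folded_host:
            return "brand-embedded", v
    return "unrelated", None


def flag_lookalikes(urls, vendors=VENDOR_DOMAINS):
    """Keep only the entries that impersonate a vendor (drop genuine vendor hosts and unrelated hosts)."""
    flagged = []
    for u in urls:
        verdict, vendor = classify(u, vendors)
        if verdict not in ("vendor", "unrelated"):
            flagged.append((u, verdict, vendor))
    return flagged


if __name__ == "__main__":
    # Constructed sample of download URLs as they might appear in proxy logs; not real infrastructure.
    sample = [
        "https://keepass.info/download",
        "https://keepas.info/KeePass-Setup.exe",
        "https://so1arwinds.com/npm-installer.msi",
        "https://keepass.net/setup.exe",
        "https://keepass-download.info/KeePass.exe",
        "https://solarwinds.com.cdn-files.example/npm.msi",
        "https://github.com/",
    ]
    for url, verdict, vendor in flag_lookalikes(sample):
        print(f"{verdict:15} {url}  (impersonates {vendor})")
```

The thresholds are deliberately conservative: an exact match after folding is treated as more serious than a one-character edit, and the brand-embedded check runs last so a vendor's own subdomains never get there (they are accepted at the first step). In a real deployment, the allowlist would come from the software inventory, and a flagged host should be a reason to check the installer's vendor-published hash or code signature rather than the sole verdict.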
The wrapping approach isn't new, Andrew Barratt, vice president with Coalfire, tells Dark Reading; other APTs and groups like FIN7 have used similar tactics.
"This attack looks like it's a direct copycat of some attacks we investigated during the pandemic, where we saw a number of vendor products' support tools being mimicked or wrapped with malware," Barratt says. "The wrapping process means that the underlying legitimate tool is still deployed, but as part of that deployment, some malware is dropped into the target environment."
To defend against RomCom attacks, Mike Parkin, senior technical engineer with Vulcan Cyber, recommends forgetting about the state espionage aspect of the campaign and instead focusing on social engineering and the true targets — individuals.
"With the current geopolitical situation, it's quite likely there is state-level involvement behind the scenes. At its core, though, this is an attack against human targets," Parkin explains to Dark Reading. "They are primarily relying on victims being socially engineered through email to go to a malicious site disguised as a legitimate one. That makes the users the first line of defense, as well as the primary attack surface."
