RomCom RAT impersonates websites to spread malware (7th November 2022)

Ref# AL2022_72 | Date: Nov 7th 2022

Description  

The threat actors behind the RomCom Remote Access Trojan (RAT) campaign were recently seen producing clones of official websites for SolarWinds Network Performance Monitor (NPM), KeePass password manager, and PDF Reader Pro, using these websites to deliver their RAT malware disguised in legitimate programs. 

Summary 

Researchers at BlackBerry discovered a new campaign in which the RomCom threat actors created clone websites to deliver their RAT malware. The three websites cloned were those of SolarWinds Network Performance Monitor (NPM), KeePass password manager, and PDF Reader Pro. Additionally, Unit 42 from Palo Alto Networks discovered another impersonated website, that of the Veeam Backup and Recovery software. The threat actors copied the original HTML code of the websites, which makes it almost impossible to tell the fake site from the original. Similar-looking domain names were also registered to make the malicious sites appear authentic.

The clone SolarWinds NPM website is used to deliver a trojanized version of the free trial of the software. The threat actors went so far as to link their website to the official SolarWinds registration form that can be used to contact a SolarWinds customer support agent. The software downloaded is a legitimate copy of SolarWinds but has been modified to include a malicious Dynamic-Link Library (DLL) file that downloads and executes the RomCom RAT.  

For the clone KeePass website, the threat actors distribute the legitimate KeePass software bundled with their RAT in the ZIP file KeePass-2.52.zip. The archive includes hlpr.dat, which is the RomCom RAT dropper, while the launch routine that executes the RAT is embedded in the setup.exe executable meant to install the KeePass software.

A second clone KeePass website was also discovered in the Ukrainian language, along with a PDF Reader Pro clone, also in Ukrainian. Researchers have stated that the RomCom threat actors originally targeted military institutions in Ukraine, hence the Ukrainian-language clone websites. However, the threat actors have seemingly shifted their targeting worldwide, most notably to the United Kingdom.

Indicators of Compromise: 

For a list of IOCs related to this malware campaign, follow the URL for related IP addresses, URLs and hashes: https://blogs.blackberry.com/en/2022/11/romcom-spoofing-solarwinds-keepass 

Remediation  

To circumvent this type of malware campaign, users are advised to follow the steps below: 

  1. When visiting a website, always double-check the Uniform Resource Locator (URL) of that website for spelling errors or anything suspicious. The RomCom threat actors try to spoof the URL to be as close as possible to the original, but it can be noticed if examined carefully. For example, the original URL for KeePass is keepass.info and the fake URL is keepas.org.

  2. Always scan files downloaded from the internet with a reputable anti-virus solution.
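The URL check in step 1 can be automated for a web proxy or mail gateway log. The following is an added example written for this alert, not code from the CIRT or from BlackBerry: it flags hostnames whose registered name is identical or within a small edit distance of a known vendor name, which catches the keepass.info versus keepas.org pattern quoted above. The allowlist entry keepass.info is taken from the alert; solarwinds.com is assumed as the vendor's official domain.

```python
from urllib.parse import urlsplit

# Official vendor domains to compare against. keepass.info is quoted in the
# alert; solarwinds.com is assumed for this example.
KNOWN_GOOD = {"keepass.info", "solarwinds.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_name(host: str) -> str:
    """Second-level label of a hostname, e.g. 'keepas' from 'www.keepas.org'."""
    labels = host.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify_url(url: str, max_distance: int = 2) -> str:
    """Return 'known-good', 'lookalike of <domain>' or 'unknown' for a URL."""
    host = (urlsplit(url).hostname or "").lower()
    # Exact vendor domain or one of its subdomains is trusted.
    if host in KNOWN_GOOD or any(host.endswith("." + g) for g in KNOWN_GOOD):
        return "known-good"
    name = registered_name(host)
    for good in sorted(KNOWN_GOOD):
        # Same or nearly-same name under a different TLD is the spoofing
        # pattern described in the alert (keepass.info vs keepas.org).
        if edit_distance(name, registered_name(good)) <= max_distance:
            return f"lookalike of {good}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample URLs; only keepas.org is taken from the alert.
    for sample in ("https://keepass.info/download.html",
                   "https://www.keepas.org/", "https://example.com/"):
        print(sample, "->", classify_url(sample))
```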

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.    
