Romcom Malware Spread via Google Ads for ChatGPT, GIMP, more (June 8, 2023)

Ref# AL2023_45 | Date: Jun 8th 2023

Description  

A new campaign distributing the RomCom backdoor malware is impersonating well-known websites or fictional software, tricking users into downloading and launching malicious installers. Researchers report that the threat actors behind the malware have escalated its evasion by using payload encryption and obfuscation and expanded the tool”s capabilities by introducing new and powerful commands. 

Most websites used for distributing RomCom to victims concern remote desktop management applications, which increases the likelihood of attackers employing phishing or social engineering to approach their targets. 

Details 

The first documented use of RomCom wasreported in August 2022by Palo Alto Networks, attributing the attacks to a Cuba ransomware by the name “Tropical Scorpius.”  

Asubsequent BlackBerry reportin November 2022 illustrated how RomCom impersonated legitimate software, including SolarWinds Network Performance Monitor (NPM), the KeePass password manager, and PDF Reader Pro. Trend Micro”s report on the latest RomCom activity lists several examples of websites used by the malware operators between December 2022 and April 2023 that impersonate legitimate software, like Gimp, Go To Meeting, ChatGPT, WinDirStat, AstraChat, System Ninja, Devolutions” Remote Desktop Manager, and more.  

Some of the malicious sites used in the said time period are: 

  1. gllmp.com (offline) Impersonates the free and open-source image editor 

  1. gotomeet.us (offline) Impersonates the cloud video meeting and conferencing app 

  1. singularlabs.org (offline) Impersonates a PC-cleaning tool 

  1. chatgpt4beta.com (online) Impersonates the AI-powered chatbot platform 

  1. astrachats.com (offline) Impersonates the secure chat software 

  1. devolutionrdp.com (online) Impersonates a remote desktop management tool 

  1. cozy-sofware.com (offline) Impersonates a remote desktop management tool 

  1. vectordmanagesoft.com (offline) – Impersonates a remote desktop management tool 

  1. devolrdm.com (online) – Impersonates a remote desktop management tool 

  1. dirwinstat.com (online) Impersonates a disk usage viewer and cleanup tool 

These fake sites are promoted through Google advertisements and highly targeted phishing emails, with most of the victims based in Eastern Europe. The websites distribute MSI installers that impersonate these apps but contain a malicious DLL file (InstallA.dll). This file extracts another three DLLs onto the victim”s %PUBLIC%Libraries folder, which handles command and control server communications and command execution. 

The latest version of the RomCom payload analyzed by Trend Micro shows that its authors have worked towards implementing additional malicious commands, with their number of commands growing from 20 to 42. 

Some of the highlighted commands that can be pushed to a device infected with RomCom are: 

  • Startcmd.exe 

  • Drop a file onto the victim”s computer to introduce more payloads. 

  • Spawn a process with PID spoofing to make it appear legitimate. 

  • Exfiltrate data from the compromised system. 

  • Set up a proxy via SSH. 

  • Update the malware on the device. 

  • Run AnyDesk on a hidden window. 

  • Compress a given folder and send it to the attackers” server. 

These commands already give the attackers extensive capabilities, but the cybersecurity company reports having seen several cases of additional malware payloads being installed through RomCom. Stealer components downloaded by RomCom on compromised devices include: 

  • PhotoDirector.dll A screenshot-snapping tool that compresses images in ZIP archives for exfiltration. 

  • procsys.dll A web browser (Chrome, Firefox, Edge) cookies stealer. 

  • wallet.exe A cryptocurrency wallet stealer. 

  • msg.dll An instant messenger chat stealer. 

  • FileInfo.dll An FTP credentials stealer that uploads data to an FTP server. 

RomCom”s authors now use the VMProtect software for code protection and anti-VM capabilities. Also, it uses encryption for the payload and null bytes in its C2 communication to evade detection from network monitoring tools. 

Finally, the software downloaded from the malicious websites is signed by seemingly legitimate companies supposedly based in the U.S. and Canada, the websites of which are filled with fake or plagiarized content. RomCom has been associated with ransomware, espionage, and warfare, and the exact goals of its operators remain murky. It is a versatile threat that can cause significant damage. 

Indicators of Compromise 

For a full list of IOCs associated with RomCom, please see the URL below: https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/e/void-rabisu%E2%80%99s-use-of-romcom-backdoor-shows-a-growing-shift-in-threat-actors%E2%80%99-goals-/ioc-list-void-rabisus-use-of-romcom-backdoor-shows-a-growing-shift-in-threat-actors-goals.txt 

Remediation 

  1. Do not open emails from unknown senders and interact with its contents such as attachments. 

  1. Do not download software and install applications from unknown sources. 

  1. Install a reputable antivirus and perform system scans on a regular basis. 

  1. Backup important data and store it on a different source such as an external hard drive for safe keeping. 

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary. 

PDF Download: Romcom Malware Spread via Google Ads for ChatGPT, GIMP, more.pdf

References