U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

RomCom RAT campaigns abuses popular brands like KeePass and SolarWinds NPM

A new campaign spreading RomCom RAT impersonates popular software brands like KeePass, and SolarWinds. The threat actor behind the RomCom RAT (remote access trojan) has refreshed its attack vector and is now abusing well-known software brands for distribution. Researchers from BlackBerry uncovered a new RomCom RAT campaign impersonating popular software brands like KeePass, and SolarWinds. […]

RomCom RAT

A new campaign spreading RomCom RAT impersonates popular software brands like KeePass, and SolarWinds.

The threat actor behind the RomCom RAT (remote access trojan) has refreshed its attack vector and is now abusing well-known software brands for distribution.

Researchers from BlackBerry uncovered a new RomCom RAT campaign impersonating popular software brands like KeePass, and SolarWinds. The threat actors set up websites cloning the official download websites for SolarWinds Network Performance Monitor (NPM), KeePass password manager, and PDF Reader Pro. The malware was masqueraded as legitimate applications from popular brands.

The attacks were spotted while analyzing network artifacts associated with RomComRAT infections resulting from attacks targeting Ukrainian military institutions.

“In our latest discovery, our team found RomCom leveraging the following products in their campaigns: SolarWinds Network Performance MonitorKeePass Open-Source Password Manager, and PDF Reader Pro.” reads the report published by BlackBerry.

The analysis of the terms of service (TOS) of two of the malicious websites and the SSL certificates of a newly created command-and-control (C2) revealed that The attacks continue to target Ukraine along with English-speaking countries, including the United Kingdom.

The geography of the targets and the current geopolitical situation suggests the attacks were carried out by a nation-state actor.

The RomCom threat actor deployed clone websites on malicious domain similar to the legitimate one that they registered. Then they trojanizing a legitimate application and distributed it through the decoy website, deploying targeted phishing emails to the victims. In some cases, the attackers used additional infector vectors.

RomCom RAT

Attackers included into the tainted app a malicious DLL used to downloads and execute an instance of the RomCom RAT from the “C:\Users\user\AppData\Local\Temp\winver.dll” location.

The executable downloaded as part of the SolarWinds Network Performance Monitor campaign, “Solarwinds-Orion-NPM-Eval.exe”, is signed with the same digital certificate used in the attacks against Ukrainian entities.

In the KeePass RomCom campaign threat actors distributed an archive named “KeePass-2.52.zip” containing the RomCom RAT dropper (“hlpr.dat”) and the setup.exe used to execute the dropper.

In another attack abusing the KeePass brand the attackers set up a clone website in the Ukrainian language.

The researchers speculate a link with other extortion groups like Cuba Ransomware and Industrial Spy gangs.

“The RomCom threat actor is actively deploying new campaigns targeting victims in Ukraine and English-speaking targets worldwide. Based on the TOS, it is possible that victims in the United Kingdom are a new target, while Ukraine continues to be the main focus.” concludes the report. “RomCom RAT, Cuba Ransomware, and Industrial Spy have an apparent connection.” 

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, RomCom RAT)

[adrotate banner=”5″]

[adrotate banner=”13″]