RomCom’s RAT continues to mainly target Ukraine, but it appears to have widened its net to include English-speaking countries like the UK. Per the intelligence team, this is based on the terms of service of the two spoofed sites used in the campaign, and the SSL certificates of its new command-and-control (C2) server.
BlackBerry also asserts that the ongoing RomCom campaigns aren’t purely motivated by cybercrime, given the targeted countries and the current situation among countries in relation to the Russia-Ukraine invasion.
The research explains that RomCom uses phishing to spread. Before conducting a phishing attack, RomCom threat actors scrape a legitimate software vendor’s website they want to impersonate, register a similar domain, and then create a Trojan by bundling their malicious code into a legitimate copy of the company’s software. This bundled file is then uploaded to the fake site so that threat actors can send phishing emails that point to it.
For example, according to BlackBerry, threat actors registered the very respectable-looking keepass.org domain in order to impersonate the real domain. While the old anti-phishing advice of looking out for spelling mistakes and obviously fake domains still holds true, it isn’t, and has never been, a guarantee of success. Criminals can produce perfectly realistic websites and register realistic domains. It’s difficult to imagine anyone who isn’t intimately familiar with KeePass spotting that the .org domain was a fake.
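Because a lookalike domain is hard for a person to spot, it is better caught in proxy or mail logs by comparing the destination against the vendor domains an organisation already trusts. The script below is an added example (not code from Malwarebytes or BlackBerry): it flags the TLD-swap pattern described above (same registrable label, different TLD) and, going beyond the article's case, also simple typosquats and homoglyph substitutions. The vendor allowlist, the homoglyph table and the log lines are constructed for the demonstration, and the domain splitting is deliberately simplified (no multi-part suffixes such as co.uk).

```python
"""
Lookalike-domain detector for proxy/email logs (added example, not the
article's or BlackBerry's code). Vendor names and log lines are constructed.
"""
import re

# Constructed allowlist of vendor domains the organisation trusts.
KNOWN_VENDORS = {"goodsoftware.com", "acme-tools.net"}

# Constructed table of common visual substitutions, fake -> real.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]


def split_domain(domain):
    """Return (registrable_label, tld) for a dotted hostname; subdomains are ignored.
    Simplification: multi-part public suffixes (co.uk etc.) are not handled."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), used to catch typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise_homoglyphs(label):
    """Rewrite lookalike character pairs to the letters they imitate."""
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def classify(domain):
    """Return (verdict, matched_vendor) for one hostname.
    Verdicts: trusted, tld-swap, homoglyph, typosquat, unrelated."""
    label, tld = split_domain(domain)
    for vendor in KNOWN_VENDORS:
        vlabel, vtld = split_domain(vendor)
        if label == vlabel and tld == vtld:
            return "trusted", vendor
        if label == vlabel:                     # keepass.org-style TLD swap
            return "tld-swap", vendor
        if normalise_homoglyphs(label) == vlabel:
            return "homoglyph", vendor
        if levenshtein(label, vlabel) <= 2:     # one or two typos away
            return "typosquat", vendor
    return "unrelated", None


# Constructed proxy log excerpt: one legitimate vendor visit, three lookalikes,
# one unrelated site.
SAMPLE_LOG = """\
2023-03-01T10:02:11Z user=alice dst=goodsoftware.com path=/download/setup.exe
2023-03-01T10:05:40Z user=bob dst=goodsoftware.org path=/download/setup.exe
2023-03-01T10:07:02Z user=carol dst=goodsoftvvare.com path=/index.html
2023-03-01T10:09:55Z user=dave dst=goodsofware.com path=/
2023-03-01T10:12:30Z user=erin dst=news.example.com path=/story
"""

LOG_RE = re.compile(r"user=(?P<user>\S+)\s+dst=(?P<dst>\S+)")


def scan_log(text):
    """Return (user, domain, verdict, vendor) for every suspicious log line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        verdict, vendor = classify(m["dst"])
        if verdict not in ("trusted", "unrelated"):
            hits.append((m["user"], m["dst"], verdict, vendor))
    return hits


if __name__ == "__main__":
    for user, dom, verdict, vendor in scan_log(SAMPLE_LOG):
        print(f"{verdict:10} {dom:20} impersonates {vendor} (seen from {user})")
```

Running it on the sample log reports the .org swap, the "vv" homoglyph and the dropped-letter typosquat, while the genuine vendor download and the unrelated news site are left alone. In production the allowlist would be the list of software vendors whose installers staff are permitted to fetch, and a hit on a download path is the case worth paging on, since that is exactly where a trojanised bundle arrives.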
The RomCom RAT appears to be connected with Cuba Ransomware (aka COLDRAW) and Industrial Spy, two ransomware groups. Cuba Ransomware has been around since December 2019, while Industrial Spy is a relatively new group that emerged in April 2022.
Businesses of all sizes can protect themselves by using a defence-in-depth approach to security. Threats like RomCom RAT can sometimes be avoided by training employees on how to better identify and respond to phishing campaigns.
However, businesses should also make room for error. Deciding which links to avoid is not a science. That’s where layers of defence come in: browser extensions like BrowserGuard can prevent users from accessing phishing sites, and trusted and effective antimalware software like Malwarebytes Endpoint Protection, installed on every endpoint, can stop malicious software from running.
Check out BlackBerry’s research for a full list of Indicators of Compromise.