RomCom RAT campaigns—attributed to a likely nation-state or state-affiliated actor—have been highly active since early 2022, targeting Ukraine-related figures and NATO-related events while evolving tactics to evade detection. The report provides behavioral detection tips, Sigma rules, and IoCs to help defenders monitor RomCom’s operations, including NATO summit-related activity and healthcare-targeted campaigns.
Keypoints
- The RomCom campaign appears to be linked to a nation-state or state-affiliated actor and has intensified since Russia’s invasion of Ukraine.
- Campaigns targeted Ukrainian politicians and U.S.-based healthcare organizations aiding Ukrainian refugees, including an operation built around the NATO summit in Vilnius.
- Delivery relies on Trojanized (“melted”) legitimate applications, including a fake Remote Desktop Manager installer, to drop the payload stages.
- Indicators of compromise include a fixed drop directory (C:\Users\Public\Libraries), the .tmp and .dll artifacts written there, and the Sysmon events shown in the report.
- Persistence and defense-evasion techniques include COM hijacking (a rogue PSFactoryBuffer registration), DLLs loaded from unusual paths, and Run keys/Windows services for startup.
- Detection content includes Sigma rules, YARA rules, and practical IoCs to aid defenders, covering the NATO summit-focused loader and its stage payloads.
MITRE Techniques
- [T1587] Develop Capabilities – Weaponization and technical overview:
“Weapons, Exploits, Malicious OLE, Trojanized legitimate applications, x64 DLL payloads” … to support operations; weaponization context is described in the report.
- [T1566] Phishing – Initial access via social engineering and spear-phishing:
“The group was observed deploying a range of techniques, from spreading through melted (Trojanized) applications via social engineering, to spear-phishing emails sent to people attending the last NATO summit in Vilnius.”
- [T1218.011] System Binary Proxy Execution: Rundll32 – DLL loading via a legitimate signed system executable, which the report flags as atypical for this group:
“The use of Rundll32.exe to load Dynamic Link Libraries (DLLs) is not a common behavior observed in RomCom campaigns.”
- [T1204] User Execution – Victim executes the payload, which drops further stages and files:
“Upon the user’s execution of the payload, a series of files are generated…”
- [T1071.001] Application Layer Protocol: Web Protocols – C2 communications over plain HTTP:
“HTTP GET request to hxxp://finformservice[.]com:80/api/v1.5/”
- [DS0009] Process (Process Creation) – Sysmon Event ID 1 telemetry and parent-child relationships used for detection:
“Sysmon event for the process creation with a parent process from Public\Libraries.”
- [T1547.001] Registry Run Keys and [T1543.003] Windows Service – Persistence via a Run key and a service hosted by the DcomLaunch svchost group:
“SOFTWARE\Microsoft\Windows\CurrentVersion\Run … Windows Services under the group: C:\Windows\System32\svchost.exe -k DcomLaunch.”
- [T1036] Masquerading – Trojanized installer carrying a legitimate product name and version:
“Installer.RemoteDesktopManager.2022.3.35.0.exe” and related installer context.
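The behaviours listed above (stages dropped under C:\Users\Public\Libraries, rundll32 loading a DLL from that directory, a Run key or a per-user COM InprocServer32 registration pointing there, and the HTTP C2 indicators) can be turned into a small behavioural triage over Sysmon events. The following is an added example written for this page, not BlackBerry's Sigma/YARA content; the sample events are constructed, and the DLL name, SID and CLSID values in them are placeholders, not indicators from the report.

```python
"""Behavioural triage of Sysmon events for RomCom-style tradecraft.

Added example, not the report's own detection content. Sample events are
constructed; stage.dll, the SID and the CLSIDs below are placeholders.
"""
import re

# Drop directory the report ties to RomCom stages.
PUBLIC_LIBRARIES = re.compile(r"\\users\\public\\libraries\\", re.IGNORECASE)
# Per-user Run key (Sysmon writes user hives as HKU\<SID>\...).
RUN_KEY = re.compile(
    r"^hku\\[^\\]+\\software\\microsoft\\windows\\currentversion\\run\\", re.IGNORECASE)
# COM hijack: an InprocServer32 registered under a user hive (HKCU wins over HKLM
# at lookup time) whose server DLL lives in a user-writable path.
USER_INPROC = re.compile(
    r"^hku\\[^\\]+\\software\\classes\\clsid\\\{[0-9a-f-]+\}\\inprocserver32", re.IGNORECASE)
USER_WRITABLE = re.compile(r"^(c:\\users\\|c:\\programdata\\|c:\\windows\\temp\\)", re.IGNORECASE)
# Network IoCs from the report (defanged in the text, plain here so they compare).
C2_DOMAIN = "finformservice.com"
C2_IP = "65.21.27.250"


def evaluate(ev: dict) -> list[str]:
    """Return the names of the behavioural rules that a single Sysmon event trips."""
    hits = []
    eid = ev.get("EventID")
    if eid == 1:  # process creation
        if PUBLIC_LIBRARIES.search(ev.get("ParentImage", "")):
            hits.append("parent_in_public_libraries")
        if (ev.get("Image", "").lower().endswith("\\rundll32.exe")
                and PUBLIC_LIBRARIES.search(ev.get("CommandLine", ""))):
            hits.append("rundll32_dll_from_public_libraries")
    elif eid == 7:  # image loaded
        if PUBLIC_LIBRARIES.search(ev.get("ImageLoaded", "")):
            hits.append("dll_loaded_from_public_libraries")
    elif eid == 13:  # registry value set
        target = ev.get("TargetObject", "")
        details = ev.get("Details", "").strip('"')
        if RUN_KEY.search(target) and PUBLIC_LIBRARIES.search(details):
            hits.append("run_key_to_public_libraries")
        if USER_INPROC.search(target) and USER_WRITABLE.search(details):
            hits.append("com_hijack_user_inprocserver32")
    elif eid == 3:  # network connection
        if (ev.get("DestinationIp") == C2_IP
                or ev.get("DestinationHostname", "").lower() == C2_DOMAIN):
            hits.append("c2_network_ioc")
    elif eid == 22:  # DNS query
        if ev.get("QueryName", "").lower() == C2_DOMAIN:
            hits.append("c2_dns_ioc")
    return hits


def triage(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> rule hits for every event that tripped at least one rule."""
    flagged = {}
    for i, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            flagged[i] = hits
    return flagged


# Constructed sample telemetry: four suspicious events followed by two benign ones.
SID = r"S-1-5-21-1-2-3-1001"  # placeholder user SID
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\Libraries\stage.dll,Start",
     "ParentImage": r"C:\Users\Public\Libraries\Installer.RemoteDesktopManager.2022.3.35.0.exe"},
    {"EventID": 13,  # placeholder CLSID, not the PSFactoryBuffer CLSID from the report
     "TargetObject": r"HKU\%s\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32\(Default)" % SID,
     "Details": r"C:\Users\Public\Libraries\stage.dll"},
    {"EventID": 13, "TargetObject": r"HKU\%s\Software\Microsoft\Windows\CurrentVersion\Run\Updater" % SID,
     "Details": r"rundll32.exe C:\Users\Public\Libraries\stage.dll,Start"},
    {"EventID": 3, "DestinationIp": "65.21.27.250", "DestinationPort": 80,
     "DestinationHostname": "finformservice.com"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 13,  # machine-wide registration of a System32 server: normal, not flagged
     "TargetObject": r"HKLM\Software\Classes\CLSID\{66666666-7777-8888-9999-000000000000}\InprocServer32\(Default)",
     "Details": r"C:\Windows\System32\oleaut32.dll"},
]

if __name__ == "__main__":
    for idx, rules in triage(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(rules)}")
```

The rules are hunt-quality heuristics rather than high-fidelity signatures: Public\Libraries is occasionally used by legitimate installers, so the process-parent and DLL-load rules should be corroborated by the registry or network hits before escalating, and the COM rule deliberately ignores HKLM registrations, which is where legitimately installed servers live.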
Indicators of Compromise
- [Hash] 6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d – Main melted binary used in the campaign
- [Hash] a61b2eafcf39715031357df6b01e85e0d1ea2e8ee1dfec241b114e18f7a1163f – Additional associated binary
- [Hash] e7cfeb023c3160a7366f209a16a6f6ea5a0bc9a3ddc16c6cba758114dfe6b539 – Related artifact
- [File Name] Installer.RemoteDesktopManager.2022.3.35.0.exe – Main Trojanized installer in the Public Libraries path
- [File Name] Overview_of_UWCs_UkraineInNATO_campaign.docx – Document artifact linked to the NATO-focused campaign
- [IP] 65.21.27[.]250 – C2 address resolved during loader activity
- [Domain] finformservice[.]com – C2 domain resolved during loader activity
Read more: https://blogs.blackberry.com/en/2023/07/decoding-romcom-behaviors-and-opportunities-for-detection