RomCom RAT: Not Your Typical Love Story – K7 Labs

Analysis of a RomCom RAT sample shows it was delivered by a digitally signed installer (signed by Noray Consulting Ltd), drops VMProtect-packed DLLs under C:\Users\Public\Libraries, and uses multiple anti-analysis checks before contacting a C2 at startleauge.net. The malware performs XOR string decryption for configuration and filenames, abuses WinHTTP for proxy-aware C2 communication and file download, and performs local reconnaissance (file and process enumeration). #RomComRAT #NorayConsultingLtd #startleauge_net

Keypoints

  • The installer was digitally signed by Noray Consulting Ltd and drops RomCom payloads to C:\Users\Public\Libraries.
  • Dropped DLLs are VMProtect-packed, indicating strong packing/obfuscation to hinder static analysis.
  • The binary performs multiple anti-analysis checks (PEB inspection, debugger timing via QueryPerformanceCounter, IsProcessorFeaturePresent) and uses locale checks to exit on zh-CN/zh-TW/ko-KR/ja-JP.
  • It sets environment variables to influence DLL loading order (DLL search order manipulation) and keeps configuration strings encrypted, using basic XOR decryption at runtime.
  • Network behavior: reads IE proxy via WinHttpGetIEProxyConfigForCurrentUser, decrypts C2 domain (startleauge.net), uses WinHTTP (WinHttpReadData) for C2 communication and file download.
  • Performs local reconnaissance (file enumeration via FindFirstFileA/FindNextFileA; process enumeration via CreateToolhelp32Snapshot + Process32First/Next) and checks RDP sessions using ProcessIdToSessionId.

MITRE Techniques

  • [T1497] Virtualization/Sandbox Evasion – uses PEB inspection and debugger checks to detect analysis (‘the malware accesses the Process Environment Block (PEB) using gs:60h… then the current process is checked if it is being run under a debugger.’).
  • [T1027] Obfuscated Files or Information – stores static configuration and strings encrypted and decrypts them at runtime (‘The malware keeps all the static data like url, client header, registry value, filename encrypted, which is decrypted as shown in Figure 11.’).
  • [T1574.002] DLL Search Order Hijacking – alters environment/DLL loading order to load DLLs from alternate locations (‘sample under consideration has the ability to set an Environment Variable… bypass the normal order of loading a DLL and loading it from another location.’).
  • [T1057] Process Discovery – enumerates running processes via CreateToolhelp32Snapshot and Process32FirstW/Process32NextW (‘It uses CreateToolhelp32Snapshot and then iterates through the process using Process32FirstW and Process32NextW which is used to list all the running processes.’).
  • [T1083] File and Directory Discovery – traverses filesystem with FindFirstFileA/FindNextFileA to collect filenames for exfiltration (‘It traverses the file system using FindFirstFileA, FindNextFileA and collects a list of filenames and sends it to C2.’).
  • [T1071.001] Application Layer Protocol: Web Protocols – communicates with C2 over HTTP(S)/web protocols using WinHTTP (‘WinHttpGetIEProxyConfigForCurrentUser API is used… RomCom RAT uses WinHttpReadData API to download any file which is pushed by the C2.’).
  • [T1218] Signed Binary Proxy Execution – uses legitimate signed system binaries (rundll32.exe) for execution (‘Decrypted Rundll32 path – C:\Windows\System32\rundll32.exe’).
  • [T1041] Exfiltration Over C2 Channel – sends collected filenames/process lists to C2 and supports downloading payloads from C2 (‘collects a list of filenames and sends it to C2’ and ‘RomCom RAT uses WinHttpReadData API to download any file which is pushed by the C2.’).

Indicators of Compromise

  • [File Hashes] sample detections – 007A67BFA732084B3F8278B302BEF49E, 6F47723E5FC6E96AB5E9F96F6BC585FA, and 1 more hash
  • [C2 Domain] command-and-control – startleauge.net
  • [File Paths / Names] dropped files and utilities – C:\Users\Public\Libraries (drop location), decrypted filename 3proxy.exe
  • [Packed DLL] VMProtect-packed DLL – netid7*.dll (high entropy / VMProtect)
  • [System Binary] signed/legitimate binary used – C:\Windows\System32\rundll32.exe (decrypted path)
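The indicators above can be turned into host-based detection logic. The script below is an added example (not K7 Labs' code): it evaluates Sysmon-style events (EventID 1 process creation, 7 image load, 22 DNS query, using Sysmon's real field names) against the IoCs on this page: execution from C:\Users\Public\Libraries, rundll32.exe being pointed at that directory, DLL loads from it or matching netid7*.dll, the two listed MD5 hashes, and DNS lookups of startleauge.net. The event records are constructed; the rundll32 export name, the user names and the rundll32 hash value are placeholders, not observed data.

```python
import fnmatch
from typing import Dict, List, Tuple

DROP_DIR = r"c:\users\public\libraries"            # drop location from the report
C2_DOMAIN = "startleauge.net"                       # C2 domain from the report
PACKED_DLL_GLOB = "netid7*.dll"                     # VMProtect-packed DLL name pattern
IOC_MD5 = {                                         # file hashes listed in the report
    "007a67bfa732084b3f8278b302bef49e",
    "6f47723e5fc6e96ab5e9f96f6bc585fa",
}

Event = Dict[str, object]


def _md5_from_hashes(field: str):
    """Extract the MD5 from a Sysmon 'Hashes' field such as 'MD5=...,SHA256=...'."""
    for part in field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "MD5":
            return value.strip().lower()
    return None


def _under_drop_dir(path: str) -> bool:
    return path.lower().startswith(DROP_DIR + "\\")


def evaluate(events: List[Event]) -> List[Tuple[str, Event]]:
    """Return (rule_name, event) pairs for every event matching a RomCom indicator."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1:                                               # process creation
            img = str(ev.get("Image", ""))
            cmd = str(ev.get("CommandLine", "")).lower()
            if _under_drop_dir(img):
                hits.append(("exec-from-public-libraries", ev))
            if _md5_from_hashes(str(ev.get("Hashes", ""))) in IOC_MD5:
                hits.append(("known-romcom-hash", ev))
            if img.lower().endswith("\\rundll32.exe") and DROP_DIR in cmd:
                hits.append(("rundll32-pointed-at-public-libraries", ev))
        elif eid == 7:                                             # image (DLL) load
            loaded = str(ev.get("ImageLoaded", ""))
            base = loaded.rsplit("\\", 1)[-1].lower()
            if _under_drop_dir(loaded) or fnmatch.fnmatch(base, PACKED_DLL_GLOB):
                hits.append(("dll-load-from-drop-dir-or-netid7", ev))
        elif eid == 22:                                            # DNS query
            if str(ev.get("QueryName", "")).lower().rstrip(".") == C2_DOMAIN:
                hits.append(("c2-domain-lookup", ev))
    return hits


# Constructed telemetry for the demo. Export name "Main", user names and the
# all-zero rundll32 hash are placeholders, not values from the real sample.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\Libraries\netid7a.dll,Main",
     "Hashes": "MD5=00000000000000000000000000000000"},
    {"EventID": 7, "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\netid7a.dll"},
    {"EventID": 1, "Image": r"C:\Users\Public\Libraries\3proxy.exe",
     "CommandLine": "3proxy.exe"},
    {"EventID": 1, "Image": r"C:\Users\alice\Downloads\setup.exe",
     "Hashes": "MD5=007A67BFA732084B3F8278B302BEF49E,SHA256=" + "0" * 64},
    {"EventID": 22, "Image": r"C:\Windows\System32\rundll32.exe",
     "QueryName": "startleauge.net"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},                               # benign, no hit
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},          # benign, no hit
]


if __name__ == "__main__":
    for rule, ev in evaluate(SAMPLE_EVENTS):
        print(f"{rule:40s} {ev.get('Image')}")
```

The path rules are the durable part of this logic: hashes and the domain change between campaigns, but a signed system binary loading DLLs out of C:\Users\Public\Libraries is unusual on any managed endpoint and is worth alerting on independently of this sample.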

RomCom’s execution flow begins with a signed installer that writes VMProtect-packed DLLs and executables into C:\Users\Public\Libraries. At startup the sample accesses the Process Environment Block (PEB) and checks OS build fields, tests for debugger presence and timing anomalies using QueryPerformanceCounter, and calls IsProcessorFeaturePresent (argument 0x17) to detect specific processor features; it also reads GetOEMCP and exits if the locale matches zh-CN/zh-TW/ko-KR/ja-JP to avoid running in those environments. The malware can set environment variables to influence DLL loading and uses a basic XOR-based routine to decrypt static strings (examples in the original: encrypted filename -> decrypts to 3proxy.exe; encrypted rundll32 path -> decrypts to C:\Windows\System32\rundll32.exe).
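The paragraph above says the sample's strings are protected with a basic XOR routine and gives two known plaintexts (3proxy.exe and the rundll32 path). The report does not publish the key or the ciphertext, so the following is an added analyst example, not the malware's routine: it implements repeating-key XOR and shows how one known decrypted string is enough to recover the key and then decrypt the remaining blobs. The key and the encrypted byte strings are constructed here for the demo.

```python
from itertools import cycle
from typing import Optional


def xor_crypt(buf: bytes, key: bytes) -> bytes:
    """XOR buf against a repeating key. Symmetric: the same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(buf, cycle(key)))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> Optional[bytes]:
    """Known-plaintext recovery for repeating-key XOR.

    The first key_len bytes of ciphertext XOR plaintext give a key candidate; it is
    accepted only if it also decrypts the rest of the known plaintext correctly.
    """
    if key_len <= 0 or len(known_plaintext) < key_len or len(ciphertext) < len(known_plaintext):
        return None
    candidate = bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))
    if xor_crypt(ciphertext[: len(known_plaintext)], candidate) != known_plaintext:
        return None
    return candidate


def guess_key(ciphertext: bytes, known_plaintext: bytes, max_len: int = 16) -> Optional[bytes]:
    """Try key lengths from 1 upward and return the shortest consistent key."""
    for n in range(1, max_len + 1):
        key = recover_key(ciphertext, known_plaintext, n)
        if key is not None:
            return key
    return None


# Constructed demo material: an assumed 3-byte key and the two strings the report
# says the sample decrypts. The real sample's key and ciphertext are not published.
DEMO_KEY = bytes([0x5A, 0x13, 0x88])
ENC_FILENAME = xor_crypt(b"3proxy.exe", DEMO_KEY)
ENC_RUNDLL = xor_crypt(b"C:\\Windows\\System32\\rundll32.exe", DEMO_KEY)


if __name__ == "__main__":
    # An analyst who has only the decrypted filename (from a debugger or a memory dump)
    # recovers the key from it, then decrypts the blobs whose plaintext is unknown.
    key = guess_key(ENC_FILENAME, b"3proxy.exe")
    print("recovered key:", key.hex() if key else None)
    print("decrypted path:", xor_crypt(ENC_RUNDLL, key).decode())
```

The recovery only works because the known plaintext (10 bytes) is at least as long as the key, which is the usual situation with filenames and URLs; for a longer key, a longer known string such as the rundll32 path is needed first. Single-byte XOR, which the phrase "basic XOR" may also mean, is just the key_len=1 case of the same routine.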

For network and reconnaissance activity, RomCom reads the current user’s IE proxy settings via WinHttpGetIEProxyConfigForCurrentUser, decrypts its C2 hostname (startleauge.net), and communicates with the server using WinHTTP APIs (WinHttpReadData) to download pushed files. It performs local discovery by enumerating files with FindFirstFileA/FindNextFileA and processes with CreateToolhelp32Snapshot + Process32First/Process32Next, checks for active RDP sessions via ProcessIdToSessionId to possibly interact with logged-on sessions, and will retry C2 connections with sleep intervals if initial connections fail.

Read more: https://labs.k7computing.com/index.php/romcom-rat-not-your-typical-love-story/