RomCom Resurfaces: Targeting Politicians in Ukraine and U.S.-Based Healthcare Providing Aid to Refugees from Ukraine

MITRE Techniques

• [T1566.002] Spearphishing Link – The fake domain and cloned website approach aligns with targeted phishing that directs victims to a Trojanized installer. Quote: “previous RomCom attacks used targeted phishing emails to point a victim to a cloned website hosting Trojanized versions of popular software.”
• [T1189] Drive-by Compromise – Initial access via a faked/cloned website and typosquatting used to imitate legitimate sites. Quote: “The fake domain utilized a form of typosquatting to attempt to appear as close to the real one as possible.”
• [T1598.002] Acquire Infrastructure – C2 and hosting infrastructure used to support RomCom operations (e.g., rdp-devolutions.com hosting, startleague.net as C2). Quote: “The domain rdp-devolutions[.]com is to host RomCom’s cloned website, both hosting and delivering a Trojanized/fake version of the Devolutions’ Remote Desktop Manager software.”
• [T1218] Signed Binary Proxy Execution – The Trojanized installer is executed via RunDLL32, enabling stealthy execution of the payload. Quote: “The core RomCom binary is executed via the Windows host process RunDLL32 in the background.”
• [T1036] Masquerading – The Trojanized installer masquerades as legitimate software with a valid digital signature. Quote: “The Trojanized main setup file… is signed by an in-date digital signature.”
• [T1027] Obfuscated/Compressed Files and Information – RomCom uses obfuscation to thwart static analysis. Quote: “improvements were made to its obfuscation to thwart static analysis.”
• [T1071.001] Web Protocols – C2 communication over HTTP via WinHTTP, as evidenced by statements like “Request sent via the WinHTTP API.”
• [T1082] System Information Discovery – After installation, RomCom enumerates host/user data to send to C2. Quote: “enumerate the infected host and gather some basic host and user metadata.”