RomCom threat actor campaigns spoof SolarWinds, KeePass, and PDF Reader Pro to deliver RomCom RAT, focusing on Ukraine with possible targets in the United Kingdom. Researchers note connections to Cuba Ransomware and Industrial Spy, while clarifying that vendors were not compromised and legitimate companies are not involved. #RomCom #RomComRAT #SolarWinds #KeePass #PDFReaderPro #CubaRansomware #IndustrialSpy #UnitedKingdom #Ukraine
Key points
- RomCom campaigns impersonate SolarWinds Network Performance Monitor, KeePass, and PDF Reader Pro to drop RomCom RAT.
- Ukraine remains the primary target; some English-speaking countries, including the United Kingdom, are also targeted.
- The attack chain includes spoofing legitimate sites, Trojanizing apps, malicious bundles, and targeted phishing emails.
- SolarWinds campaign uses a Trojanized SolarWinds NPM bundle (Solarwinds-Orion-NPM-Eval.zip) with embedded RomCom RAT components and a stolen/dubious code-signing certificate.
- KeePass campaign drops KeePass-2.52.zip via a fake KeePass.org site, with Setup.exe launching the RomCom RAT dropper.
- A new C2 domain and SSL certificates that appear UK-owned indicate the infrastructure is expanding; the researchers also note ties to Cuba Ransomware and Industrial Spy.
- IoCs include specific file names and hashes for Solarwinds-Orion-NPM-Eval.zip, KeePass-2.52.zip, and RomCom components, plus a domain (combinedresidency.org) used as C2.
MITRE Techniques
- [T1566.001] Phishing – the campaigns deliver targeted phishing emails to victims. Evidence: “deploying targeted phishing emails to the victims.”
- [T1036] Masquerading – a legitimate application is Trojanized so the payload passes as trusted software. Evidence: “Trojanizing a legitimate application” and “a Trojanized version of the SolarWinds Network Performance Monitoring (NPM) application.”
- [T1116] Code Signing – the payload is signed with a valid-looking but suspicious code-signing certificate. Evidence: “The ‘Solarwinds-Orion-NPM-Eval.exe’ contains a digital certificate from ‘Wechapaisch Consulting & Construction Limited.’”
- [T1218.011] Signed Binary Proxy Execution: Rundll32 – the dropper executes the RomCom RAT through rundll32.exe, a signed Windows binary. Evidence: “This DLL invokes ‘rundll32.exe’ and runs the ‘fwdTst’ export, which drops x64 RomCom RAT…”
- [T1071.001] Web Protocols – command-and-control traffic runs over web protocols wrapped in SSL/TLS. Evidence: “SSL certificates that emulate UK ownership”, indicating C2 over SSL.
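The two host-side behaviours above that a detection engineer can key on are rundll32.exe being handed a DLL with the `fwdTst` export and a binary carrying the reported certificate subject. The following is an added example, not code from the BlackBerry write-up: it parses constructed EDR-style process-creation events (the event fields, process ids, paths, `example.dll` name and the benign rows are all assumptions) and flags those two behaviours, labelling each finding with the technique IDs used in this summary.

```python
"""Behavioural checks for the RomCom execution chain described above.

Added example; not code from the BlackBerry write-up. The event format,
pids, file paths and benign rows are constructed assumptions. The logic
keys on two facts stated in the write-up: rundll32.exe running a DLL's
``fwdTst`` export, and a payload signed as
"Wechapaisch Consulting & Construction Limited".
"""
import re
from dataclasses import dataclass

# rundll32 takes "<dll>,<export>"; the DLL path may be quoted and there may
# be whitespace around the comma, so the parser tolerates both forms.
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>[A-Za-z_][\w@#]*)',
    re.IGNORECASE,
)
SUSPICIOUS_EXPORTS = {"fwdtst"}   # export name reported for the RomCom dropper DLL
SUSPICIOUS_SIGNERS = {"wechapaisch consulting & construction limited"}

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\example.dll", fwdTst',
     "signer": None},
    {"pid": 4121, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL",   # ordinary benign use
     "signer": "Microsoft Windows"},
    {"pid": 4122, "image": r"C:\Users\alice\Downloads\Solarwinds-Orion-NPM-Eval.exe",
     "cmdline": r"Solarwinds-Orion-NPM-Eval.exe",
     "signer": "Wechapaisch Consulting & Construction Limited"},
]


@dataclass
class Finding:
    pid: int
    technique: str
    detail: str


def parse_rundll32(cmdline):
    """Return (dll, export) from a rundll32 command line, or None if absent."""
    m = RUNDLL32_RE.search(cmdline)
    if not m:
        return None
    return m.group("dll").strip(), m.group("export")


def check_event(ev):
    """Apply both checks to one event and return the list of findings."""
    findings = []
    if ev["image"].lower().endswith("rundll32.exe"):
        parsed = parse_rundll32(ev["cmdline"])
        if parsed and parsed[1].lower() in SUSPICIOUS_EXPORTS:
            findings.append(Finding(ev["pid"], "T1218.011",
                                    f"rundll32 invoked export {parsed[1]} from {parsed[0]}"))
    signer = (ev.get("signer") or "").strip().lower()
    if signer in SUSPICIOUS_SIGNERS:
        findings.append(Finding(ev["pid"], "T1116",
                                f"binary signed by reported certificate subject: {ev['signer']}"))
    return findings


def scan_events(events):
    return [f for ev in events for f in check_event(ev)]


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"pid={f.pid} {f.technique}: {f.detail}")
```

Matching on the export name is deliberately narrow: rundll32 with an unusual export is a much lower-noise signal than rundll32 alone, as the benign `Control_RunDLL` row shows, and the signer check fires on the certificate subject regardless of whether the chain validates.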
Indicators of Compromise
- [File Name] Solarwinds-Orion-NPM-Eval.zip, KeePass-2.52.zip (and other RomCom artifacts observed in the campaign)
- [MD5] 7c003b4f8b3c0ab0c3f8cb933e93d301, 1a21a1e626fd342e794bcc3b06981d2c
- [SHA256] 246dfe16a9248d7fb90993f6f28b0ebe87964ffd2dcdb13105096cde025ca614, 596eaef93bdcd00a3aedaf6ad6d46db4429eeba61219b7e01b1781ebbf6e321b
- [File Name] RomCom RAT Dropper, RomCom RAT Launcher (Setup.exe), RomCom RAT Payload
- [MD5] cb933f1c913144a8ca6cfcfd913d6d28, 6310a2063687800559ae9d65cff21b0a, 4e4eca58b896bdb6db260f21edc7760a
- [SHA256] ac09cbfee4cf89d7b7a755c387e473249684f18aa699eb651d119d19e25bff34, f7013ce417fcba0f36c4b9bf5f8f6e0e2b14d6ed33ff4d384c892773508e932e, abe9635adbfee2d2fbaea140625c49abe3baa29c44fb53a65a9cda02121583ee
- [Domain] combinedresidency.org – C2 domain used by RomCom
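To turn the indicator list into a sweep, the hashes need case-insensitive matching, the domain needs to match subdomains without matching look-alike suffixes, and a file-name hit without a hash should be reported at lower confidence than a hash hit. The block below is an added example, not code from the BlackBerry write-up: the hashes, file names and C2 domain are taken from the list above, while the file events, DNS log format, host names and the benign entries are constructed assumptions.

```python
"""Sweep constructed host logs for the RomCom indicators listed above.

Added example; not code from the BlackBerry write-up. Hashes, file names and
the C2 domain come from the indicator list; the event layout, host names,
DNS log format and benign rows are constructed for the demonstration.
"""
import re

IOC_MD5 = {
    "7C003B4F8B3C0AB0C3F8CB933E93D301", "1a21a1e626fd342e794bcc3b06981d2c",
    "CB933F1C913144A8CA6CFCFD913D6D28", "6310A2063687800559AE9D65CFF21B0A",
    "4E4ECA58B896BDB6DB260F21EDC7760A",
}
IOC_SHA256 = {
    "246DFE16A9248D7FB90993F6F28B0EBE87964FFD2DCDB13105096CDE025CA614",
    "596eaef93bdcd00a3aedaf6ad6d46db4429eeba61219b7e01b1781ebbf6e321b",
    "AC09CBFEE4CF89D7B7A755C387E473249684F18AA699EB651D119D19E25BFF34",
    "F7013CE417FCBA0F36C4B9BF5F8F6E0E2B14D6ED33FF4D384C892773508E932E",
    "ABE9635ADBFEE2D2FBAEA140625C49ABE3BAA29C44FB53A65A9CDA02121583EE",
}
IOC_FILENAMES = {"solarwinds-orion-npm-eval.zip", "keepass-2.52.zip"}
IOC_DOMAIN = "combinedresidency.org"


def norm_hash(h):
    """Hex digests appear in either case in the wild; compare in one form."""
    return h.strip().lower()


IOC_HASHES = {norm_hash(h) for h in IOC_MD5 | IOC_SHA256}


def domain_matches(qname, ioc=IOC_DOMAIN):
    """True for the domain itself or any subdomain; trailing dot tolerated.
    A suffix test alone would also hit e.g. notcombinedresidency.org, so the
    check requires either equality or a '.' boundary."""
    q = qname.strip().rstrip(".").lower()
    return q == ioc or q.endswith("." + ioc)


def match_file_event(ev):
    """('high', why) on a hash match, ('low', why) on a name-only match, else None."""
    for field in ("sha256", "md5"):
        h = ev.get(field)
        if h and norm_hash(h) in IOC_HASHES:
            return "high", f"{field} matches a RomCom indicator"
    name = ev["path"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name in IOC_FILENAMES:
        return "low", f"file name {name} matches an indicator; hash not available"
    return None


def match_file_events(events):
    hits = []
    for ev in events:
        r = match_file_event(ev)
        if r:
            hits.append({"host": ev["host"], "path": ev["path"],
                         "confidence": r[0], "reason": r[1]})
    return hits


# Constructed DNS log format: "<timestamp> <host> query <type> <qname>"
DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) query (?P<type>\S+) (?P<qname>\S+)$")


def match_dns(lines):
    hits = []
    for line in lines:
        m = DNS_RE.match(line)
        if m and domain_matches(m.group("qname")):
            hits.append({"ts": m.group("ts"), "host": m.group("host"), "qname": m.group("qname")})
    return hits


# Constructed sample data (hosts, paths and the placeholder hash are invented).
FILE_EVENTS = [
    {"host": "ws01", "path": r"C:\Users\alice\Downloads\KeePass-2.52.zip",
     "sha256": "596eaef93bdcd00a3aedaf6ad6d46db4429eeba61219b7e01b1781ebbf6e321b"},
    {"host": "ws02", "path": r"C:\Program Files\KeePass\KeePass.exe",
     "sha256": "00" * 32},                      # placeholder digest for a benign file
    {"host": "ws03", "path": r"C:\Users\bob\Desktop\Setup.exe",
     "sha256": "f7013ce417fcba0f36c4b9bf5f8f6e0e2b14d6ed33ff4d384c892773508e932e"},
    {"host": "ws05", "path": r"C:\Users\carol\Downloads\Solarwinds-Orion-NPM-Eval.zip"},
]
DNS_LOG = [
    "2022-11-02T10:14:03Z ws01 query A combinedresidency.org.",
    "2022-11-02T10:14:05Z ws01 query A cdn.combinedresidency.org",
    "2022-11-02T10:15:00Z ws02 query A combinedresidency.org.example.net",  # not a match
    "2022-11-02T10:16:00Z ws04 query A notcombinedresidency.org",           # not a match
]

if __name__ == "__main__":
    for h in match_file_events(FILE_EVENTS):
        print(f"{h['host']} [{h['confidence']}] {h['path']}: {h['reason']}")
    for d in match_dns(DNS_LOG):
        print(f"{d['host']} resolved {d['qname']} at {d['ts']}")
```

Name-only hits are kept but marked low confidence because `KeePass-2.52.zip` is a legitimate release file name; only the hash ties a copy to the Trojanized bundle, and a generic name such as `Setup.exe` is not worth matching on at all.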
Read more: https://blogs.blackberry.com/en/2022/11/romcom-spoofing-solarwinds-keepass