The threat actor known as RomCom has returned to the scene, targeting Ukrainian politicians and a healthcare organization in the United States involved with aiding refugees fleeing the war-torn country.
The deployment of this attack is through a trojanized version of Devolutions Remote Desktop Manager, which victims were likely encouraged to download after being directed to a cloned website through phishing tactics.
The threat group used a form of typosquatting to create a striking resemblance to the authentic site, according to the report from the BlackBerry Threat Research and Intelligence team.
By creating fake websites that closely resemble the legitimate software sites, RomCom can distribute malicious payloads to unsuspecting victims who download and install the compromised software, thinking it’s legitimate.
The trojanized installer begins installing malware after the user is prompted to select the destination path where they’d like the files to be installed. It then begins systematically collecting essential host and user metadata from the infected system, which is subsequently transmitted to its command-and-control (C2) server.
A Cyberattack With Geopolitical Motivations
The campaign strongly suggests that the motivation of this threat actor is not money, but rather a geopolitical agenda that is guiding its attack strategy and targeting methods.
Recon on what software targets use in order to deliver fake update notifications was part of the process, according to Dmitry Bestuzhev, senior director, CTI, BlackBerry. “In other words, the threat actor behind RomCom RAT relies on previous information about each victim, such as what software they use, how they use it, and the social or political programs they’re working on.”
The endgame is the exfiltration of sensitive information. “We saw RomCom targeting military secrets, such as unit locations, defensive and offensive plans, arms, [and] military training programs,” Bestuzhev notes.
He says with the US-based healthcare providing aid to the refugees from Ukraine, the targeted information included how that program works to determine who the refugees are — that includes the refugees’ personal information, which can be used for further attacks.
A RomCom You Haven’t Seen Before
Previous RomCom campaigns against the Ukraine military used fake Advanced IP Scanner software to deliver malware, and the group has also targeted English-speaking countries — especially the UK — with trojanized versions of popular software products, including SolarWinds Network Performance Monitor, KeePass Open-Source Password Manager, and PDF Reader Pro.
Callie Guenther, cyber threat research senior manager at Critical Start, explains that in the most recent campaigns, along with using different software, RomCom also adapted its C2 infrastructure to blend in with legitimate network traffic.
“This could involve using communication protocols commonly associated with political campaigns or healthcare organizations, making it more challenging to detect their malicious activities,” she says.
She adds that social media was an important part of the recent campaigns. “RomCom may employ phishing emails, spear-phishing, or other social engineering techniques tailored to the targeted individuals or organizations,” she explains.
For politicians, they could craft email messages impersonating political colleagues or officials, and in the case of the healthcare company, they might send emails posing as healthcare regulatory authorities or vendors of medical equipment or software.
Guenther says RomCom’s active development of new capabilities and techniques indicates a notable level of sophistication and adaptability.
“This suggests that their target selection may evolve as they refine their tactics and seek new opportunities for compromise,” she says.
How to Defend Against the RomCom APT
Mike Parkin, senior technical engineer at Vulcan Cyber, says the standard defense tactics apply here as they do with any attacker, regardless of whether they are cybercriminal or state sponsored.
“Keep patches up to date. Deploy following industry best practices and vendor ‘secure installation’ recommendations,” he says. “Make sure users are trained and cultivate a secure culture which makes them part of the solution rather than the most vulnerable part of the attack surface.”
Bestuzhev says the threat actor behind RomCom relies on social engineering and trust. So, employee training on how to spot spear phishing is also important.
“Secondly, it’s important to rely on a good cyber threat intelligence program providing contextual, anticipative, and actionable threat intelligence, such as behavior rules to detect RomCom’s ops in the systems, network traffic, and files,” he says. “With this context about RomCom, there is room for building an effective threat modeling based on the tactics, techniques, and procedures (TTP), and geopolitical developments.”