RomCom RAT Using Deceptive Web of Rogue Software Sites for Covert Attacks

Cyber Security Threat Summary:
“The threat actors behind RomCom RAT are leveraging a network of fake websites advertising rogue versions of popular software at least since July 2022 to infiltrate targets. Cybersecurity firm Trend Micro is tracking the activity cluster under the name Void Rabisu, which is also known as Tropical Scorpius (Unit 42) and UNC2596 (Mandiant). ‘These lure sites are most likely only meant for a small number of targets, thus making discovery and analysis more difficult,’ security researchers Feike Hacquebord, Stephen Hilt, Fernando Merces, and Lord Alfred Remorin said. Some of the impersonated apps spotted so far include AstraChat, Devolutions' Remote Desktop Manager, Gimp, GoTo Meeting, KeePass, OpenAI ChatGPT, Signal, Veeam Backup & Replication, and WinDirStat” (The Hacker News, 2023).

RomCom RAT was first documented by Palo Alto Networks Unit 42 in August 2022, which linked the malware to a financially motivated group associated with the Cuba ransomware. Despite the linkage, researchers at Trend Micro noted that the motives behind this group have changed with Void Rabisu targeting Ukraine and its allies since October 2022, notably after the start of the Russo-Ukraine war.

“Among the targets we have seen based on Trend Micro’s telemetry were a water utility company, entities in the financial and energy sectors, and an IT company in Ukraine. Outside Ukraine, other targets included a local government agency that supports Ukrainian refugees, a defense company in Europe, a high-profile European politician, several IT service providers in Europe and the US, a bank in South America, and a couple of targets located in Asia,” stated researchers at Trend Micro in a recent blog post.

In the attacks targeting Ukraine and its allies, RomCom was distributed via spoofed versions of legitimate software promoted using Google Ads. In other cases, researchers observed the use of spear-phishing emails to target victims including a member of a European parliament in March 2022.

Security Officer Comments:
Taking a closer look at RomCom, researchers noted that the malware is “divided into three components: a loader, a network component that interacts with the command-and-control (C&C) server, and a worker component that performs the actions on the victim’s machine.” Compared with the samples analyzed by Palo Alto’s Unit 42, the latest version of RomCom has evolved and now supports more than 40 commands (previous versions supported up to 20). Among the features RomCom supports are taking screenshots, retrieving browser cookies from various browsers (e.g., Google Chrome, Microsoft Edge, Mozilla Firefox, Yandex) using a stealer known as STEALDEAL, grabbing crypto wallet data, and stealing chat messages and FTP credentials.

To evade defenses and sandbox environments, the latest versions of RomCom are protected with VMProtect and employ malware signing and binary encryption. Furthermore, researchers note that RomCom can pad files retrieved from the C&C server with appended null bytes; some observed samples were 1.7 gigabytes in size. “Making the file bigger can be an attempt to avoid sandbox products or security software scanners that impose a file size limit,” stated researchers at Trend Micro.

Suggested Correction(s):
In general, users should avoid downloading software from third-party sites, as threat actors typically host domains offering fake software downloads to infect unsuspecting users with malicious payloads. It is also important that organizations train their employees on how to detect and avoid phishing emails, as these are also leveraged as an initial infection vector.

Trend Micro also recommends monitoring the following activity on endpoints to prevent potential RomCom infections:

    Downloading and executing MSI packages that contain entries in CustomAction tables referring to DLL exported functions
    Write access to SOFTWARE\Classes\CLSID\ under both HKEY_CURRENT_USER (HKCU) and HKEY_LOCAL_MACHINE (HKLM), which can be a sign of COM hijacking
    Initiation of localhost sockets by rundll32.exe, as RomCom DLLs are loaded by this process — we observed that RomCom listens on the port range 5554-5600 when setting up localhost sockets
    Binary padding with null bytes, a known technique to evade scanners. Although RomCom didn’t use this feature in our tests, it is present in command 5. We included a YARA ruleset to look for such files in our GitHub research repository.
    Binary padding with non-zero data, which we observed in one sample when it was dropping another. This alone is not malicious, but it is worth flagging once detected for further investigation.
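One way to check for the null-byte padding described in the list above, as an added example that is not part of the original post and is not Trend Micro's YARA ruleset: a Python scanner that reads a file's tail backwards in fixed chunks, so a multi-gigabyte sample like the 1.7 GB ones observed is never loaded into memory. The chunk size and the flagging thresholds (1 MiB and half the file) are assumptions chosen here for illustration, and the sample file is constructed by the code itself.

```python
"""Flag files whose tail is padded with null bytes (scanner-evasion padding)."""
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB read size; an assumption for this example, not a RomCom constant


def trailing_null_run(path: str, chunk: int = CHUNK) -> int:
    """Return how many consecutive 0x00 bytes sit at the very end of the file.

    Reads backwards chunk by chunk and stops at the first non-null byte, so the
    cost is proportional to the padding, not to the whole file.
    """
    size = os.path.getsize(path)
    run = 0
    with open(path, "rb") as fh:
        pos = size
        while pos > 0:
            step = min(chunk, pos)
            pos -= step
            fh.seek(pos)
            block = fh.read(step)
            stripped = block.rstrip(b"\x00")
            run += len(block) - len(stripped)
            if stripped:  # real data reached: the trailing run ends here
                break
    return run


def looks_padded(path: str, min_bytes: int = 1 << 20, min_ratio: float = 0.5) -> bool:
    """Heuristic: trailing nulls are large in absolute terms AND dominate the file.

    Both thresholds are assumptions for illustration; tune them to your corpus.
    """
    size = os.path.getsize(path)
    if size == 0:
        return False
    run = trailing_null_run(path)
    return run >= min_bytes and run / size >= min_ratio


def scan_sample(payload: bytes, pad: int, chunk: int = CHUNK) -> tuple:
    """Write a constructed sample (payload followed by `pad` null bytes), scan it, clean up."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(payload)
            fh.write(b"\x00" * pad)
        return trailing_null_run(path, chunk), looks_padded(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    # Constructed: a fake 4 KiB "executable" followed by just over 3 MiB of nulls.
    print(scan_sample(b"MZ" + b"A" * 4096, 3 * CHUNK + 17))
```

Non-zero padding, the last item in the list, cannot be spotted by this check; it needs a comparison against the file's declared structure (for example the PE section table) rather than a byte scan.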

RomCom IOCs: https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/e/void-rabisu’s-use-of-romcom-backdoor-shows-a-growing-shift-in-threat-actors’-goals-/ioc-list-void-rabisus-use-of-romcom-backdoor-shows-a-growing-shift-in-threat-actors-goals.txt

Link(s):
https://thehackernews.com/2023/05/romcom-rat-using-deceptive-web-of-rogue.html
https://www.trendmicro.com/en_us/re...com-backdoor-shows-a-growing-shift-in-th.html