RomCom Malware Campaign Expands with Impersonation of Legitimate Software

A recent investigation by Trend Micro has revealed a new wave of the RomCom malware campaign, which involves imposters creating websites that mimic well-known or fictional software. These malicious sites trick unsuspecting users into downloading and launching infected installers, leading to the installation of the RomCom malware.

Researchers from Trend Micro have been monitoring RomCom since the summer of 2022 and have observed that the threat actors behind the malware have enhanced its evasion techniques. The campaign now employs payload encryption, obfuscation, and incorporates new powerful commands to expand the malware's capabilities.

RomCom is primarily distributed through websites related to remote desktop management applications, making it likely that attackers are using phishing or social engineering tactics to target their victims.

Palo Alto Networks initially reported the first documented use of RomCom in August 2022, linking the attacks to a Cuba ransomware affiliate named 'Tropical Scorpius.' Trend Micro has identified the same actor and uses the name 'Void Rabisu' to track them.

In October 2022, Ukraine's CERT-UA reported that the RomCom malware was being used in targeted attacks against critical networks in the country. A report published by BlackBerry around the same time confirmed the association with Cuba ransomware and also highlighted victims in the United States, Brazil, and the Philippines.

The current RomCom campaign, as detailed by Trend Micro, lists various examples of websites used by the malware operators between December 2022 and April 2023. These sites impersonate legitimate software, including Gimp, Go To Meeting, ChatGPT, WinDirStat, AstraChat, System Ninja, and Devolutions' Remote Desktop Manager, among others.

The fake websites are promoted through targeted phishing emails and Google advertisements, with a significant number of victims located in Eastern Europe.

The malicious websites distribute trojanized MSI installers that appear to be legitimate apps but contain a malicious DLL file ("InstallA.dll"). When executed, this file extracts three additional DLLs to the victim's %PUBLIC%\Libraries folder, enabling command and control server communications and command execution.
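As an added illustration (not code from the Trend Micro report or this article), the drop behaviour described above can be turned into a simple hunting check over file-creation telemetry: flag DLLs written directly into %PUBLIC%\Libraries and any file named InstallA.dll. The Sysmon-style event records, the DLL names stage1.dll/stage2.dll and the `public_dir` parameter are constructed assumptions for the demo.

```python
"""Hunt for RomCom-style DLL drops in file-creation telemetry (added example)."""
import re

# Constructed Sysmon-style FileCreate (Event ID 11) records; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Users\Public\Libraries\stage1.dll"},   # constructed name
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Users\Public\Libraries\stage2.dll"},   # constructed name
    {"Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\InstallA.dll"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Users\Public\Libraries\readme.txt"},    # benign: not a DLL
    {"Image": r"C:\Program Files\Git\bin\git.exe",
     "TargetFilename": r"C:\Users\alice\src\build\helper.dll"},     # benign location
]

# Loader DLL name from the Trend Micro analysis quoted in the article.
LOADER_NAME = "installa.dll"


def check_event(event, public_dir=r"C:\Users\Public"):
    """Return the reasons (possibly none) this file-creation event looks RomCom-like."""
    target = event["TargetFilename"].replace("/", "\\")
    low = target.lower()
    reasons = []
    # Rule 1: a DLL written directly into %PUBLIC%\Libraries (the drop folder from
    # the report); subfolders are deliberately not matched to keep the rule tight.
    drop_dir = re.escape(public_dir.lower().rstrip("\\") + "\\libraries\\")
    if re.fullmatch(drop_dir + r"[^\\]+\.dll", low):
        reasons.append("dll_in_public_libraries")
    # Rule 2: the loader DLL name, wherever on disk it is written.
    if low.rsplit("\\", 1)[-1] == LOADER_NAME:
        reasons.append("installa_dll_name")
    return reasons


def hunt(events, public_dir=r"C:\Users\Public"):
    """Map each suspicious target path to the rules it triggered, in event order."""
    hits = {}
    for ev in events:
        reasons = check_event(ev, public_dir)
        if reasons:
            hits[ev["TargetFilename"]] = reasons
    return hits


if __name__ == "__main__":
    for path, why in hunt(SAMPLE_EVENTS).items():
        print(f"{path}: {', '.join(why)}")
```

Pass a different `public_dir` if the host's %PUBLIC% has been relocated; a hit here is a lead to triage (signer, parent process, network activity), not proof of compromise on its own.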

The latest version of the RomCom payload analyzed by Trend Micro demonstrates an increase in malicious commands, with the number growing from 20 to 42. These commands provide extensive capabilities to the attackers, including spawning processes with PID spoofing, data exfiltration, setting up proxies via SSH, and running hidden applications like AnyDesk.

Furthermore, Trend Micro has observed cases where RomCom installs additional malware payloads, such as screenshot-snapping tools, web browser cookies stealers, cryptocurrency wallet stealers, and instant messenger chat stealers.

To evade detection, RomCom employs VMProtect software for code protection and anti-VM capabilities. The malware also utilizes encryption for the payload, with the encryption key obtained from an external source. Additionally, the malware incorporates null bytes in its command and control communication to avoid detection by network monitoring tools.

The software downloaded from the malicious websites is signed using certificates issued to seemingly legitimate companies based in the U.S. and Canada, although these companies' websites contain fake or plagiarized content. Dror Liwer, co-founder of cybersecurity company Coro, shared a perspective on the threat:

“It has become standard operating procedure for threat actors that develop sophisticated attack methods for political purposes to monetize these techniques by either using them themselves for commercial purposes, or making them available for a fee on the dark web once their political usefulness has been maximized. The fact that a threat actor has political motivations should not lull us into a false sense of security. The techniques developed will end up in the market targeting businesses and individuals for profit.”

RomCom has been associated with ransomware, espionage, and warfare, and the motives of its operators remain unclear. Nevertheless, it poses a versatile threat capable of causing significant damage.

Trend Micro has provided a detailed list of indicators of compromise (IoCs) for the latest RomCom campaign and has released Yara rules to assist defenders in detecting and preventing these attacks.