
Analysis of the RomCom RAT Attack: Faking It to Make It

Posted by Marbenz Antonio on January 13, 2023

The RomCom RAT has been circulating – initially in Ukraine, targeting military installations, and now in English-speaking countries such as the United Kingdom.

Initially, the RomCom attack was spread through spear-phishing, but it has since progressed to include techniques such as mimicking legitimate domains and downloads of popular and trustworthy products.

This article will examine the current situation with RomCom, delve into the issues with digital impersonation, and provide guidance on how to secure software downloads.

RomCom RAT Realities

Contrary to its name, the RomCom RAT is not a light-hearted romantic comedy but a serious cyber-attack where unknown attackers mimic trusted software solutions to gain access to networks. According to The Hacker News, RomCom may be associated with the Cuba ransomware and Industry Spy attacks, as all three use a similar network configuration link. However, this could also be a tactic used by the attackers to distract from their true intentions. Once installed, the RAT has the capability of gathering information, taking screenshots, and sending them to a remote server.

Whatever connection it may have to cybercrime, the RomCom RAT’s main tactic is to target individuals. By creating legitimate-looking emails from trusted brands, RomCom tricks users into clicking on download links. Additionally, the RomCom RAT actually provides the software being requested, but it also includes a hidden payload. Because the files are often larger than 10 GB, they may not trigger automatic security measures and are instead passed on to security teams for review. Given that the software appears to be legitimate, it may be overlooked. This means that the staff members become both the first line of defense and the primary way for the attack to spread.

The RomCom RAT is malware that primarily targets individuals by disguising itself as legitimate emails from trusted brands. It tricks users into downloading software that contains a hidden payload. The large size of the files, often larger than 10 GB, may allow them to bypass automatic security measures and be overlooked by security teams. This makes the staff members the first line of defense and the primary way for the attack to spread, regardless of any connection it may have to cybercrime.

The Danger of Digital Doppelgangers: RomCom RAT

To distribute the RomCom RAT effectively, hackers impersonated several legitimate companies such as SolarWinds, KeePass, PDF Technologies, and Veeam by creating decoy websites with similar domain names to the real ones, and offering malware-infected software bundles that appeared to be the legitimate company’s application.

The impersonation of legitimate companies, such as SolarWinds, which recently agreed to pay $26 million in a settlement for the 2020 compromise of its Orion network management platform, and KeePass, which is a tool for keeping passwords safe, is particularly problematic. For example, the hackers created a spoofed version of the KeePass installer site, which offered multiple versions of the software for download, but these versions contained the “hlpr.dat” file that had the RomCom RAT dropper and a Setup.exe file that launches the dropper.
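The decoy domains described above only work if nobody checks them. The following is an added example (not code from the article or from any vendor named in it) of how a defender can triage download URLs against an allowlist of vendor domains: exact matches pass, homoglyph substitutions and near-miss spellings are flagged as lookalikes, and a brand name embedded in an unrelated registrable domain is flagged too. The allowlist, the confusable-character table and the similarity threshold are constructed for the example; a production version would use a public-suffix list rather than the last-two-labels guess used here.

```python
"""Lookalike-domain triage for download URLs (added example, not from the article)."""
import unicodedata
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Hypothetical allowlist of vendor domains the organisation downloads from.
# Constructed for this example; it is not a list taken from the article.
KNOWN_DOMAINS = {"solarwinds.com", "keepass.info", "veeam.com"}

# Digit and Cyrillic substitutions commonly used in lookalike registrations
# (constructed subset; extend as needed). Used only for comparison, never for lookup.
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})


def host_of(url: str) -> str:
    """Extract the lower-cased hostname, decoding punycode and dropping a leading 'www.'."""
    host = (urlsplit(url).hostname or "").lower()
    if host.startswith("xn--") or ".xn--" in host:
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    return host[4:] if host.startswith("www.") else host


def registrable(host: str) -> str:
    """Crude registrable-domain guess: the last two labels (no public-suffix list)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def fold(host: str) -> str:
    """Map confusable characters onto their ASCII look-alikes."""
    return unicodedata.normalize("NFKC", host).translate(HOMOGLYPHS)


def classify(url: str, known=KNOWN_DOMAINS, threshold: float = 0.8):
    """Return (verdict, matched_known_domain) for a download URL."""
    host = host_of(url)
    reg = registrable(host)
    if reg in known:
        return ("known", reg)
    # Same name once confusables are folded: a homoglyph lookalike.
    folded = registrable(fold(host))
    if folded in known:
        return ("lookalike", folded)
    # Near-miss spelling (dropped, added or swapped characters).
    best = max(known, key=lambda k: SequenceMatcher(None, folded, k).ratio())
    if SequenceMatcher(None, folded, best).ratio() >= threshold:
        return ("lookalike", best)
    # Brand name embedded in a different registrable domain.
    for k in known:
        if k.split(".")[0] in host:
            return ("lookalike", k)
    return ("unknown", None)


def triage(urls):
    """Classify every URL; returns {url: (verdict, known_domain)}."""
    return {u: classify(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample URLs; none of these are indicators taken from the article.
    for url, verdict in triage([
        "https://www.keepass.info/download.html",
        "https://so1arwinds.com/trial",
        "https://veeam.co/",
        "http://keepass-download.info/setup.zip",
        "https://example.org/file",
    ]).items():
        print(f"{verdict[0]:9} {url}  ->  {verdict[1]}")
```

A "lookalike" verdict is a trigger for review, not proof of malice (vendors do register regional variants), but a download URL that resolves to one should never be installed without the check against the vendor's genuine site.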

The key tactic used by RomCom is to bundle legitimate services with malware payloads. This makes it difficult for users to detect the malware, as the download includes the tool they requested. Unlike other attacks that may be flagged when the downloaded content is found to be different from what was expected, RomCom ensures that employees receive the solution they requested, but also receive a RAT with it.

In practice, this tactic creates a twofold issue. Firstly, the emails and websites appear legitimate, which may cause staff and security teams to not suspect them as malicious. Secondly, the inclusion of actual software along with the RAT tool may prolong the time between the infection and its detection.

Securing Software Downloads

The most straightforward way to avoid RAT infections would be to avoid downloading and installing any software. However, this is not a practical solution, as many tools, such as SolarWinds and KeePass, require regular updates to maintain their functionality. Additionally, teams rely on downloading solutions like PDF Reader Pro and other digital media managers to enhance their operational efficiency.

Therefore, businesses need to implement strategies to lower the security risks associated with software downloads, regardless of their origin or intended use.

The first strategy is to enable automatic updates for existing tools. This minimizes the risk of RAT infections by eliminating the need for staff to manually seek and install new versions of software. Since these updates come directly from the software provider’s servers, it is harder for attackers to interfere with the process.

Another important step is to implement strict download policies that apply to all staff members without exceptions. This is crucial because the recent RomCom SolarWinds attack not only replicated the company’s free trial download page but also included links to the real SolarWinds contact forms. So, if users filled them out, they would receive a response from actual SolarWinds staff. Meanwhile, the download itself was a malware-infected version of the legitimate tool, which contained the RomCom RAT.

This makes it difficult for even tech-savvy staff to identify the spoof and avoid the download. By limiting download permissions, the attack surface is reduced.

Finally, ongoing monitoring of IT environments is crucial to identify potential issues. For example, if a software download from a seemingly trustworthy company contains both the requested app and a hidden RAT, security teams that rely on the assumption that familiar software is safe may view this download as low risk, allowing the malware to operate undetected. By adopting a zero-trust approach, which assumes that all software poses a potential risk, teams are more likely to detect and eliminate malware, regardless of how it entered the system.
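The download policy and the zero-trust review described above can be made concrete as a check that every installer bundle must pass before anyone runs it. The following is an added example (not code from the article or from any vendor it names): it verifies the archive's SHA-256 against a vendor-published value, compares the archive contents against the expected manifest so that an extra file such as the `hlpr.dat` dropper from the KeePass spoof stands out, and routes oversized files to mandatory manual review instead of letting them skip scanning. The manifest, the size threshold and the two sample archives are constructed here; only the file names `Setup.exe` and `hlpr.dat` come from the article.

```python
"""Zero-trust triage of a downloaded installer bundle (added example, not from the article)."""
import hashlib
import io
import zipfile

# Hypothetical policy: anything above this size is not skipped but routed to
# mandatory manual review (the article notes very large files can evade scanners).
REVIEW_SIZE_BYTES = 2 * 1024 * 1024 * 1024  # 2 GiB, constructed threshold


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_archive(files: dict) -> bytes:
    """Build an in-memory ZIP; used only to construct the sample inputs below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def inspect_download(data: bytes, expected_sha256: str, manifest: set) -> list:
    """Return a list of findings; an empty list means the bundle passed every check."""
    findings = []
    if len(data) > REVIEW_SIZE_BYTES:
        findings.append("size-requires-manual-review")
    # The published hash must come from an out-of-band source, not the download page.
    if sha256_hex(data) != expected_sha256.lower():
        findings.append("hash-mismatch")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = {info.filename for info in zf.infolist() if not info.is_dir()}
    except zipfile.BadZipFile:
        findings.append("not-a-zip-archive")
        return findings
    # Anything the vendor does not ship is suspicious; anything missing is too.
    for name in sorted(names - manifest):
        findings.append(f"unexpected-file:{name}")
    for name in sorted(manifest - names):
        findings.append(f"missing-file:{name}")
    return findings


# Constructed sample: what the vendor ships vs. a trojanised copy that adds a dropper.
MANIFEST = {"Setup.exe", "README.txt"}
GENUINE = build_archive({"Setup.exe": b"MZ-genuine-installer", "README.txt": b"docs"})
GENUINE_SHA256 = sha256_hex(GENUINE)   # stands in for the vendor-published hash
TROJANISED = build_archive({
    "Setup.exe": b"MZ-launcher-that-runs-the-dropper",
    "README.txt": b"docs",
    "hlpr.dat": b"opaque-payload",      # file name from the KeePass spoof described above
})


if __name__ == "__main__":
    print("genuine:   ", inspect_download(GENUINE, GENUINE_SHA256, MANIFEST))
    print("trojanised:", inspect_download(TROJANISED, GENUINE_SHA256, MANIFEST))
```

Two points matter in practice. The reference hash has to be obtained separately from the download itself (the vendor's own site over TLS, signed release notes, a package repository), because a spoofed download page can publish a hash that matches its trojanised file. And the manifest comparison is deliberately strict: a bundle that ships the real product plus one extra file is exactly the case the article describes, and "the app works" is not evidence that the bundle is clean.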

Hope for a Happy Ending

The operators of RomCom RAT are using deception to gain access. By mimicking legitimate websites and disguising malware as functional tools, they aim to trick staff and infiltrate enterprise networks.

It is possible to prevent the spread of RomCom RAT. By implementing automatic updates, creating strict download policies, and adopting a zero-trust approach to detecting hidden threats, companies can keep their downloads secure.


Here at CourseMonster, we know how hard it may be to find the right time and funds for training. We provide effective training programs that enable you to select the training option that best meets the demands of your company.

For more information, please get in touch with one of our course advisers today or contact us at training@coursemonster.com
