RomCom Threat Actor Abuses KeePass and SolarWinds to Target Ukraine and Potentially the United Kingdom
Summary
The threat actor known as RomCom is running a series of new attack campaigns that take advantage of the brand power of SolarWinds, KeePass, and PDF Technologies. The BlackBerry Threat Research and Intelligence Team uncovered the campaigns while analyzing network artifacts unearthed during our recent report on RomComRAT, which was targeting Ukrainian military institutions through spoofed versions of Advanced IP Scanner software.
In our latest discovery, our team found RomCom impersonating the following products in their campaigns: SolarWinds Network Performance Monitor, KeePass Open-Source Password Manager, and PDF Reader Pro.
While Ukraine still appears to be the primary target of this campaign, we believe some English-speaking countries are being targeted as well, including the United Kingdom. This is based on the terms of service (TOS) of two of the malicious websites and the SSL certificates of a newly created command-and-control (C2).
Given the geography of the targets and the current geopolitical situation, it's unlikely that the RomCom RAT threat actor is cybercrime-motivated.
Attack Vector
In preparation for an attack, the RomCom threat actor performs the following simplified scheme: scraping the original legitimate HTML code from the vendor to spoof, registering a malicious domain similar to the legitimate one, Trojanizing a legitimate application, uploading a malicious bundle to the decoy website, deploying targeted phishing emails to the victims, or in some instances, using additional infector vectors, which we will go into in more detail below.
RomCom Weaponization
RomCom SolarWinds Network Performance Monitor Campaign
Take a look at the two screen shots below to see how the real SolarWinds NPM site and the spoofed site compare.
Figure 2 – Fake SolarWinds website
The deployment of this attack is through a Trojanized version of the SolarWinds Network Performance Monitoring (NPM) application. While downloading a free trial from the spoofed SolarWinds site, a legitimate registration form appears. If filled out, real SolarWinds sales personnel might contact the victim to follow up on the product trial. That technique misleads the victim into believing that the recently downloaded and installed application is completely legitimate. Instead, the victim has unknowingly downloaded a dropper for the malicious RomCom remote access Trojan (RAT).
Hashes (md5, sha-256) |
7c003b4f8b3c0ab0c3f8cb933e93d301 246dfe16a9248d7fb90993f6f28b0ebe87964ffd2dcdb13105096cde025ca614 |
File Name |
Solarwinds-Orion-NPM-Eval.zip |
File Size |
124,671,897 bytes |
Figure 3 – Extracted contents of "SolarWinds-Orion-NPM-Eval.zip"
The “Solarwinds-Orion-NPM-Eval.exe” file contains a digital certificate from “Wechapaisch Consulting & Construction Limited.” The threat actor previously used the same certificate information in the “advancedipscanner.msi” file, a detail which we uncovered in our previous investigation into this threat actor. It is important to note that the legitimate file is digitally signed by “SolarWinds Worldwide, LLC.”
The “Solarwinds-Orion-NPM-Eval.exe” contains three embedded x64 files in the resource section:
- X86 – Contains “c:\users\123\source\repos\ins_asi\win32\release\instlib.pdb,” the same PDB path we have previously seen in the “setup.exe” files.
- X87 – A clean, digitally signed, SolarWinds Orion installer.
- X88 – RomCom RAT dropper. This DLL invokes “rundll32.exe” and runs the “fwdTst” export, which drops x64 RomCom RAT in “C:\Users\user\AppData\Local\Temp\winver.dll” location.
Hashes (md5, sha-256) |
4E4ECA58B896BDB6DB260F21EDC7760A ABE9635ADBFEE2D2FBAEA140625C49ABE3BAA29C44FB53A65A9CDA02121583EE |
ITW File Name |
combase32.dll, winver.dll |
Compilation Stamp |
Tue Aug 02 16:20:43 2022 |
File Type/Signature |
PE 64 DLL |
File Size |
623616 bytes |
Compiler Name/Version |
Microsoft Visual C++ |
C2 |
combinedresidency[.]org |
KeePass RomCom Campaign
On Nov. 1, the BlackBerry Threat Research and Intelligence Team made another discovery. The RomCom team created a new attack campaign abusing a popular password keeper called KeePass. When someone downloads the application from the fake but legitimate-looking KeePass website, the attacker drops a malicious bundle onto the victim’s machine with the name "KeePass-2.52."
Figure 5 – Fake KeePass website
The fake KeePass.org website drops a Trojanized bundle called "KeePass-2.52.zip." Once unpacked, it contains the following files:
Figure 6 – Contents of the malicious archive
As shown in the screenshot above, two malicious files are contained in the KeePass-2.52.zip file:
- Setup.exe – The file that launches the RomCom RAT dropper: PDB C:\Users\123\source\repos\ins_asi\Win32\Release\setup.pdb
- hlpr.dat is a RomCom RAT dropper.
Our team followed the RomCom Netflows and uncovered both spoofed KeePass and PDF Reader Pro sites in Ukrainian language. Both of these spoofed websites host their terms of service pages on the same URL and imply the software providers are hosted by UK companies.
href="privacy/uk_privacy.html"
href="privacy/uk_term.html"
href="privacy/uk_disclaimer.html"
Figure 8 – PDF Reader Pro spoofed website in Ukrainian
Netflow analysis by the BlackBerry Research and Intelligence Team also led to the discovery of a new C2 registered on Oct. 27, utilizing SSL certificates that emulate UK ownership:
Issuer: C=GB, ST=Greater London, L=Harmondsworth, O=British Government, OU=dgtlocean.com, CN=ca dgtlocean.com/emailAddress=ca(at)mail.com Issuer: C=GB, ST=Greater London, L=London, O=Government Digital Service, OU=you-supported.com, CN=ca you-supported.com/em
depth=0 C = GB, ST = British, L = Chesterfield, O = Royal Mail Group Ltd, OU = Group1, CN = Group1.A, emailAddress = server(at)mail.com
Conclusions
The RomCom threat actor is actively deploying new campaigns targeting victims in Ukraine and English-speaking targets worldwide. Based on the TOS, it is possible that victims in the United Kingdom are a new target, while Ukraine continues to be the main focus.
It’s important to note:
- The Trojanized bundles that the threat actor built do not indicate the mentioned vendors were compromised
- The legitimate companies are not involved in any attack
- The threat actors created fake websites to mimic the real ones
RomCom RAT, Cuba Ransomware, and Industrial Spy have an apparent connection. Industrial Spy is a relatively new ransomware group that emerged in April 2022. However, given the targets' geography and characteristics, combined with the current geopolitical situation, it's unclear if the real motivation of the RomCom threat actor is purely cybercriminal in nature.
RomCom RAT Indicators of Compromise (IoCs)
Filename MD5 SHA256 |
Solarwinds-Orion-NPM-Eval.zip 7C003B4F8B3C0AB0C3F8CB933E93D301 246DFE16A9248D7FB90993F6F28B0EBE87964FFD2DCDB13105096CDE025CA614 |
Filename MD5 SHA256 |
KeePass-2.52.zip 1a21a1e626fd342e794bcc3b06981d2c 596eaef93bdcd00a3aedaf6ad6d46db4429eeba61219b7e01b1781ebbf6e321b |
Filename MD5 SHA256 |
Solarwinds-Orion-NPM-Eval.exe D1A84706767BFB802632A262912E95A8 9D3B268416D3FAB4322CC916D32E0B2E8FA0DE370ACD686873D1522306124FD2 |
Type MD5 SHA256
MD5 SHA256 |
RomCom RAT Dropper CB933F1C913144A8CA6CFCFD913D6D28 AC09CBFEE4CF89D7B7A755C387E473249684F18AA699EB651D119D19E25BFF34
8284421bbb94f3c37f94899cdcd19afd 8b8dff5d30802fd79b76ee1531e7d050184a07570201ef1cd83a7bb8fa627cb0 |
Type MD5 SHA256
MD5 SHA256 |
RomCom RAT Launcher (Setup.exe) 6310A2063687800559AE9D65CFF21B0A F7013CE417FCBA0F36C4B9BF5F8F6E0E2B14D6ED33FF4D384C892773508E932E
550f42c5b555893d171285dc8b15b4b5 5f187393acdeb67e76126353c74b6080d3e6ccf28ae580658c670d8b6e4aacc1 |
Type MD5 SHA256
MD5 SHA256 |
RomCom RAT Payload 4E4ECA58B896BDB6DB260F21EDC7760A ABE9635ADBFEE2D2FBAEA140625C49ABE3BAA29C44FB53A65A9CDA02121583EE
a7172aef66bb12e1bb40a557bb41e607 3252965013ec861567510d54a97446610edba5da88648466de6b3145266386d9 |
You might also be interested in: