Targets have been Ukraine-based but IT companies, food brokers, and food manufacturers in the U.S., Brazil, and the Philippines are also in its crosshairs, BlackBerry says [300 words].
What: The operators of RomCom, a remote access trojan used in recent attacks against the Ukrainian military have now begun spoofing products from SolarWinds and KeePass to distribute the malware to targets in Ukraine and some English-speaking countries including the United Kingdom.
The two products being spoofed are SolarWinds’ Network Performance Monitoring (NPM) tool and KeePass and PDF Reader Pro.
How the attacks work: The RomCom threat actor first scraped original, legitimate HTML code from a SolarWinds page for downloading a trial version of its NPM tool and from a KeePass page for downloading the password manager tool. They then set up malicious domains that looked almost identical to the scraped pages and lured victims to the decoy websites via phishing emails.
Victims who download the free trial version of NPM from the spoofed SolarWinds site, instead get the RomCom RAT. To mislead victims into believing the download is genuine, the decoy SolarWinds website serve up a legitimate SolarWinds registration form. The same sequence—minus the registration from—plays out when someone downloads the KeePass tools from the decoy KeePass website site. The malicious SolarWinds file is digitally signed with a certificate belonging to a Canadian company.
Something to keep an eye on: The RomCom actor is actively tweaking its campaign. They initially used a spoofed version of the Advanced IP Scanner too to distribute its RAT. Then it switched to a spoofed version of a widely used app called PDF Filler for its campaign against the Ukrainian military and now it has begun used Trojanized SolarWinds NPM and KeePass products.
Source: BlackBerry
