RomCom RAT: beware, the Trojan horse pretends to be well-known software!


Alexander Boero

November 04, 2022 at 10:55 a.m.



© Pexels / Sora-Shimazaki

Attackers are using trojanized versions of SolarWinds, PDF Reader Pro and KeePass software to distribute the RomCom RAT trojan, notably in Ukraine.

Impersonating software widely used by professionals and individuals is one of the techniques attackers use to distribute malware. The group operating the RomCom RAT trojan has recently changed its attack vector and campaign, distributing the malicious tool through trojanized versions of popular software.

A malicious campaign that mainly affects Ukraine and English-speaking countries

BlackBerry, which says it secures more than 500 million endpoints today, has just launched a cyber-threat intelligence and research service. It spotted RomCom RAT distribution campaigns targeting Ukrainian military institutions and some English-speaking countries, including the UK. Researchers found that the group behind this trojan was distributing trojanized versions of SolarWinds Network Performance Monitor, PDF Reader Pro and the KeePass password manager.

Palo Alto Networks' threat research unit, Unit 42, has also found that the Veeam Backup and Recovery backup and recovery solution has been added to the list of impersonated products. Researchers agree that it is currently difficult to say with certainty that the attackers' motivations are purely financial.

Fake websites that strongly resemble the legitimate sites of the spoofed software

In the campaign version most recently studied by BlackBerry, the attackers lure their victims with a decoy: a website that is nearly identical to the impersonated vendor's legitimate site. From it, the victim is offered an installation bundle of the supposedly legitimate software, which is in fact laced with malware. Most of the time, victims are steered to the decoy site by targeted phishing emails.

As a practical case, consider the fake SolarWinds website. It offers the user a free trial of the product in exchange for filling out a registration form that looks legitimate. If the victim fills it out, genuine SolarWinds employees may even contact them to follow up on the product trial, which further convinces the user that the application they have just downloaded and installed is legitimate. In reality, they have downloaded a dropper for the RomCom remote-access trojan.

On the left, the fake SolarWinds website, on the right, the real one © BlackBerry

In the KeePass case, when a user downloads the application from a fake website imitating the real one, a malicious package is dropped on the device in the form of a zip archive containing the trojan. Once unzipped, running the included Setup.exe launches the RomCom RAT dropper.
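The two defensive checks that the fake-site-plus-trojanized-installer pattern described above calls for are a lookalike check on the download host and a hash check on the downloaded file against the hash the vendor publishes. The following is an added example written for this page, not code from BlackBerry, Unit 42 or any of the vendors named in the article; the vendor allowlist, the installer bytes and the "published" hash are constructed for the example, and the lookalike heuristic (edit distance on the brand label, or the brand embedded in a longer name) is a deliberately simple one.

```python
"""Added example, not code from BlackBerry, Unit 42 or any vendor named in
the article. Two checks to run on a software download before installing it:
a lookalike-domain check on the download host and a SHA-256 check against
the hash the vendor publishes. All domains, hashes and bytes are constructed.
"""
import hashlib
import hmac
from typing import Optional
from urllib.parse import urlparse

# Assumption: an allowlist of the registrable domains you actually download
# vendor software from, maintained locally rather than fetched from the web.
KNOWN_VENDOR_DOMAINS = {"solarwinds.com", "keepass.info", "pdfreaderpro.com", "veeam.com"}


def registrable_domain(host: str) -> str:
    """Naive 'last two labels' reduction: www.download.example.com -> example.com.
    Fine for .com/.info/.net; a public-suffix list is needed for co.uk and the like."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance; domain labels are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(url: str, max_distance: int = 2) -> Optional[str]:
    """Return the vendor domain the download host imitates, or None when the host
    is an exact allowlisted domain or is not close to any of them."""
    domain = registrable_domain(urlparse(url).hostname or "")
    if domain in KNOWN_VENDOR_DOMAINS:
        return None
    name = domain.rsplit(".", 1)[0]  # brand part, without the TLD
    for vendor in KNOWN_VENDOR_DOMAINS:
        brand = vendor.rsplit(".", 1)[0]
        # Two cheap typosquat signals: a near-miss spelling (s0larwinds), or the
        # real brand wrapped in extra tokens or a wrong TLD (solarwinds-download.net).
        if levenshtein(name, brand) <= max_distance or brand in name:
            return vendor
    return None


def verify_installer(data: bytes, published_sha256: str) -> bool:
    """True only if the file hashes to the SHA-256 the vendor publishes.
    A trojanized bundle served from a clone site will not match."""
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, published_sha256.strip().lower())


def assess_download(url: str, data: bytes, published_sha256: str) -> dict:
    """Combine both checks into a single verdict for a downloaded installer."""
    imitated = lookalike_domain(url)
    hash_ok = verify_installer(data, published_sha256)
    return {"imitates": imitated, "hash_ok": hash_ok, "install": imitated is None and hash_ok}


# Constructed sample data: a stand-in for the genuine installer, the hash the
# vendor would publish for it, and a tampered copy served from a clone site.
GENUINE_INSTALLER = b"PK\x03\x04 genuine installer bytes (constructed)"
PUBLISHED_SHA256 = hashlib.sha256(GENUINE_INSTALLER).hexdigest()
TROJANIZED_INSTALLER = GENUINE_INSTALLER + b" + dropper"

if __name__ == "__main__":
    print(assess_download("https://www.solarwinds.com/free-trial", GENUINE_INSTALLER, PUBLISHED_SHA256))
    print(assess_download("https://solarwinds-download.net/free-trial", TROJANIZED_INSTALLER, PUBLISHED_SHA256))
    print(lookalike_domain("https://keepass.org/download"))
```

The domain heuristic is only a tripwire: a short brand such as "veeam" will sit within two edits of unrelated words, so treat a hit as a prompt to check the URL by hand rather than as proof. The hash check is the one that actually catches the trojanized bundle, and it only helps if the published hash is fetched from the vendor's real site (or its signed release metadata), not from the page that served the download.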

Sources: BlackBerry, @Unit42_Intel via Twitter
