The RomCom RAT has been making the rounds — first in Ukraine as it went after military installations, and now in certain English-speaking countries such as the United Kingdom.

Initially a spear-phishing campaign, the RomCom attack has evolved to include domain and download spoofing of well-known and trusted products.

In this piece, we’ll break down current RomCom realities, dive into the problems with digital doppelgangers and offer advice to help secure software downloads.

RomCom realities

Despite the name, there’s no quirky cast of characters or easy resolution when it comes to this RomCom. Instead, unknown attackers are spoofing trusted software solutions to gain network access. As noted by The Hacker News, RomCom may be related to the Cuba ransomware and Industry Spy attacks, since all three use a similar network configuration link. However, this could also be a distraction on the part of RomCom criminals. Once installed, the RAT is capable of collecting information, capturing screenshots and exporting them to an offsite server.

Regardless of its cyber crime connections, however, RomCom’s efforts focus on people. By crafting legitimate-seeming emails supposedly from trusted brands, RomCom convinces users to click through on download links. What’s more, the RomCom RAT actually provides the software in question — albeit along with a hidden payload. With download sizes often over 10 GB, these files may not trigger automatic security protections, instead shunting the details to security teams. Given the trusted nature of the software in question, it may get a pass. The result is a scenario where staff form both the best line of defense and the primary pathway of attack.

So far, no groups or nation-states have claimed responsibility for the RomCom attack. But according to the BlackBerry Threat Research and Intelligence Team, which helped identify the Ukraine attack, “given the geography of the targets and the current geopolitical situation, it’s unlikely the RomCom RAT threat actor is cyber crime-motivated”.

The danger of digital doppelgangers

To effectively distribute the RomCom RAT, hackers spoofed the sites and software of several legitimate companies including SolarWinds, KeePass, PDF Technologies and Veeam. Attackers created decoy websites with similar domain names to their actual corporate counterparts. Then, they created a malware-infected software bundle that contained the spoofed company’s application.

This is especially problematic for brands like SolarWinds, which recently agreed to pay investors $26 million in a settlement for the 2020 compromise of its Orion network management platform. Tools like KeePass, meanwhile, help keep passwords safe. The spoofed KeePass installer site offers multiple versions for download, each containing an “hlpr.dat” file that holds the RomCom RAT dropper, along with a Setup.exe file that launches the dropper.

The real trick here comes with bundling legitimate services alongside malware payloads. Unlike other attack efforts that may be flagged when users discover their download doesn’t include the tool they want, RomCom makes sure that employees get the solution they’re after — but get a RAT along with it.

In practice, this creates a dual problem. First, staff and security teams may not flag these emails and sites as potentially malicious because they look legitimate. Second, the “wrapping” of actual software around the RAT tool may help increase the time between infection and detection.

Securing software downloads

The easiest way to avoid any RAT would be to stop downloading and installing software. However, this approach isn’t practical. For familiar tools like SolarWinds or KeePass, regular updates are critical to continued functionality. Meanwhile, teams regularly download solutions like PDF Reader Pro and other digital media managers to improve operational efficiency.

As a result, enterprises need strategies to reduce download security risks regardless of their source or intended purpose.

First up are automatic updates for existing tools. Eliminating the need for staff to seek out and install new versions of software limits the chance of RAT infections. Since these updates directly link to software provider servers, it becomes much more difficult for attackers to insert themselves into the process.

It’s also critical to establish comprehensive download policies that apply to all staff members, without exceptions. Here’s why. The recent RomCom SolarWinds spoof didn’t just clone the company’s free trial download page. It also included links to actual SolarWinds contact forms — if users filled them out, real SolarWinds staff would respond. The download itself, meanwhile, was a trojanized version of the actual tool which contained the RomCom RAT.

The result? It’s hard for even tech-savvy staff to spot the spoof and avoid the download. By restricting download permissions, the potential attack surface shrinks.
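As an added example (not code from the original post), here is a Python sketch of two checks a download policy like the one above could automate: classifying a download URL’s host against an allowlist of approved vendor domains, flagging lookalikes of the kind described under digital doppelgangers, and comparing the installer’s SHA-256 against the digest the vendor publishes. The allowlist hosts and sample inputs are constructed placeholders, not real vendor domains.

```python
import hashlib
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed allowlist of approved vendor download hosts for this example;
# a real policy would carry the vendors' actual download domains.
APPROVED_HOSTS = {"keepass.example", "solarwinds.example", "veeam.example"}


def _registrable(host: str) -> str:
    """Naive registrable domain: last two labels (no public-suffix list),
    e.g. 'downloads.keepass.example' -> 'keepass.example'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(url: str) -> str:
    """Classify a download URL's host as 'approved', 'lookalike' or 'unknown'.
    A lookalike embeds an approved brand name in a foreign domain or is a
    near-miss spelling of one (edit similarity >= 0.8)."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "unknown"
    reg = _registrable(host)
    if reg in APPROVED_HOSTS:
        return "approved"
    for approved in APPROVED_HOSTS:
        brand = approved.split(".")[0]
        if brand in host:  # e.g. keepass.example.test
            return "lookalike"
        if SequenceMatcher(None, reg.split(".")[0], brand).ratio() >= 0.8:
            return "lookalike"  # e.g. keepas.example
    return "unknown"


def verify_installer(data: bytes, published_sha256: str) -> bool:
    """Compare the downloaded file with the digest the vendor publishes.
    A trojanized bundle that still ships the real tool will not match."""
    return hashlib.sha256(data).hexdigest() == published_sha256.lower()


def download_allowed(url: str, data: bytes, published_sha256: str) -> tuple:
    """Policy decision: both the source host and the file digest must pass."""
    verdict = classify_host(url)
    if verdict != "approved":
        return False, "host " + verdict
    if not verify_installer(data, published_sha256):
        return False, "digest mismatch"
    return True, "ok"
```

The host check is deliberately simple; a production version would use a public-suffix list and the vendor’s published digests or code-signing certificate rather than a hand-maintained table.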

Last but not least is continual monitoring of IT environments to pinpoint potential problems. Consider a software download from a supposedly trusted company that contains both the app itself and a hidden RAT. Operating on a familiarity-is-sufficient security approach, teams may view this download as low risk. This in turn allows malicious actors to operate unnoticed. By taking a zero trust approach that assumes all software presents a potential risk, teams are more likely to detect and eliminate malware regardless of its entry point.

Hope for a happy ending

RomCom RAT operators are faking it to make it. By spoofing legitimate websites and delivering malware wrapped in real tools, they’re looking to fool staff and make their way into enterprise networks.

But a happy ending to this RomCom remains possible. By opting for automatic over manual updates, establishing clear download policies and leaning into zero trust efforts to help discover threats hiding in plain sight, companies can keep their downloads secure.
