The RomCom RAT has been making the rounds — first in Ukraine as it went after military installations, and now in certain English-speaking countries such as the United Kingdom.
Initially a spear-phishing campaign, the RomCom attack has evolved to include domain and download spoofing of well-known and trusted products.
In this piece, we’ll break down current RomCom realities, dive into the problems with digital doppelgangers and offer advice to help secure software downloads.
Despite the name, there’s no quirky cast of characters or relatively easy resolution when it comes to this RomCom. Instead, unknown attackers are spoofing trusted software solutions to gain network access. As noted by The Hacker News, RomCom may be related to the Cuba ransomware and Industrial Spy attacks, since all three use similar network infrastructure. However, this could also be a deliberate distraction on the part of the RomCom operators. Once installed, the RAT is capable of collecting information, capturing screenshots and exporting them to an offsite server.
Regardless of its cyber crime connections, however, RomCom’s efforts focus on people. By crafting legitimate-seeming emails supposedly from trusted brands, RomCom convinces users to click through on download links. What’s more, the RomCom operators actually provide the software in question — albeit along with a hidden payload. With download sizes often over 10 GB, these files may exceed the limits of automatic scanning and be passed to security teams for manual review instead. Given the trusted nature of the software in question, it may get a pass. The result is a scenario where staff form both the best line of defense and the primary pathway of attack.
So far, no groups or nation-states have claimed responsibility for the RomCom attack. But according to the BlackBerry Threat Research and Intelligence Team, which helped identify the Ukraine attack, “given the geography of the targets and the current geopolitical situation, it’s unlikely the RomCom RAT threat actor is cyber crime-motivated”.
The danger of digital doppelgangers
To effectively distribute the RomCom RAT, the attackers spoofed the sites and software of several legitimate companies, including SolarWinds, KeePass, PDF Technologies and Veeam. They registered decoy websites under domain names closely resembling those of the real companies. Then, they built a malware-infected software bundle that contained the spoofed company’s genuine application.
This is especially problematic for brands like SolarWinds, which recently agreed to pay investors $26 million in a settlement for the 2020 compromise of its Orion network management platform. Tools like KeePass, meanwhile, exist to keep passwords safe. The spoofed KeePass installer site offers multiple versions for download, each of which bundles an “hlpr.dat” file containing the RomCom RAT dropper together with a Setup.exe file that launches that dropper.
The real trick here comes with bundling legitimate services alongside malware payloads. Unlike other attack efforts that may be flagged when users discover their download doesn’t include the tool they want, RomCom makes sure that employees get the solution they’re after — but get a RAT along with it.
In practice, this creates a dual problem. First, staff and security teams may not flag these emails and sites as potentially malicious because they look legitimate. Second, the “wrapping” of actual software around the RAT tool may help increase the time between infection and detection.
Securing software downloads
The easiest way to avoid any RAT would be to stop downloading and installing software. However, this approach isn’t practical. For familiar tools like SolarWinds or KeePass, regular updates are critical to ensure continued functionality. Meanwhile, teams regularly download solutions like PDF Reader Pro and other digital media managers to improve operational efficiency.
As a result, enterprises need strategies to reduce download security risks regardless of their source or intended purpose.
First up are automatic updates for existing tools. Eliminating the need for staff to seek out and install new versions of software limits the chance of RAT infections. Since these updates directly link to software provider servers, it becomes much more difficult for attackers to insert themselves into the process.
It’s also critical to establish comprehensive download policies that apply to all staff members, without exceptions. Here’s why. The recent RomCom SolarWinds spoof didn’t just clone the company’s free trial download page. It also included links to actual SolarWinds contact forms — if users filled them out, real SolarWinds staff would respond. The download itself, meanwhile, was a trojanized version of the actual tool which contained the RomCom RAT.
The result? It’s hard for even tech-savvy staff to spot the spoof and avoid the download. By restricting download permissions, the potential attack surface shrinks.
Last but not least is the continual monitoring of IT environments to pinpoint potential problems. Consider a software download from a supposedly trusted company that contains both the app itself and a hidden RAT. Operating on a familiarity-is-sufficient security approach, teams may view this download as low risk. This in turn allows malicious actors to operate unnoticed. By taking the zero trust approach that assumes all software presents a potential risk, teams are more likely to detect and eliminate malware regardless of its entry point.
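As an added example (not code from the article, BlackBerry or any of the vendors named), the following Python script shows how a download policy along the lines described above can be enforced mechanically: the download host is checked against a pinned list of approved vendor domains, near-miss lookalike domains are flagged, and the installer bytes are compared against a hash the vendor published out of band. The approved domain list, the simplified domain parsing and the installer bytes are assumptions constructed for illustration.

```python
import hashlib
from urllib.parse import urlparse

# Assumption: the organisation pins the vendor domains its download policy
# allows. Sample list only; populate it from your own policy.
APPROVED_HOSTS = {"solarwinds.com", "keepass.info", "veeam.com"}


def _registrable(host):
    """Reduce a hostname to its last two labels (simplification: ignores
    multi-label public suffixes such as co.uk)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _edit_distance(a, b):
    """Levenshtein distance, used to catch single-typo lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_download_host(url):
    """Return 'approved', 'lookalike' (brand name embedded or within two
    edits of an approved domain) or 'unapproved' for a download URL."""
    reg = _registrable(urlparse(url).hostname or "")
    if reg in APPROVED_HOSTS:
        return "approved"
    for good in APPROVED_HOSTS:
        if _edit_distance(reg, good) <= 2 or good.split(".")[0] in reg:
            return "lookalike"
    return "unapproved"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_installer(data, expected_sha256):
    """True only if the downloaded bytes match the vendor-published hash."""
    return sha256_hex(data) == expected_sha256.lower()


def check_download(url, data, expected_sha256):
    """Combined policy decision: origin first, then integrity."""
    verdict = classify_download_host(url)
    if verdict != "approved":
        return "block: host " + verdict
    if not verify_installer(data, expected_sha256):
        return "block: hash mismatch"
    return "allow"
```

A lookalike verdict is worth routing to the security team as a phishing indicator rather than silently dropping, since the same decoy domain is likely to reach more than one employee.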
Hope for a happy ending
RomCom RAT operators are faking it to make it. By spoofing legitimate websites and delivering malware wrapped in real tools, they’re looking to fool staff and make their way into enterprise networks.
But a happy ending to this RomCom remains possible. By opting for automatic over manual updates, establishing clear download policies and leaning into zero trust efforts to help discover threats hiding in plain sight, companies can keep their downloads secure.