The RomCom RAT has been making the rounds — first in Ukraine as it went after military installations, and now in certain English-speaking countries such as the United Kingdom.

Initially a spear-phishing campaign, the RomCom attack has evolved to include domain and download spoofing of well-known and trusted products.

In this piece, we’ll break down current RomCom realities, dive into the problems with digital doppelgangers and offer advice to help secure software downloads.

RomCom Realities

Despite the name, there’s no quirky cast of characters or tidy resolution when it comes to this RomCom. Instead, unknown attackers are spoofing trusted software products to gain network access. As noted by The Hacker News, RomCom may be related to the Cuba ransomware and Industry Spy attacks, since all three use a similar network configuration link. However, this could also be a deliberate distraction on the part of the RomCom operators. Once installed, the RAT is capable of collecting information, capturing screenshots and exporting them to an offsite server.

Regardless of its cyber crime connections, however, RomCom’s efforts focus on people. By crafting legitimate-seeming emails supposedly from trusted brands, RomCom convinces users to click through on download links. What’s more, the RomCom RAT actually provides the software in question — albeit along with a hidden payload. With download sizes often over 10 GB, these files may not trigger automated security protections, leaving the decision to security teams instead. Given the trusted nature of the software in question, it may get a pass. The result is a scenario where staff form both the best line of defense and the primary pathway of attack.

So far, no groups or nation-states have claimed responsibility for the RomCom attack. But according to the BlackBerry Threat Research and Intelligence Team, which helped identify the Ukraine attack, “given the geography of the targets and the current geopolitical situation, it’s unlikely the RomCom RAT threat actor is cyber crime-motivated”.

The Danger of Digital Doppelgangers

To effectively distribute the RomCom RAT, attackers spoofed the sites and software of several legitimate vendors, including SolarWinds, KeePass, PDF Technologies and Veeam. They registered decoy websites with domain names closely resembling those of the real companies. Then, they built a malware-laced software bundle that contained the spoofed company’s genuine application.

This is especially problematic for brands like SolarWinds, which recently agreed to pay investors $26 million in a settlement for the 2020 compromise of its Orion network management platform. Tools like KeePass, meanwhile, help keep passwords safe. The spoofed KeePass installer site offers several versions for download, each containing an “hlpr.dat” file that holds the RomCom RAT dropper, along with a Setup.exe file that launches the dropper.

The real trick here comes with bundling legitimate services alongside malware payloads. Unlike other attack efforts that may be flagged when users discover their download doesn’t include the tool they want, RomCom makes sure that employees get the solution they’re after — but get a RAT along with it.

In practice, this creates a dual problem. First, staff and security teams may not flag these emails and sites as potentially malicious because they look legitimate. Second, the “wrapping” of actual software around the RAT tool may help increase the time between infection and detection.

Securing Software Downloads

The easiest way to avoid any RAT would be to stop downloading and installing software. However, this approach isn’t practical. For familiar tools like SolarWinds or KeePass, regular updates are critical to ensure continued functionality. Meanwhile, teams regularly download solutions like PDF Reader Pro and other digital media managers to improve operational efficiency.

As a result, enterprises need strategies to reduce download security risks regardless of their source or intended purpose.

First up are automatic updates for existing tools. Eliminating the need for staff to seek out and install new versions of software limits the chance of RAT infections. Since these updates directly link to software provider servers, it becomes much more difficult for attackers to insert themselves into the process.

It’s also critical to establish comprehensive download policies that apply to all staff members, without exceptions. Here’s why. The recent RomCom SolarWinds spoof didn’t just clone the company’s free trial download page. It also included links to actual SolarWinds contact forms — if users filled them out, real SolarWinds staff would respond. The download itself, meanwhile, was a trojanized version of the actual tool which contained the RomCom RAT.

The result? It’s hard for even tech-savvy staff to spot the spoof and avoid the download. By restricting download permissions, the potential attack surface shrinks.
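One concrete way to enforce a download policy, rather than relying on staff to eyeball a URL, is to check the host a download comes from against an allowlist and flag hosts that merely resemble an approved vendor domain. The following is an added example written for this article, not code from the article or from any vendor named in it. The allowlisted hosts and the sample URLs are constructed placeholders (they resemble no real RomCom infrastructure), and the "registrable domain" is approximated as the last two labels, which a production tool would replace with a public-suffix list lookup.

```python
"""Lookalike-domain check for a software-download policy (added example).

Given an allowlist of vendor download hosts, decide whether a URL a user
wants to download from is approved, a likely spoof of an approved host,
or simply unknown. All hostnames below are constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed allowlist of hosts IT permits installers from. In practice this
# comes from the organisation's policy, not from the e-mail that linked to it.
APPROVED_HOSTS = {
    "downloads.example-vendor.com",
    "www.example-passwordmanager.org",
}

# Digit-for-letter swaps commonly used to imitate a brand name.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalise(host: str) -> str:
    """Fold look-alike characters ('0'->'o', 'rn'->'m', 'vv'->'w'), drop 'www.'."""
    h = host.lower().rstrip(".").translate(_HOMOGLYPHS)
    h = h.replace("rn", "m").replace("vv", "w")
    return h[4:] if h.startswith("www.") else h


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; inputs are short so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Crude 'last two labels' stand-in for the registrable domain (assumption)."""
    return ".".join(host.split(".")[-2:])


def classify(url: str, approved=APPROVED_HOSTS, max_distance: int = 2) -> str:
    """Return 'approved', 'lookalike:<approved host>' or 'unknown'.

    Approval is decided on the raw hostname so that a homoglyph spoof can
    never normalise its way onto the allowlist; normalisation is used only
    to *detect* spoofs.
    """
    raw = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not raw:
        return "unknown"
    approved_l = sorted(h.lower() for h in approved)
    if raw in approved_l or registrable(raw) in {registrable(h) for h in approved_l}:
        return "approved"
    host = normalise(raw)
    for good in approved_l:
        good_n = normalise(good)
        brand = registrable(good_n).split(".")[0]
        # Either a near-miss on the registrable domain or the brand name
        # embedded in an unrelated domain counts as a lookalike.
        if levenshtein(registrable(host), registrable(good_n)) <= max_distance or brand in host:
            return f"lookalike:{good}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample requests a download proxy might see.
    for sample in (
        "https://downloads.example-vendor.com/setup.exe",
        "https://examp1e-vendor.com/download",
        "http://exarnple-vendor.com/",
        "https://example-vendor-downloads.net/trial",
        "https://totally-unrelated.example/",
    ):
        print(f"{classify(sample):45} {sample}")
```

A "lookalike" verdict is a signal for review or for blocking at the proxy, not proof of malice; the useful property is that the decision no longer depends on whether a busy employee notices a one-character difference in a domain name.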

Last but not least is the continual monitoring of IT environments to pinpoint potential problems. Consider a software download from a supposedly trusted company that contains both the app itself and a hidden RAT. Operating on a familiarity-is-sufficient security approach, teams may view this download as low risk. This in turn allows malicious actors to operate unnoticed. By taking the zero trust approach that assumes all software presents a potential risk, teams are more likely to detect and eliminate malware regardless of its entry point.
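The mechanical form of "assume all software presents a potential risk" is to verify every downloaded bundle against integrity data obtained out of band from the vendor, and to treat any file the vendor never listed as suspicious, regardless of how familiar the brand is. The following is an added example written for this article, not code from the article or from any vendor it names. It assumes the vendor publishes a manifest of relative paths and SHA-256 hashes (an assumption; the article does not describe a specific mechanism), and the demo bundle it builds in a temporary directory is constructed: the file contents are placeholders, and "hlpr.dat" is used only because the article names it as the extra file in the spoofed KeePass installer.

```python
"""Verify an unpacked installer bundle against a vendor manifest (added example).

A bundle passes only if every file the manifest lists is present with the
expected SHA-256 and nothing else is present. The manifest format and the
files created by build_demo() are constructed for illustration.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large installers don't load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_bundle(bundle_dir, manifest: dict) -> dict:
    """Compare bundle_dir against manifest {relative_path: sha256_hex}.

    Returns lists of 'ok', 'modified', 'missing' and 'unexpected' paths.
    """
    root = Path(bundle_dir)
    present = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    findings = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        path = present.pop(rel, None)
        if path is None:
            findings["missing"].append(rel)
        elif sha256_file(path) != expected.lower():
            findings["modified"].append(rel)
        else:
            findings["ok"].append(rel)
    # Whatever the vendor never listed is left over: exactly the case of a
    # genuine installer shipped alongside an unlisted dropper file.
    findings["unexpected"] = sorted(present)
    return findings


def is_trusted(findings: dict) -> bool:
    """Zero-trust verdict: any deviation from the manifest fails the bundle."""
    return not (findings["modified"] or findings["missing"] or findings["unexpected"])


def build_demo(tampered: bool = True):
    """Construct a throwaway bundle and its manifest; optionally tamper with it."""
    bundle = Path(tempfile.mkdtemp())
    (bundle / "Setup.exe").write_bytes(b"constructed placeholder for the real installer")
    (bundle / "README.txt").write_bytes(b"release notes")
    manifest = {name: sha256_file(bundle / name) for name in ("Setup.exe", "README.txt")}
    if tampered:
        # Extra file the manifest does not mention (name taken from the article).
        (bundle / "hlpr.dat").write_bytes(b"constructed stand-in for an unlisted file")
        # Altered listed file, to exercise the hash-mismatch path as well.
        (bundle / "README.txt").write_bytes(b"release notes, altered")
    return bundle, manifest


if __name__ == "__main__":
    bundle_dir, manifest = build_demo()
    result = verify_bundle(bundle_dir, manifest)
    for key, paths in result.items():
        print(f"{key:10} {paths}")
    print("trusted:", is_trusted(result))
```

The check is only as good as the channel the manifest arrives through: hashes fetched from the same spoofed page as the installer prove nothing, so the manifest must come from a source pinned by policy (the vendor's signed release metadata or an internal software catalogue), which is also why automatic vendor-hosted updates fare better than ad hoc downloads.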

Hope for a Happy Ending

RomCom RAT operators are faking it to make it. By spoofing legitimate websites and delivering malware wrapped in real tools, they’re looking to fool staff and make their way into enterprise networks.

But a happy ending to this RomCom remains possible. By opting for automatic over manual updates, establishing clear download policies and leaning into zero trust efforts to help discover threats hiding in plain sight, companies can keep their downloads secure.
