A new campaign distributing the RomCom backdoor malware has been discovered by Trend Micro. The malware is disguised as well-known or fictional software on impersonated websites, tricking users into downloading and launching malicious installers.
The threat actors behind RomCom have enhanced its evasion techniques through payload encryption and obfuscation, introducing new and powerful commands to expand the tool’s capabilities. The campaign primarily targets remote desktop management applications, indicating a likelihood of attackers utilizing phishing or social engineering tactics.
RomCom has been previously associated with Cuba ransomware, with attacks reported in Ukraine, the United States, Brazil, and the Philippines. The current campaign, analyzed by Trend Micro, provides examples of malicious websites impersonating legitimate software such as Gimp, Go To Meeting, ChatGPT, and more.
These fake sites are promoted through Google advertisements and highly targeted phishing emails, predominantly affecting victims in Eastern Europe. The websites distribute trojanized MSI installers, containing a malicious DLL file, and employ an infection process that involves extracting additional DLLs for command and control communication and execution.
The RomCom payload analyzed by Trend Micro reveals the implementation of additional malicious commands, expanding the attackers’ capabilities. These commands allow actions such as introducing more payloads, making processes appear legitimate, exfiltrating data, setting up proxies, and updating the malware.
Furthermore, RomCom is known to download stealer components on compromised devices, including tools for screenshot-snapping, stealing web browser cookies, cryptocurrency wallets, instant messenger chats, and FTP credentials. The authors of RomCom employ enhanced evasion techniques, using VMProtect software, encryption for the payload, and null bytes in communication to avoid detection.
The software downloaded from malicious websites is signed by seemingly legitimate companies, adding another layer of deception.
RomCom poses a versatile threat associated with ransomware, espionage, and warfare, though the exact intentions of its operators remain unclear. Trend Micro has provided indicators of compromise (IoCs) and Yara rules to aid defenders in detecting and thwarting RomCom attacks.
Defenders must remain vigilant against this adaptable and potentially damaging malware.
