Security News > 2022 > November > Hackers Using Rogue Versions of KeePass and SolarWinds Software to Distribute RomCom RAT

The operators of RomCom RAT are continuing to evolve their campaigns with rogue versions of software such as SolarWinds Network Performance Monitor, KeePass password manager, and PDF Reader Pro.

Targets of the operation consist of victims in Ukraine and select English-speaking countries like the U.K. "Given the geography of the targets and the current geopolitical situation, it's unlikely that the RomCom RAT threat actor is cybercrime-motivated," the BlackBerry Threat Research and Intelligence Team said in a new analysis.

The latest findings come a week after the Canadian cybersecurity company disclosed a spear-phishing campaign aimed at Ukrainian entities to deploy a remote access trojan called RomCom RAT. The unknown threat actor has also been observed leveraging trojanized variants of Advanced IP Scanner and pdfFiller as droppers to distribute the implant.

"If filled out, real SolarWinds sales personnel might contact the victim to follow up on the product trial. That technique misleads the victim into believing that the recently downloaded and installed application is completely legitimate."

Other impersonated versions involve the popular password manager KeePass and PDF Reader Pro, including in the Ukrainian language.

The use of RomCom RAT has also been linked to threat actors associated with the Cuba ransomware and Industrial Spy, according to Palo Alto Networks Unit 42, which is tracking the ransomware group under the constellation-themed moniker Tropical Scorpius.

News URL

https://thehackernews.com/2022/11/hackers-using-rogue-versions-of-keepass.html