
RomCom RAT malware campaign impersonates KeePass, SolarWinds NPM, Veeam
2022-11-03 19:36

The threat actor behind the RomCom RAT has refreshed its attack vector and is now abusing well-known software brands for distribution.

In a new campaign discovered by BlackBerry, the RomCom threat actors were found creating websites that clone official download portals for SolarWinds Network Performance Monitor, KeePass password manager, and PDF Reader Pro, essentially disguising the malware as legitimate programs.

The downloaded app has been modified to include a malicious DLL that downloads a copy of the RomCom RAT to the file path "C:\Users\user\AppData\Local\Temp\winver.dll" and runs it from there.

The ZIP file contains several files, including "Hlpr.dat," the RomCom RAT dropper, and "Setup.exe," which launches the dropper.

When BlackBerry first documented it, RomCom RAT was a previously unknown malware supporting ICMP-based communications and offering operators ten commands covering file operations, process spawning and spoofing, data exfiltration, and launching a reverse shell.
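The chain described above gives a defender three concrete things to look for: a DLL written to the user's Temp folder under the name of a Windows binary (winver.dll), a .dat file launched as code by Setup.exe, and ICMP-based command and control. The following detection script is an added example written for this page, not code from BlackBerry, BleepingComputer or the malware authors. It runs over constructed sample events in a simplified key=value format loosely modelled on Sysmon ImageLoad records and a flow log; the installer names, hosts, IP addresses, the list of system-binary names and the payload-size ICMP heuristic are all assumptions, and only the Temp\winver.dll path and the Setup.exe / Hlpr.dat names come from the report.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample telemetry (not real logs from the campaign). Only the
# Temp\winver.dll path and the Setup.exe / Hlpr.dat names come from the
# report; installer names, hosts and addresses are hypothetical.
SAMPLE_EVENTS = [
    # Benign: KeePass loading a system DLL from System32
    r"type=ImageLoad Image=C:\Program Files\KeePass\KeePass.exe ImageLoaded=C:\Windows\System32\kernel32.dll",
    # Suspicious: a downloaded installer loading a DLL named after a Windows
    # binary out of the user's Temp folder
    r"type=ImageLoad Image=C:\Users\user\Downloads\npm-setup.exe ImageLoaded=C:\Users\user\AppData\Local\Temp\winver.dll",
    # Benign: legitimate installers routinely unpack helper DLLs into Temp
    r"type=ImageLoad Image=C:\Users\user\Downloads\tool-setup.exe ImageLoaded=C:\Users\user\AppData\Local\Temp\nsa1F2.tmp\System.dll",
    # Suspicious: Setup.exe mapping a .dat file as executable code
    r"type=ImageLoad Image=C:\Users\user\Downloads\kp\Setup.exe ImageLoaded=C:\Users\user\Downloads\kp\Hlpr.dat",
    # Benign pings: default 32-byte Windows echo payload
    "type=Icmp src=10.0.0.5 dst=192.0.2.10 icmp_type=8 bytes=32",
    "type=Icmp src=10.0.0.5 dst=192.0.2.10 icmp_type=8 bytes=32",
    "type=Icmp src=10.0.0.5 dst=192.0.2.10 icmp_type=8 bytes=32",
    # Suspicious: repeated echo requests carrying oversized payloads
    "type=Icmp src=10.0.0.9 dst=198.51.100.7 icmp_type=8 bytes=412",
    "type=Icmp src=10.0.0.9 dst=198.51.100.7 icmp_type=8 bytes=396",
    "type=Icmp src=10.0.0.9 dst=198.51.100.7 icmp_type=8 bytes=420",
]

# key=value pairs; values may contain spaces, so split on the next " key=".
KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")
# Per-user Temp directory, the drop location named in the report.
USER_TEMP = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Assumption: a short, illustrative list of Windows binary names an implant
# might borrow for a DLL name; winver comes from the report.
SYSTEM_BINARY_STEMS = {"winver", "svchost", "explorer", "lsass", "csrss", "dwm", "winlogon"}
# Assumption: default echo payload sizes of common ping tools.
DEFAULT_PING_PAYLOADS = {32, 56, 64}
BEACON_THRESHOLD = 3  # oversized echo requests from one source before alerting


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value line into a dict."""
    return dict(KV.findall(line))


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def _stem(name: str) -> str:
    return name.rsplit(".", 1)[0].lower()


def check_image_load(ev: Dict[str, str]) -> Optional[str]:
    """Flag a DLL masquerading as a Windows binary in Temp, or Setup.exe loading a .dat."""
    loaded = ev.get("ImageLoaded", "")
    loader = _basename(ev.get("Image", ""))
    name = _basename(loaded)
    if USER_TEMP.match(loaded) and name.lower().endswith(".dll") and _stem(name) in SYSTEM_BINARY_STEMS:
        return f"dll_masquerade_in_temp: {loader} loaded {loaded}"
    if loader.lower() == "setup.exe" and name.lower().endswith(".dat"):
        return f"setup_loads_dat: {loader} loaded {loaded}"
    return None


def check_icmp(events: List[Dict[str, str]]) -> List[str]:
    """Flag sources sending repeated echo requests with non-default payload sizes."""
    oversized: Counter = Counter()
    for ev in events:
        if ev.get("type") == "Icmp" and ev.get("icmp_type") == "8":
            if int(ev.get("bytes", "0")) not in DEFAULT_PING_PAYLOADS:
                oversized[ev["src"]] += 1
    return [f"icmp_beacon: {src} sent {n} oversized echo requests"
            for src, n in oversized.items() if n >= BEACON_THRESHOLD]


def scan(lines: List[str]) -> List[str]:
    """Run both checks over raw event lines and return the findings."""
    events = [parse_event(line) for line in lines]
    findings = []
    for ev in events:
        if ev.get("type") == "ImageLoad":
            finding = check_image_load(ev)
            if finding:
                findings.append(finding)
    findings.extend(check_icmp(events))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The Temp rule deliberately keys on the borrowed system-binary name rather than on "DLL loaded from Temp" alone, because legitimate installers (the NSIS-style case in the sample) unpack helper DLLs into Temp all the time and a bare path rule would page constantly. The ICMP heuristic is a starting point only: the report says RomCom talks over ICMP, not what its packets look like, so the payload-size threshold must be tuned against the baseline of the network it is deployed on.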

BlackBerry's previous report on RomCom RAT argued there was no concrete evidence linking the operation to any known threat actor.


News URL

https://www.bleepingcomputer.com/news/security/romcom-rat-malware-campaign-impersonates-keepass-solarwinds-npm-veeam/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Solarwinds 56 33 101 81 50 265
Veeam 10 2 7 10 4 23