RomCom RAT malware campaign impersonates KeePass, SolarWinds NPM, Veeam (Security News, November 2022)
The threat actor behind the RomCom RAT has refreshed its attack vector and is now abusing well-known software brands for distribution.
In a new campaign discovered by BlackBerry, the RomCom threat actors were found creating websites that clone official download portals for SolarWinds Network Performance Monitor, KeePass password manager, and PDF Reader Pro, essentially disguising the malware as legitimate programs.
The downloaded app has been modified to include a malicious DLL that downloads and runs a copy of the RomCom RAT from the path "C:\Users\user\AppData\Local\Temp\winver.dll".
The ZIP file contains several files, including "Hlpr.dat," which is the RomCom RAT dropper, and "Setup.exe," which launches the dropper.
RomCom RAT was a then-unknown malware supporting ICMP-based communications and offering operators ten commands for file actions, process spawning and spoofing, data exfiltration, and launching a reverse shell.
BlackBerry's previous report on RomCom RAT argued there was no concrete evidence pointing the operation to any known threat actors.