Security News > 2022 > November > RomCom RAT malware campaign impersonates KeePass, SolarWinds NPM, Veeam
The threat actor behind the RomCom RAT has refreshed its attack vector and is now abusing well-known software brands for distribution.
In a new campaign discovered by BlackBerry, the RomCom threat actors were found creating websites that clone official download portals for SolarWinds Network Performance Monitor, KeePass password manager, and PDF Reader Pro, essentially disguising the malware as legitimate programs.
The downloaded app has been modified to include a malicious DLL that downloads and runs a copy of the RomCom RAT from the "C:UsersuserAppDataLocalTempwinver.dll" folder.
The ZIP file contains several files, including the "Hlpr.dat," which is the RomCom RAT dropper, and "Setup.exe," which launches the dropper.
RomCom RAT was a then-unknown malware supporting ICMP-based communications and offering operators ten commands for file actions, process spawning and spoofing, data exfiltration, and launching a reverse shell.
BlackBerry's previous report on RomCom RAT argued there was no concrete evidence pointing the operation to any known threat actors.