RomCom RAT Using Deceptive Web of Rogue Software Sites for Covert Attacks

silversurfer

The threat actors behind RomCom RAT are leveraging a network of fake websites advertising rogue versions of popular software at least since July 2022 to infiltrate targets.

Cybersecurity firm Trend Micro is tracking the activity cluster under the name Void Rabisu, which is also known as Tropical Scorpius (Unit 42) and UNC2596 (Mandiant).

"These lure sites are most likely only meant for a small number of targets, thus making discovery and analysis more difficult," security researchers Feike Hacquebord, Stephen Hilt, Fernando Merces, and Lord Alfred Remorin said.

Some of the impersonated apps spotted so far include AstraChat, Devolutions' Remote Desktop Manager, Gimp, GoTo Meeting, KeePass, OpenAI ChatGPT, Signal, Veeam Backup & Replication, and WinDirStat.
 

Andy Ful

Evasion Techniques

RomCom 3.0 binaries are protected with VMProtect. Some binaries are also signed with valid certificates. Because the actors decided to use VMProtect’s anti-VM feature, any attempt to run it in a virtual machine (VM) without modification or VM hardening will cause the malware to show an error message and exit (Figure 5).


Figure 5. Default VMProtect anti-VM detection in RomCom 3.0 samples

Another interesting technique RomCom uses is appending null bytes to the files received from a C&C server. Making the file bigger can be an attempt to avoid sandbox products or security software scanners that impose a file size limit.

In later versions of RomCom, the binary that is hosted on a lure site contains an encrypted payload. To correctly decrypt the payload, it will need to reach out to a web server at the IP address 94.142.138.244 and download the decryption key. We suspect this website is a third-party service that is also being used by other malware, including the Vidar stealer that is also known as StealC. Also, recent RomCom droppers have stopped dropping the worker component. Instead, the network component downloads it from the C&C server.

Some variants are really nasty because they use signed binaries and large files. They can probably evade Smart App Control on Windows 11. In such a case, SmartScreen for Explorer (no SAC) has more chances to warn and block the attack because the signed MSI will be blocked, except when the highly reputable certificate was stolen or the malware was signed with an EV certificate (possible in highly targeted attacks).
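As an added example (not code from this thread or from Trend Micro's report), a small Python check for the null-byte padding trick quoted above: it measures trailing null padding, flags files where the padding dominates, and hashes the trimmed content so padded and unpadded copies of the same payload produce the same indicator. The sample bytes and the thresholds are constructed assumptions, not values from any real sample.

```python
import hashlib

# Constructed sample: a tiny fake "payload" followed by a large run of null bytes,
# mimicking the padding trick described in the post (not a real RomCom artifact).
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 62 + b"fake-dropper-body"
SAMPLE_FILE = SAMPLE_PAYLOAD + b"\x00" * 200_000  # 200 KB of trailing nulls


def trailing_null_count(data: bytes) -> int:
    """Return how many null bytes sit at the end of data."""
    return len(data) - len(data.rstrip(b"\x00"))


def analyze_padding(data: bytes, min_ratio: float = 0.5,
                    min_padding: int = 64 * 1024) -> dict:
    """Flag files whose trailing null padding dominates their size.

    min_ratio:   fraction of the file that must be trailing nulls to flag
                 (assumed threshold, tune for your environment).
    min_padding: absolute minimum padding so small, normally aligned files
                 are not flagged (assumed threshold).
    Returns sizes, both hashes and a boolean verdict.
    """
    padding = trailing_null_count(data)
    content = data[:len(data) - padding]
    ratio = padding / len(data) if data else 0.0
    return {
        "total_size": len(data),
        "padding_bytes": padding,
        "padding_ratio": round(ratio, 3),
        "effective_size": len(content),
        # Hash of the file as seen on disk: changes with every padding length.
        "sha256_full": hashlib.sha256(data).hexdigest(),
        # Hash of the content without padding: stable across padded variants,
        # so it can be used to match a size-inflated file to a known sample.
        "sha256_trimmed": hashlib.sha256(content).hexdigest(),
        "suspicious_padding": padding >= min_padding and ratio >= min_ratio,
    }


if __name__ == "__main__":
    for key, value in analyze_padding(SAMPLE_FILE).items():
        print(f"{key}: {value}")
```

A scanner that skips files above a size limit can use the effective size and trimmed hash instead of the on-disk values, which is the gap the padding is meant to exploit.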
