RomCom Weaponized KeePass and SolarWinds Instances to Target Ukraine, Maybe UK

The threat actor known as RomCom has been weaponizing SolarWinds, KeePass and PDF Reader Pro instances in a series of new attack campaigns against targets in Ukraine and potentially the United Kingdom.

The discovery comes from the BlackBerry Research & Intelligence Team, who published an advisory about RomCom on Wednesday.

"While Ukraine still appears to be the primary target of this campaign, we believe some English-speaking countries are being targeted as well, including the United Kingdom," reads the document.

"This is based on the terms of service (TOS) of two of the malicious websites and the SSL certificates of a newly created command-and-control (C2)."

As for the attacks themselves, BlackBerry said RomCom followed a consistent scheme: first scraping the legitimate HTML code from the site of the vendor it intended to spoof, then registering a malicious domain resembling the legitimate one.

The threat actor then trojanized the legitimate application, uploaded a malicious bundle to the decoy website and deployed targeted phishing emails to the victims (in some instances, using additional infection vectors).
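A defender-side check for the spoofed-domain step described above, added here as an example and not code from the BlackBerry advisory: it scans proxy-log requests for hosts that imitate the spoofed vendor names (KeePass, SolarWinds, PDF Reader Pro) by substring, homoglyph folding and edit distance. The allowlisted legitimate domains and the log lines are assumptions constructed for the example.

```python
import re
# Vendors spoofed in the campaign described above (from the advisory). The
# legitimate-domain allowlist and the log lines are assumptions constructed here.
BRANDS = ("keepass", "solarwinds", "pdfreaderpro")
ALLOWLIST = ("keepass.info", "solarwinds.com")
# Digits and letter pairs commonly substituted into look-alike hostnames.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
URL_RE = re.compile(r"https?://([^/\s:]+)")

def levenshtein(a: str, b: str) -> int:  # edit distance for typosquat near-misses
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize_label(host: str) -> str:
    # Registrable label with separators stripped and homoglyphs folded back.
    parts = host.lower().split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    return re.sub(r"[^a-z0-9]", "", label).translate(HOMOGLYPHS).replace("rn", "m")

def lookalike_brand(host: str) -> "str | None":
    """Return the brand a host imitates, or None for allowlisted/unrelated hosts."""
    host = host.lower()
    if any(host == d or host.endswith("." + d) for d in ALLOWLIST):
        return None
    label = normalize_label(host)
    for brand in BRANDS:
        # Flag brand-containing names (keepass-pro) and near-misses (keepas) alike.
        if brand in label or levenshtein(label, brand) <= 2:
            return brand
    return None

def scan_proxy_log(text: str) -> "list[tuple[str, str]]":
    """Return (host, brand) for every request to a brand look-alike domain."""
    hits = []
    for line in text.splitlines():
        m = URL_RE.search(line)
        if m and (brand := lookalike_brand(m.group(1))):
            hits.append((m.group(1), brand))
    return hits

# Constructed proxy log; the .example hosts stand in for spoofed download sites.
SAMPLE_LOG = """\
2022-11-02T10:15:02Z 10.0.0.5 GET https://keepass.info/download/ 200
2022-11-02T10:16:40Z 10.0.0.5 GET https://keepass-pro.example/ua/download.html 200
2022-11-02T10:17:11Z 10.0.0.9 GET https://s0larwinds.example/npm/setup.exe 200
2022-11-02T10:18:03Z 10.0.0.9 GET https://github.com/ 200
"""
```

Feeding real proxy or DNS logs through `scan_proxy_log` surfaces candidate decoy sites for analyst review; the allowlist keeps the vendors' genuine domains from triggering.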

"Our team followed the RomCom Netflows and uncovered both spoofed KeePass and PDF Reader Pro sites in the Ukrainian language," reads the advisory. "Both of these spoofed websites host their terms of service pages on the same URL and imply the software providers are hosted by UK companies."

According to BlackBerry, these techniques resemble those used by the Cuba ransomware and Industrial Spy groups and may indicate a connection between those groups and the RomCom gang.

"Industrial Spy is a relatively new ransomware group that emerged in April 2022," the security team wrote. "However, given the targets' geography and characteristics, combined with the current geopolitical situation, it's unclear if the real motivation of the RomCom threat actor is purely cyber-criminal in nature."

A list of RomCom RAT Indicators of Compromise (IoCs) is available in the original text of the BlackBerry advisory. Its publication comes days after the malware was associated with recent campaigns targeting organizations in Ukraine.
