The operators of RomCom RAT malware are continuing to evolve their campaigns by distributing rogue versions of software such as SolarWinds Network Performance Monitor, KeePass password manager, and PDF Reader Pro via fake copycat websites.
Targets of the operation consist of victims in Ukraine and select English-speaking countries like the UK.
“Given the geography of the targets and the current geopolitical situation, it’s unlikely that the RomCom RAT threat actor is cybercrime-motivated,” the BlackBerry Threat Research and Intelligence Team said in a new analysis.
The latest findings come a week after the Canadian cybersecurity company disclosed a spear-phishing campaign aimed at Ukrainian entities to deploy a remote access trojan called RomCom RAT.
The unknown threat actor has also been observed leveraging trojanized variants of Advanced IP Scanner and pdfFiller as droppers to distribute the implant.
The latest iteration of the campaign entails setting up decoy lookalike websites with a similar domain name, followed by uploading a malware-laced installer bundle of the malicious software, and then sending phishing emails to targeted victims.
Figure: Fake KeePass website
Figure: Fake SolarWinds website
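As an added example (not from BlackBerry's analysis or the original article), a defender can screen web proxy logs for download hosts that imitate the names of the impersonated vendors. The official-domain list, substitution table, similarity threshold and log lines below are assumptions constructed for illustration.

```python
from difflib import SequenceMatcher

# Assumption: official vendor domains, maintained by the defender.
OFFICIAL = {"solarwinds.com", "keepass.info", "pdfreaderpro.com"}
BRANDS = sorted(d.split(".")[0] for d in OFFICIAL)

# Visual substitutions and separators often used in lookalike names.
SUBS = (("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"), ("-", ""), ("_", ""))

def normalize(label):
    for old, new in SUBS:
        label = label.replace(old, new)
    return label

def impersonated_brand(host, threshold=0.85):
    """Return the brand a non-official host imitates, else None."""
    labels = host.lower().rstrip(".").split(".")
    # Naive registrable domain (last two labels); use the Public Suffix
    # List in production.
    if ".".join(labels[-2:]) in OFFICIAL:
        return None
    for label in labels[:-1]:  # skip the TLD
        norm = normalize(label)
        for brand in BRANDS:
            close = SequenceMatcher(None, norm, brand).ratio() >= threshold
            if brand in norm or close:
                return brand
    return None

# Constructed proxy log lines (time, client, host, path); not real indicators.
SAMPLE_LOG = """\
2022-11-01T09:12:03Z 10.0.0.5 www.solarwinds.com /downloads
2022-11-01T09:14:41Z 10.0.0.7 solarvvinds.example /trial/setup.zip
2022-11-01T09:20:10Z 10.0.0.9 keepas.example /KeePass-Setup.zip
2022-11-01T09:25:55Z 10.0.0.9 pdfreaderpro-download.example /installer.exe
2022-11-01T09:31:02Z 10.0.0.4 solarwinds.com.cdn-files.example /npm.zip
2022-11-01T09:40:17Z 10.0.0.4 updates.github.example /release.tar.gz
"""

def suspicious_requests(log_text):
    """Return (client, host, brand) for each request to a lookalike host."""
    hits = []
    for line in log_text.splitlines():
        _, client, host, _path = line.split()
        brand = impersonated_brand(host)
        if brand:
            hits.append((client, host, brand))
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

The fifth sample line shows why matching only the leftmost labels against the allowlist is unsafe: the official name appears as a subdomain of an unrelated registrable domain.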
“While downloading a free trial from the spoofed SolarWinds site, a legitimate registration form appears,” the researchers explained.
“If filled out, real SolarWinds sales