RomCom malware is being distributed via a range of websites that claim to offer downloads of popular software solutions such as AstraChat, GIMP, Go To Meeting, and ChatGPT, and traffic is being sent to those websites by malicious Google Ads and phishing emails.
RomCom malware is a remote access Trojan that serves as a backdoor into infected systems that has been previously associated with Cuba ransomware, although it is unclear whether the two have been developed by the same threat actor. Palo Alto Networks identified attacks conducted by a Cuba ransomware affiliate in August 2022, who is also known to use RomCom malware. RomCom malware has been used in attacks on targets in Ukraine, which suggest that the attacks are not financially motivated, although attacks are not confined to Ukraine and the malware has been used in North and South America, Europe, and the Philippines.
In the fall of 2022, RomCom malware was being distributed via a network of websites that impersonated legitimate software such as KeePass Password Manager and SolarWinds Network Performance Monitor (NPM), and this year more websites have been created to distribute the malware that claim to offer legitimate software downloads. The number of impersonated brands has been steadily growing, with new websites created as sites are identified as malicious and taken offline.
The threat actor behind the RomCom malware distribution has been using Google Ads to drive traffic to the websites, although phishing emails are also being used. If a user attempts to download software from these websites, they will receive an MSI installer that impersonates the app offered on the website. The installer includes a malicious DLL file that will deliver RomCom malware and other malicious payloads. Those additional payloads include a data exfiltration tool, an instant chat messenger stealer, a cryptocurrency wallet stealer, FTP credential stealer, and a tool that can steal cookies from web browsers.
The malware may be used to provide initial access to ransomware gangs but many of the attacks identified so far in 2023 appear to be geopolitically motivated. To reduce the risk of attacks, organizations should implement cybersecurity solutions to block emails with malicious attachments and URLs, such as SpamTitanPlus. SpamTitanPlus offers faster detection of malicious URLs than any of the current market-leading solutions, and includes AV controls and sandboxing for detecting zero-day malware threats.
Steps should also be taken to block access to the malicious websites used to distribute the malware, such as the Webtitan DNS Filter, which will block access to known malicious websites and can be configured to block downloads of executable files, such as MSI installers.