"RomCom Malware Woos Victims With 'Wrapped' SolarWinds, KeePass Software"

The RomCom threat group is actively targeting English-speaking countries, especially the UK, with a Remote Access Trojan (RAT) delivered through trojanized versions of popular software products such as SolarWinds Network Performance Monitor, the KeePass open-source password manager, and PDF Reader Pro. BlackBerry's threat research and intelligence team discovered these additional, more widespread campaigns in other geolocations while analyzing an earlier RomCom RAT campaign against the Ukrainian military that used fake Advanced IP Scanner software to deliver the malware. By analyzing the terms of service and Secure Sockets Layer (SSL) certificates of a new command-and-control (C2) server registered in the UK, the researchers determined that the UK and other English-speaking countries are new RomCom targets. According to Dmitry Bestuzhev, threat researcher at BlackBerry, the UK is now one of RomCom's most important targets.

Once dropped, the RomCom RAT is designed to exfiltrate sensitive data and passwords. Bestuzhev adds that information is valuable, and when it is strategic, it helps the attacker build better offensive strategies and gain an advantage in any domain; geopolitics will set the group's new objectives. Because RomCom has been widely publicized, the group behind it was expected to change its tactics, techniques, and procedures (TTPs). This is not the group's first strategy shift: RomCom was publicly associated with ransomware when it was first discovered, but the most recent campaigns demonstrate that the threat actor's motivation is not monetary and that its new targets are defined by a geopolitical agenda. This article continues to discuss the RomCom Advanced Persistent Threat (APT) group expanding its efforts beyond the Ukrainian military to the UK and other English-speaking countries.

Dark Reading reports "RomCom Malware Woos Victims With 'Wrapped' SolarWinds, KeePass Software"