
Romantic Comedy-Themed Hacker Targets Ukrainian Politicians and US Healthcare System


The hacking group RomCom has returned with cyberattacks on political targets in Ukraine and on a healthcare organization in the United States that provides aid to refugees fleeing the country. The group lured victims through phishing to a cloned website and had them download a trojanized version of Devolutions Remote Desktop Manager. RomCom registered typosquatted domains so that the cloned site closely resembled the legitimate software vendor's site. The trojanized installer drops the malware once the user selects the destination path; the implant then collects host and user metadata from the infected system and transmits it to its command-and-control (C2) server.

The group's motive is political rather than financial. Dmitry Bestuzhev, Senior Director, CTI, BlackBerry, explains that the group used prior reconnaissance to learn which software each target uses and how it is used. “We saw RomCom targeting military secrets, such as unit locations, defensive and offensive plans, arms, [and] military training programs,” he said. RomCom's goal is the exfiltration of sensitive information; in the healthcare case, the aim is to identify the refugees and obtain their personal information for use in further attacks.

The group has used several lures in the past, including a fake Advanced IP Scanner download and trojanized versions of popular software products such as SolarWinds Network Performance Monitor, the KeePass open-source password manager, and PDF Reader Pro. In the recent campaigns the group adapted its C2 infrastructure to blend in with legitimate network traffic, making its activity harder to detect. It also used social media, phishing emails, spear-phishing, and social engineering tailored to the targeted individuals or organizations.
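As an added example (not code from the article, from BlackBerry, or from any vendor named above), the following script shows one way to turn the typosquatting described in both passages into a detection: it folds common character substitutions, strips hyphens, and uses edit distance to flag hostnames in web-proxy logs that imitate the vendors RomCom is reported to have cloned. The vendor domain list, the folding table, the log format and the log lines are all constructed assumptions for this example, and registrable-domain extraction is a deliberately naive two-label split.

```python
"""Lookalike-domain triage for vendors reported as cloned by RomCom.

Added example; the domain list, folding table and log lines below are
constructed for illustration and are not taken from the article.
"""
import re
from urllib.parse import urlsplit

# Assumed legitimate vendor domains (ordered list so results are deterministic).
LEGIT_DOMAINS = [
    "devolutions.net",
    "advanced-ip-scanner.com",
    "solarwinds.com",
    "keepass.info",
]

# Substitutions typosquatters commonly use; applied to both sides before comparing.
FOLDS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
         ("3", "e"), ("5", "s"), ("7", "t")]


def fold(label: str) -> str:
    """Normalise a DNS label: lowercase, undo homoglyph swaps, drop hyphens."""
    s = label.lower()
    for src, dst in FOLDS:
        s = s.replace(src, dst)
    return s.replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Assumption: the registrable domain is the last two labels.

    Good enough for .com/.net/.info; a production tool would consult the
    Public Suffix List to handle e.g. .co.uk correctly.
    """
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify(host: str):
    """Return (verdict, matched_legit_domain) for a hostname.

    verdict is "legit", "lookalike" or "unknown".
    """
    dom = registrable(host)
    if dom in LEGIT_DOMAINS:
        return ("legit", dom)
    label = dom.rpartition(".")[0]
    f = fold(label)
    for legit in LEGIT_DOMAINS:
        lf = fold(legit.rpartition(".")[0])
        if f == lf:                       # homoglyph swap or TLD swap
            return ("lookalike", legit)
        if lf in f and len(f) > len(lf):  # brand embedded: devolutions-download.com
            return ("lookalike", legit)
        if len(lf) >= 6 and levenshtein(f, lf) <= 2:  # typo: advanced-ip-scaner
            return ("lookalike", legit)
    return ("unknown", None)


# Constructed proxy log lines (not real traffic): time, client, method, URL, status.
SAMPLE_LOG = """\
2023-05-30T10:01:02Z 10.0.0.5 GET https://devolutions.net/download 200
2023-05-30T10:02:17Z 10.0.0.7 GET https://devo1utions.net/rdm-setup.exe 200
2023-05-30T10:03:44Z 10.0.0.7 GET https://advanced-ip-scaner.com/ipscan.exe 200
2023-05-30T10:04:09Z 10.0.0.9 GET https://www.solarwinds.com/npm 200
2023-05-30T10:05:31Z 10.0.0.9 GET https://keepass-download.info/KeePass.exe 200
2023-05-30T10:06:00Z 10.0.0.3 GET https://example.org/ 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def triage(log_text: str):
    """Return (client, host, imitated_vendor) for every lookalike hit in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _, client, _, url, _ = m.groups()
        host = urlsplit(url).hostname or ""
        verdict, legit = classify(host)
        if verdict == "lookalike":
            hits.append((client, host, legit))
    return hits


if __name__ == "__main__":
    for client, host, legit in triage(SAMPLE_LOG):
        print(f"{client} fetched from {host} (imitates {legit})")
```

Three of the six constructed lines are flagged: a digit-for-letter swap, a dropped letter, and the vendor name embedded in a longer domain. The thresholds (edit distance of 2, minimum label length of 6) are a starting point for triage, not a verdict; a hit should still be confirmed by checking the download itself, for example the publisher signature on the installer.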

The group’s active development of new capabilities and techniques indicates a notable level of sophistication and adaptability. With this development, RomCom’s target selection may evolve as they refine their tactics and seek new opportunities for compromise.

The best approach to defending against RomCom is to apply standard defensive practice and keep patches up to date. Because the initial access depends on a user fetching a trojanized installer from a lookalike site, download software only from the vendor's official domain and verify the publisher signature on installers before running them. Users should be adequately trained and a security culture cultivated that makes them part of the solution rather than the most vulnerable part of the attack surface. Bestuzhev suggests relying on a good cyber threat intelligence program that provides contextual, anticipative, and actionable intelligence, such as behavior rules to detect RomCom's operations on hosts, in network traffic, and in files.

The group’s reliance on social engineering tactics and trust highlights the importance of employee training on how to spot spear phishing. Only through a combination of approaches can individuals and organizations hope to defend against this type of sophisticated and adaptable adversary.
