Threat Management, Malware

RomCom RAT targets Ukraine and possibly English-speaking countries

A blue and yellow Ukrainian flag flies among ruins
A Ukrainian flag flies above the ruins of buildings destroyed during fighting between Ukrainian and Russian occupying forces on Oct. 24, 2022, in Kam'yanka, Kharkiv oblast, Ukraine. (Photo by Carl Court/Getty Images)

Researchers on Wednesday reported that the RomCom threat group has been running a series of new attacks via a remote access trojan (RAT) that leverage the brands of SolarWinds, KeePass, and PDF Technologies.

In a blog post, BlackBerry researchers said while RomCom has primarily been targeting Ukraine, they believe that some English-speaking countries have been targeted, including the United Kingdom.

Given the geography of the targets and the current geopolitical situation, the BlackBerry researchers say it's unlikely the RomCom RAT threat actor is cybercrime-motivated.

Given the targets and the nature of the attack, there's more than just a cybercriminal motivation in play, said Mike Parkin, senior technical engineer at Vulcan Cyber. Parkin said with the current geopolitical situation, it's quite likely there’s a state-level involvement behind the scenes. 

“At its core, though, this is an attack against human targets,” Parkin said. “They are primarily relying on victims being social engineered through email to go to a malicious site disguised as a legitimate one. That makes the users the first line of defense, as well as the primary attack surface.”

The RomCom attack looks like a direct copycat of some attacks we investigated during the pandemic where we saw a number of vendor products support tools being mimicked or "wrapped" with malware, said Andrew Barratt, vice president at Coalfire.

“The ‘wrapping’ means that the underlying legitimate tool is still deployed, but as part of that deployment some malware is dropped into the target environment,” Barratt said. “Major APTs like FIN7 have used these tactics in the past. Leveraging well-known brands that they have probably identified are in use gives an intruder a high possibility of a positive response by a user they mislead.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.