
Hackers Spread RomCom Malware via Google Ads for ChatGPT, GIMP and More

Trend Micro has uncovered a new campaign distributing the RomCom backdoor. The operators impersonate well-known software vendors, or set up entirely fake ones, to trick users into downloading and running trojanized installers.

Researchers at Trend Micro have been monitoring RomCom since the summer of 2022 and have observed that the threat actors behind the malware have enhanced its evasion techniques by implementing payload encryption and obfuscation. Furthermore, they have introduced new and powerful commands to expand the malware’s capabilities.

The websites used to distribute RomCom mostly imitate remote desktop management applications, which suggests the attackers are reaching their victims through targeted phishing or social engineering rather than waiting for casual downloads.

RomCom Has Links to Cuba Ransomware

The RomCom malware first emerged in August 2022 and was initially reported by Palo Alto Networks, which attributed the attacks to a Cuba ransomware affiliate tracked as ‘Tropical Scorpius.’ Trend Micro tracks the same threat actor as ‘Void Rabisu.’

In October 2022, Ukraine’s CERT-UA highlighted the usage of RomCom in attacks targeting critical networks within the country.

Around the same time, BlackBerry published a report associating RomCom with Cuba ransomware, confirmed attacks in Ukraine, and noted victims in the United States, Brazil, and the Philippines.

In a subsequent report by BlackBerry in November 2022, it was revealed that RomCom disguised itself as legitimate software such as SolarWinds Network Performance Monitor (NPM), KeePass password manager, and PDF Reader Pro.

Details of the Current Campaign

Trend Micro’s recent report on RomCom activity reveals a range of deceptive websites employed by the malware operators between December 2022 and April 2023. These websites imitate well-known software, including GIMP, GoToMeeting, ChatGPT, WinDirStat, AstraChat, System Ninja, and Devolutions’ Remote Desktop Manager, among others.

The attackers employ targeted phishing emails and Google advertisements to attract victims, primarily focusing on Eastern European regions.

The malicious websites serve trojanized MSI installers that contain a malicious DLL named InstallA.dll, which poses as a legitimate application file.

In the latest RomCom payload analyzed by Trend Micro, the malware’s behavior involves extracting three DLLs to the victim’s %PUBLIC%\Libraries folder. These DLLs facilitate communication with the command and control server and execute commands as directed.
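The drop location is a useful hunting point: %PUBLIC%\Libraries normally holds only Windows library definition files (.library-ms), so any DLL or EXE there deserves a look. The script below is an added example, not Trend Micro's tooling; it walks that folder, hashes every file, and flags anything that is a PE-type file, carries one of the component names mentioned in this article, or matches a hash on an IoC list. The IoC hash set is an empty placeholder (hypothetical) to be filled from the vendor's published list, and the `demo()` function builds a constructed scratch folder so the logic can be exercised offline.

```python
"""Hunt for RomCom-style DLL drops under %PUBLIC%\\Libraries.

Added example, not Trend Micro's code. KNOWN_BAD_SHA256 is a hypothetical
placeholder: populate it from the vendor's IoC list before real use.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Hypothetical placeholder: hashes from the published IoC list go here.
KNOWN_BAD_SHA256: set[str] = set()

# Component file names reported in this article (lower-cased for comparison).
SUSPICIOUS_NAMES = {"installa.dll", "photodirector.dll", "procsys.dll",
                    "msg.dll", "fileinfo.dll", "wallet.exe"}


def default_root() -> Path:
    """%PUBLIC% is set on Windows; fall back to the usual path when it is not."""
    return Path(os.environ.get("PUBLIC", r"C:\Users\Public")) / "Libraries"


@dataclass
class Finding:
    path: str
    sha256: str
    reasons: list[str]


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large drops do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root: Path, bad_hashes: set[str] = KNOWN_BAD_SHA256) -> list[Finding]:
    """Return one Finding per file under root that trips at least one check."""
    findings: list[Finding] = []
    if not root.is_dir():
        return findings
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        reasons: list[str] = []
        if p.suffix.lower() in {".dll", ".exe"}:
            reasons.append("executable-type file in a folder that should hold none")
        if p.name.lower() in SUSPICIOUS_NAMES:
            reasons.append(f"name matches reported RomCom component {p.name}")
        digest = sha256_of(p)
        if digest in bad_hashes:
            reasons.append("sha256 matches IoC list")
        if reasons:
            findings.append(Finding(str(p), digest, reasons))
    return findings


def demo() -> list[Finding]:
    """Constructed sample: a scratch folder standing in for %PUBLIC%\\Libraries."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "RecordedTV.library-ms").write_text("<libraryDescription/>")  # benign
    (tmp / "InstallA.dll").write_bytes(b"MZ" + b"\0" * 64)       # fake PE stub
    (tmp / "PhotoDirector.dll").write_bytes(b"MZ\x90" + b"\0" * 64)  # fake PE stub
    # Pretend the second stub's hash is on the IoC list.
    bad = {sha256_of(tmp / "PhotoDirector.dll")}
    return scan(tmp, bad)


if __name__ == "__main__":
    for f in scan(default_root()):
        print(f.path, f.sha256, "; ".join(f.reasons))
```

Run it as-is on a Windows host to sweep the real folder; on any platform `demo()` shows the three checks firing on the constructed sample while the benign .library-ms file is ignored.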

Notably, the recent version of RomCom showcases an expanded repertoire of malicious commands, increasing from 20 to 42.

Some noteworthy commands available to RomCom-infected devices include:

• Initiating cmd.exe

• Dropping additional payloads onto the victim’s computer

• Creating processes with spoofed PIDs for camouflage

• Exfiltrating data from the compromised system

• Establishing an SSH-based proxy

• Updating the malware on the infected device

• Running AnyDesk in a hidden window

• Compressing specified folders and sending them to the attackers’ server.

In addition to its existing capabilities, RomCom has been observed delivering additional malware payloads, as reported by the cybersecurity company.

Some of the stealer components downloaded by RomCom on compromised devices include:

• PhotoDirector.dll: A tool for capturing screenshots and compressing them in ZIP archives for exfiltration.

• procsys.dll: A stealer that targets web browser cookies (Chrome, Firefox, Edge).

• wallet.exe: A cryptocurrency wallet stealer.

• msg.dll: A stealer focused on instant messenger chats.

• FileInfo.dll: An FTP credentials stealer that uploads data to an FTP server.

The RomCom authors have also added new evasion measures alongside the expanded capabilities. The payload is now protected with VMProtect, which provides code protection and anti-VM checks, and it is encrypted with a key retrieved from an external address at run time rather than hardcoded in the sample.

To bypass network monitoring tools, RomCom employs null bytes in its command and control (C2) communication.
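The reason embedded null bytes work as an evasion is that many matchers treat a buffer as a C string and stop at the first NUL, or expect the signature to be contiguous in the payload. The block below is an added example, not from Trend Micro's report: it contrasts a naive matcher with one that normalizes the body first, and adds a simple NUL-ratio heuristic that flags text-like HTTP traffic containing nulls at all. The beacon body and the signature are constructed for illustration; real signatures belong in the vendor's IoC and Yara rules.

```python
"""Embedded NULs versus C2 signature matching (added example, not vendor code).

SAMPLE_BEACON and SIGNATURE are constructed for illustration only.
"""

# Constructed: a hypothetical beacon body with NUL bytes spliced into it.
SAMPLE_BEACON = b"id=\x00\x00a1b2\x00\x00&cmd=\x00list\x00\x00&host=WIN-01"
SIGNATURE = b"&cmd=list"


def naive_match(payload: bytes, signature: bytes) -> bool:
    """Mimic a C-string-based matcher: everything after the first NUL is invisible."""
    visible = payload.split(b"\x00", 1)[0]
    return signature in visible


def normalize(payload: bytes) -> bytes:
    """Strip NUL padding so a contiguous signature can match again."""
    return payload.replace(b"\x00", b"")


def normalized_match(payload: bytes, signature: bytes) -> bool:
    """Match against the NUL-stripped body rather than the raw one."""
    return signature in normalize(payload)


def null_ratio(payload: bytes) -> float:
    """Fraction of NUL bytes; any NULs in a text-like body are themselves suspicious."""
    return payload.count(0) / len(payload) if payload else 0.0


def inspect(payload: bytes, signature: bytes, nul_threshold: float = 0.05) -> dict:
    """Summarize what a detector would see for one captured body."""
    return {
        "naive_hit": naive_match(payload, signature),
        "normalized_hit": normalized_match(payload, signature),
        "null_ratio": null_ratio(payload),
        "nul_anomaly": null_ratio(payload) > nul_threshold,
    }


if __name__ == "__main__":
    print(inspect(SAMPLE_BEACON, SIGNATURE))
```

The naive matcher never sees `&cmd=list` because the first NUL arrives three bytes in; stripping NULs before matching restores the hit, and the NUL-ratio check catches the padding even when no signature is known yet.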

Furthermore, the software downloaded from the malicious websites is signed with certificates issued to seemingly legitimate companies based in the U.S. and Canada. Those companies’ websites often contain fake or plagiarized content.

RomCom has been linked to activities such as ransomware, espionage, and warfare, although the exact motives of its operators remain unclear. Regardless, it poses a versatile and significant threat capable of causing substantial damage.

To aid defenders, Trend Micro has provided a comprehensive list of indicators of compromise (IoCs) and Yara rules to detect and thwart the latest RomCom campaign.
