ClickCease New RomCom malware uncovered by TrendMicro

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

New RomCom malware uncovered by TrendMicro

June 15, 2023 - TuxCare PR Team

Trend Micro has discovered a new campaign involving a malware called RomCom which tricks users into downloading harmful software by impersonating well-known or fictional websites.

Trend Micro researchers have been monitoring RomCom since summer 2022 and found that the malware has improved its ability to avoid detection and gained new commands. The attackers primarily use websites related to remote desktop management applications, increasing the chances of using phishing or social engineering tactics.

The first known use of RomCom was reported in August 2022 by Palo Alto Networks, attributing the attacks to a ransomware affiliate called ‘Tropical Scorpius.’ Trend Micro refers to the same actor as ‘Void Rabisu.’

RomCom malware was active in 2022 and targeted networks in Ukraine, the United States, Brazil, and the Philippines. It disguised itself as legitimate software, including SolarWinds Network Performance Monitor, KeePass password manager, and PDF Reader Pro.

Between December 2022 and April 2023, Trend Micro discovered websites associated with RomCom. These websites pretended to offer popular software like Gimp, Go To Meeting, ChatGPT, WinDirStat, AstraChat, System Ninja, and Devolutions’ Remote Desktop Manager.

The websites distributed trojanized MSI installers that resembled the promised applications but contained a malicious DLL file called “InstallA.dll.” When executed, this file extracted three additional DLLs into the victim’s %PUBLIC%\Libraries folder. These DLLs were responsible for command and control server communications and executing commands.

The latest version of RomCom increased the number of malicious commands from 20 to 42, giving attackers extensive control over compromised systems. The malware could execute processes with PID spoofing, extract data, establish SSH proxies, update itself, run hidden instances of AnyDesk, compress folders, and send them to the attackers’ server.

Trend Micro also discovered that RomCom installed additional malware payloads. These payloads included PhotoDirector.dll, which captured and compressed screenshots for exfiltration, procsys.dll, a web browser cookie stealer, wallet.exe, a cryptocurrency wallet stealer, msg.dll, an instant messenger chat stealer, and FileInfo.dll, an FTP credential stealer.

To protect its code and evade detection, the creators of RomCom used VMProtect software for code protection and anti-virtual machine capabilities. The malware encrypted its payload using an external source for the encryption key. It also employed null bytes in its command and control communication to avoid detection by network monitoring tools.

Malicious websites distribute the software, which is signed by apparently legitimate companies in the U.S. and Canada. However, these companies are fake or have plagiarized content on their websites, indicating a deliberate attempt to deceive users.

The sources for this piece include an article in BleepingComputer.

Summary
New RomCom malware uncovered by TrendMicro
Article Name
New RomCom malware uncovered by TrendMicro
Description
Trend Micro has discovered a new campaign involving a malware called RomCom which tricks users into downloading harmful software.
Author
Publisher Name
TuxCare
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started

Mail

Join

4,500

Linux & Open Source
Professionals!

Subscribe to
our newsletter