For example, the original URL for KeePass is ‘’ and the fake URL is ‘’.Īlways scan files downloaded from the internet with a reputable anti-virus solution. The RomCom threat actors try to spoof the URL to be as close as possible to the original, but it can be noticed if examined carefully. When visiting a website, always double-check the Uniform Resource Locator (URL) of that website for spelling errors or anything suspicious. To circumvent this type of malware campaign, users are advised to follow the steps below: However, the threat actors have seemingly shifted their target worldwide, more notably the United Kingdom.įor a list of IOCs related to this malware campaign, follow the URL for related IP addresses, URLs and hashes: Researchers have stated that the RomCom threat actors originally targeted military institutions in the Ukraine hence the clone Ukrainian websites. It includes ‘hlpr.dat’, which is the RomCom RAT dropper and the launch process that executes the RAT, which is embedded into the ‘setup.exe’ executable meant to install the KeePass software.Ī second clone KeePass website was also discovered in the Ukrainian language along PDF Reader Pro, also in Ukrainian. The software downloaded is a legitimate copy of SolarWinds but has been modified to include a malicious Dynamic-Link Library (DLL) file that downloads and executes the RomCom RAT.įor the clone KeePass website, the threat actors distribute the legitimate KeePass software bundled with their RAT in the ZIP file ‘KeePass-2.52.zip’. The threat actors went so far as to link their website to the official SolarWinds registration form that can be used to contact a SolarWinds customer support agent. The clone SolarWinds NPM website is used to deliver a trojanized version of the free trial of the software. Even similar domain names were registered to make the malicious site seem authentic. The threat actors managed to spoof the original HTML code for the websites which makes it almost impossible to tell the difference between the original and the fake website.
Additionally, Unit 42 from Palo Alto Networks discovered another website that was impersonated, the Veeam Backup and Recovery software. The three websites cloned were SolarWinds Network Performance Monitor (NPM), KeePass password manager, and PDF Reader Pro. Researchers at Blackberry discovered a new campaign by the RomCom threat actors that seemingly created clone websites to deliver their RAT malware. The threat actors behind the RomCom Remote Access Trojan (RAT) campaign were recently seen producing clones of official websites for SolarWinds Network Performance Monitor (NPM), KeePass password manager, and PDF Reader Pro, using these websites to deliver their RAT malware disguised in legitimate programs.
0 kommentar(er)
